Project deliverable Open Access
Hohenegger, Andreas; Blasum, Holger; Tverdyshev, Sergey; Garcia, Luis; Álvarez de Sotomayor, Amelia; Caracuel, Benito; Kertis, Tomáš; Krummeck, Gerald; Kurth, Helmut; Persson, Staffan; Hametner, Reinhard; Paultisch, Michael; Tummeltshammer, Peter; Hager, Michal
The focus of the certMILS project is cyber-physical systems (CPS). These combine physical and software elements and, as industry advances, such automated solutions increasingly take over critical tasks in all areas of society. Smart grids, safety-critical transport systems and, in general, industrial control systems: CPS take many forms but are commonly characterized by their complexity. CPS are composed of specialized parts and COTS elements, typically developed by different parties.
Due to the criticality of CPS, there is a high need for assurance in the correct (safe and secure) operation of the entire system and, consequently, CPS are often subject to regulation. That is, the components and/or complete systems must be certified according to the standards applicable to the respective sector. For instance, the IEC 62443 series of standards deals with complete industrial automation and control systems, the ISO 27000 series with information security management systems (processes), and the Common Criteria (CC) with subsystems of IT products. Even though these frameworks share some common principles, a diversity of approaches prevails, and they are not always easily reconciled. The present report provides an overview of the various standards applicable to different critical applications. It points out that the regulatory situation is sometimes unsatisfactorily incomplete, or conflicting where different standards apply.
A prerequisite for certification according to any standard is a successful evaluation according to its principles. The rigour of such evaluations normally increases with the criticality of the application, but in practice it is a trade-off between assurance needs and economic feasibility. A common theme of security evaluations of CPS is therefore the desire to derive assurance for composed systems from that already established for their components (subsystems). The objective is that the results of the component evaluations can be reused, so that the evaluation of complex systems becomes economically feasible, or possible at all. In particular, evaluation and certification would not need to be repeated from scratch when one or more system components change. To this end, one of the relevant and broadly applied industry standards, the CC, includes the concept of compositional evaluation. However, despite the rather generic formulation of this aspect of the CC, and the promise it holds, it has hardly found application. The present document describes the issues that hinder its success, as well as an alternative method, intended for smart cards and similar applications, that has received more attention but likewise suffers from shortcomings. In summary, the benefit of the CC compositional evaluation approach is minor for low-assurance evaluations. Very high assurance cannot be gained because the approach foresees only a limited transfer of design documentation, since component developers will not always share these secrets.
MILS systems, which lend their name to this project, arose from the requirement to gain assurance in the security properties of computers. They feature a layered structure in which the security-critical functions are concentrated in one component, the separation kernel, which is intentionally kept small enough to permit evaluation with great rigour. In applications such as CPS, these layers are always combined with other elements, such as the hardware platform or the software running on top of the separation kernel. At first glance, MILS systems seem to lend themselves to compositional evaluation, as they are well structured and characterized by strong security policies. However, the various conceivable applications of compositional evaluation suggested by MILS systems still pose challenges for the existing methods when high assurance is required. The purpose of the present report is to describe the different approaches and what they have to offer for this type of system.