Securing Critical Infrastructure with MILS

By Paul Chen

On February 12, the White House released the Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience. The DHS website describes PPD-21 as “advancing a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure.” Sixteen different critical infrastructure sectors are identified, including Chemical, Communications, Energy, Financial Services, Healthcare and Public Health, Food and Agriculture, Nuclear Reactors, Transportation, and Water and Wastewater Systems.

On the same day PPD-21 was released, President Obama also signed Executive Order 13636 for “Improving Critical Infrastructure Cybersecurity.” The Executive Order directs NIST (National Institute of Standards and Technology) to develop a framework for “reducing cyber risks to critical infrastructure,” for which they have issued an RFI and plan a workshop in late May.

And on March 26, the BSI (Bundesamt für Sicherheit in der Informationstechnik, the German Federal Office for Information Security) published the Protection Profile for the Gateway of a Smart Metering System. Such devices will securely collect, process, and store information from smart meters, adding security to smart electricity distribution grids. The protection profile notes that the threat from a remote cyberattack is much higher than that from a local physical attack, since an attacker on the network has the potential to compromise not just one but many components of the infrastructure, or even the corresponding grid.

These developments highlight the focus on improving critical infrastructure security as attacks from cyber-terrorism have increased over the last decade and, alarmingly, in the past year have hit power, water, and nuclear systems. A recent report states that, indeed, most cyber-attacks now target critical infrastructure, moving “away from hacking and financially motivated crime” to attacks that “deny, disrupt, and destroy” service. For most of us, even the most destructive cyber-attacks like Stuxnet are fairly remote and don’t impact us; but if critical infrastructure services are denied, disrupted, or destroyed, cyber-attacks could become devastatingly personal.

Critical infrastructure systems often use distributed control systems (DCS), industrial control systems (ICS), and supervisory control and data acquisition (SCADA) systems for process monitoring and control. Usually networked and often connected to the public Internet, these DCS, ICS, and SCADA systems are potentially vulnerable to cyber-attacks. Developing more secure DCS, ICS, and SCADA systems, and other components of critical infrastructure, using the MILS (Multiple Independent Levels of Security) architecture can help improve the overall security of such infrastructure: I explain how below.

The MILS architecture enables security architects to configure the system following the principle of least privilege, which requires that each system component be granted access only to the resources needed to complete its functions. This enables the development of devices and systems that are more resilient against attacks, and better at mitigating potential damage from defective or malicious software. The MILS architecture also uses a separation kernel to provide time and space partitioning, information flow control, and fault containment. With these capabilities, security-critical components (such as a data guard or process controller) can be separated and protected from less trusted components (such as an Internet gateway or network interface) even when all of them run on the same hardware platform to reduce size, weight, and power (SWaP) requirements. And by reducing SWaP, MILS allows devices and systems to be more cost effective to develop, deploy, operate, and maintain.
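To make the information-flow-control idea concrete, here is an added example (not Wind River code, and not the VxWorks MILS configuration format) that models a separation kernel's inter-partition channel policy as a default-deny allow-list over the partitions named above. The partition names are taken from the article; the channels, messages and the `send`/`reachable`/`guard_is_mandatory` helpers are constructed for illustration.

```python
"""Toy model of a MILS separation-kernel information-flow policy.

Added example, not the platform's own code. Partitions exchange data only
over explicitly allow-listed one-way channels; every other flow is denied.
It also checks the architectural invariant the article describes: the
Internet-facing gateway may reach the process controller only through
the data guard, never directly.
"""
from collections import deque

# Partitions from the article: untrusted network side and security-critical side.
PARTITIONS = {"netif", "gateway", "guard", "controller"}

# Constructed allow-list of one-way channels (src, dst). Unlisted pairs are denied.
CHANNELS = frozenset({
    ("netif", "gateway"), ("gateway", "netif"),        # network interface <-> gateway
    ("gateway", "guard"), ("guard", "gateway"),        # gateway <-> data guard
    ("guard", "controller"), ("controller", "guard"),  # data guard <-> controller
})

def send(src, dst, msg, audit, channels=CHANNELS):
    """Deliver msg only over an allow-listed channel; log the decision either way."""
    if src not in PARTITIONS or dst not in PARTITIONS:
        raise ValueError(f"unknown partition: {src!r} or {dst!r}")
    if (src, dst) not in channels:
        audit.append(f"DENY  {src}->{dst} ({len(msg)} bytes)")
        return False
    audit.append(f"ALLOW {src}->{dst} ({len(msg)} bytes)")
    return True

def reachable(src, dst, channels=CHANNELS, blocked=frozenset()):
    """BFS over the channel graph; True if dst is reachable from src without
    entering any partition in `blocked` (used to test whether a hop is mandatory)."""
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return True
        for a, b in channels:
            if a == cur and b not in seen and b not in blocked:
                seen.add(b)
                queue.append(b)
    return False

def guard_is_mandatory(channels=CHANNELS, untrusted="gateway",
                       critical="controller", guard="guard"):
    """Policy invariant: the critical partition is reachable from the untrusted
    one, but only via the guard. A policy that adds a direct channel fails this."""
    return (reachable(untrusted, critical, channels)
            and not reachable(untrusted, critical, channels, blocked={guard}))
```

Running `guard_is_mandatory()` against a policy before loading it is the kind of check a system integrator can automate; adding a single `("gateway", "controller")` channel makes it fail.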

Underscoring Wind River’s commitment to delivering trusted systems with built-in security capabilities, we have just launched VxWorks MILS Platform 3.0, which implements the MILS architecture with a secure, hypervisor-based separation kernel compliant with the U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness (SKPP), version 1.03. Although NIAP has sunset the SKPP as the basis of a component-level certification process, NSA continues to recommend the use of separation kernels for security-critical systems, making VxWorks MILS Platform an appropriate choice for use in critical infrastructure sub-systems. And to support a wide range of potential evaluation activities, VxWorks MILS Platform provides a complete set of artifacts for a system-level evaluation process based on the internationally recognized Common Criteria.

VxWorks MILS Platform 3.0 is an ideal foundation for building secure, cost-effective, and evaluatable DCS, ICS, SCADA, and other security-critical systems. And it’s available today to help secure national critical infrastructure.
