Evaluation of MILS and reduced kernel security concepts for SCADA remote terminal units.

The purpose of this project is to study the benefits that the Multiple Independent Levels of Security (MILS) approach can provide to Supervisory Control and Data Acquisition (SCADA) remote terminal units. This is accomplished through a heavy focus on MILS concepts such as resource separation, verification, and kernel minimization and reduction. Two architectures are leveraged to study the application of reduced kernel concepts for a remote terminal unit (RTU). The first is the LynxOS embedded operating system, which is used to create a bootable image of a working RTU. The second is the Pistachio microkernel, the features and development environment of which are analyzed and catalogued to provide the basis for a future RTU. A survey of recent literature is included that focuses on the state of SCADA security, the MILS standard, and microkernel research. The design methodology for a MILS compliant RTU is outlined, including a benefit analysis of applying MILS in an industrial network setting. Also included are analyses of the concepts of MILS which are relevant to the design and how LynxOS and Pistachio can be used to study some of these concepts. A section detailing the prototyping of RTUs on LynxOS and Pistachio is also included, followed by an initial security and performance analysis for both systems

Combined Security and Schedulability Analysis for MILS Real-Time Critical Architectures

Real-time critical systems have to comply with stringent timing constraints, otherwise, disastrous consequences can occur at runtime. A large effort has been made to propose models and tools to verify timing constraints by schedulability analysis at the early stages of system designs. Fewer efforts have been made on verifying the security properties in these systems despite the fact that sinister consequences can also happen if these properties are compromised. In this article, we investigate how to jointly verify security and timing constraints. We show how to model a security architecture (MILS) and how to verify both timing constraints and security properties. Schedulability is investigated by the mean of scheduling analysis methods implemented into the Cheddar scheduling analyzer. Experiments are conducted to show the impact that improving security has on the schedulability analysis

Applying MILS to multicore avionics systems

The implementation of the Multiple Independent Levels of Security (MILS) software architecture on modern microprocessor architectures has become technically feasible in recent years. This allows MILS-based systems to host applications and data of multiple security classifications concurrently on a uniprocessor platform at affordable cost. In this paper, the potential requirements for the implementation of a separation kernel to support MILS systems on multicore processor architectures will be considered, and the design challenges associated with its potential implementation on the NXP (formerly Freescale) QorIQ™ P4080 multicore processor will be discussed. Finally, the potential use of a MILS Multicore separation kernel in two use cases will be presented - a Cross-Domain System (CDS) network gateway, and a Multi-Level Secure (MLS) Integrated Modular Avionics (IMA) platform

Security-Informed Safety Case Approach to Analysing MILS Systems

Safety cases are the development foundation for safety-critical systems and are often quite complex to understand depending on the size of the system and operational conditions. The recent advent of security aspects complicates the issues further. This paper describes an approach to analysing safety and security in a structured way and creating security-informed safety cases that provide justification of safety taking into particular consideration the impact of security. The paper includes an overview of the structured assurance case concept, a security-informed safety methodology and a layered approach to constructing cases. The approach is applied to a Security Gateway that is used to control data flow between security domains in a separation kernel based operating system in avionics environment. We show that a clear and structured way of presenting a safety case combining safety and security alleviates understanding important interactions taking into account the impact and, hence, increases safety

Investigation into a Layered Approach to Architecting Security-Informed Safety Cases

The paper describes a layered approach to analysing safety and security in a structured way and creating a security-informed safety case. The approach is applied to a case study – a Security Gateway controlling data flow between two different security domains implemented with a separation kernel based operating system in an avionics environment. We discuss some findings from the case study, show how the approach identifies and ameliorates important interactions between safety and security and supports the development of complex assurance case structures

Partitioned System with XtratuM on PowerPC

XtratuM is a real-time hypervisor originally built on x86 architecture. It is designed referencing the concept of partitioned system. The main work in this thesis is to implement XtratuM in PowerPC architecture.Zhou, R. (2009). Partitioned System with XtratuM on PowerPC. http://hdl.handle.net/10251/12738Archivo delegad

Security hardened remote terminal units for SCADA networks.

Remote terminal units (RTUs) are perimeter supervisory control and data acquisition (SCADA) devices that measure and control actual physical devices. Cyber security was largely ignored in SCADA for many years, and the cyber security issues that now face SCADA and DCS, specifically RTU security, are investigated in this research. This dissertation presents a new role based access control model designed specifically for RTUs and process control. The model is developed around the process control specific data element called a point, and point operations. The model includes: assignment constraints that limit the RTU operations that a specific role can be assigned and activation constraints that allow a security administrator to specify conditions when specific RTU roles or RTU permissions cannot be used. RTU enforcement of the new access control model depends on, and is supported by, the protection provided by an RTU\u27s operating system. This dissertation investigates two approaches for using minimal kernels to reduce potential vulnerabilities in RTU protection enforcement and create a security hardened RTU capable of supporting the new RTU access control model. The first approach is to reduce a commercial OS kernel to only those components needed by the RTU, removing any known or unknown vulnerabilities contained in the eliminated code and significantly reducing the size of the kernel. The second approach proposes using a microkernel that supports partitioning as the basis for an RTU specific operating system which isolates network related RTU software, the RTU attack surface, from critical RTU operational software such as control algorithms and analog and digital input and output. In experimental analysis of a prototype hardened RTU connected to real SCADA hardware, a reduction of over 50% was obtained in reducing a 2.4 Linux kernel to run on actual RTU hardware. Functional testing demonstrated that different users were able to carryout assigned tasks with the limited set of permissions provided by the security hardened RTU and a series of simulated insider attacks were prevented by the RTU role based access control system. Analysis of communication times indicated response times would be acceptable for many SCADA and DCS application areas. Investigation of a partitioning microkernel for an RTU identified the L4 microkernel as an excellent candidate. Experimental evaluation of L4 on real hardware found the IPC overhead for simulated critical RTU operations protected by L4 partitioning to be sufficiently small to warrant continued investigation of the approach