Compositional security certification for medium- to high-assurance COTS-based systems in environments with emerging threats

Klaus-Michael Koch

01 January 2017

30 June 2021

EC funded project


certMILS aims to reduce the complexity of the certification of cyber-physical systems dramatically by use of a trustworthy MILS platform (Multiple Independent Levels of Security) within the cyber-physical system, which is simple, small, and certified for the highest level.

Such a platform enables compositional security certification, which is applied in three different pilots. To be marketable as a product for a broad range of ICT/cyber-physical systems, the platform has a powerful API configuration, supports open common and domain-specific APIs (e.g. POSIX, ARINC) and consistently addresses existing domain safety standards/regulations.

Who is the project designed for?

Objective 1: Transfer know-how in compositional safety certification to security certification
Objective 2: Make certification of composed systems affordable
Objective 3: Preservation of certified assurance throughout operational deployment
Objective 4: Involvement of all stakeholders in different industry domains
Objective 5: Certified European MILS platform and MILS Platform Protection Profile
Objective 6: Develop and apply compositional certification methodology on three industrial pilots
Objective 7: Guidelines and templates for MILS certification

How is your project benefitting the end-user?

Previously isolated embedded systems have become connected to the Internet, thus becoming cyber-physical systems. In transportation, for instance, almost all means of transportation (airplanes, trains, cars, and ships) are networked, for passenger as well as operator comfort. Because of the havoc a malicious attacker could cause, the security of cyber-physical systems has attracted a lot of interest. However, unlike many other IT systems, cyber-physical systems have usually already been heavily scrutinised for safety for decades.

While the safety protection against accidental faults does not address security, there are already established safety methods as well as “safety certification stakeholders”. Securing and certifying cyber-physical systems therefore must respect the existing safety certification processes. certMILS generates rich interaction between developers, evaluation laboratories and certification authorities in three European countries resulting in:

  • Validated modular Protection Profile
  • Standardised and validated methodology for evaluating and certifying high assurance products
  • Guidelines for compositional security for developers and evaluators

Please briefly describe the results your project achieved so far

Within the first project year, progress was well on track. A report on the state of the art for compositional evaluations has been written. This report describes the different ways compositions are currently performed for evaluations using ISO/IEC 15408 (Common Criteria) as of today.

The certMILS team has worked on a Common Criteria object which can be used as a stand-alone Protection Profile or as a Base-PP for a modular PP (Base-PP plus extended packages). The scope of this Base-PP is a Separation Kernel that can serve as the basis for a MILS platform. The Separation Kernel provides a basis for multiple partitions, where each partition gets its resources assigned by the Separation Kernel. The minimum set of resources that the Separation Kernel must be able to assign to partitions are computer memory and processing time. As such, the Separation Kernel is an operating system with minimised functionality, leaving higher-level functions usually provided by a general-purpose operating system, such as file systems, network protocols and application management, to be provided by the partitions. The Base-PP contains the basic functions of the Separation Kernel and will be accompanied by a number of extensions / PP-modules addressing areas where specific Separation Kernels handle functions in a different way.

These results can be inspected at the Zenodo MILS community https://zenodo.org/communities/mils/?page=1&size=20 . In terms of compositional certification, the project has achieved IECEE 62443-4-1 and IECEE 62443-4-2 certification for the railway secure gateway, and a Common Criteria / IEC 62443 gap analysis for the smart grid demonstrator.

What are the next steps for your project?

CC evaluation of the separation kernel, IEC 62443 evaluation in the subway demonstrator.
