Using the existing MILS or Multiple Independent Levels of Security platform, certMILS (https://certmils.eu/) seeks to find ways of shortening, simplifying, and implementing new certification methodologies with the ultimate goal of efficient security in cyber physical systems across Europe. In this episode we speak with project partners Thorsten Schulz and Holger Blasum about how to better understand certMILS.

The certMILS project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731456.

See omnystudio.com/listener (https://omnystudio.com/listener) for privacy information.

Introduction: Powerful collaborations, cutting edge science and curious minds coming together Introduction: for a glimpse of the future. Stay tuned as we Introduction: look at the latest updates on some of the most Introduction: promising technology projects. Peter Balint: Hello and welcome. I’m Peter Balint from Technikon. And today

Peter Balint: we look at the certMILS project once again. As you recall, Peter Balint: this EU funded effort is researching ways of keeping complex Peter Balint: systems safe and secure. The last time we talked about Peter Balint: trains and power grids that could benefit by rapid and

Peter Balint: efficient safety certification methodologies. That’s the goal of certMILS. Using Peter Balint: the existing MILS or multiple independent levels of security platform, Peter Balint: certMILS seeks to find ways of shortening, simplifying and implementing Peter Balint: new certification methodologies with the ultimate goal of efficient security

Peter Balint: in embedded systems across Europe. Today we speak with Holger Blasum from SYSGO and Thorsten Schulz from the University of Rostock Peter Balint: also in Germany. Both gentlemen are project partners in certMILS. Peter Balint: They join us remotely from their home offices today. Welcome,

Peter Balint: and I’ll ask you Holger What is certMILS and where Peter Balint: does the name come from? Holger Blasum: So the idea of certMILS is that we demonstrate how Holger Blasum: to certify modern embedded systems that are safety and security critical

Holger Blasum: so is is also called cyber physical systems and that we… Holger Blasum: to do this we not only say that we CERT that Holger Blasum: certify this is where CERT is coming from, but we also Holger Blasum: introduce that we intend… or that we do apply a

Holger Blasum: certain methodology which is by using MILS systems. MILS itself Holger Blasum: means multiple independent levels of security and or safety. And Holger Blasum: maybe MILS is something that needs some explanation and actually Holger Blasum: the easiest way to explain MILS in my eyes is

Holger Blasum: to start with what everybody knows -that’s operating systems and Holger Blasum: computers and how they relate to our everyday life. So Holger Blasum: if you are sitting at a computer desktop or laptop Holger Blasum: then you probably want to use that computer which is

Holger Blasum: itself a fairly general purpose machine to do different tasks Holger Blasum: at your desktop that might be you want to surf Holger Blasum: the Internet with your browser. You might want to have Holger Blasum: some document editing you might have spreadsheets you might have

Holger Blasum: things like teleconferencing software. You might have some drawing software Holger Blasum: and you have this different task of telecommunicating, drawing, writing text, Holger Blasum: writing structured data in spreadsheets and so on and you Holger Blasum: have different applications for that. That is on your desktop

Holger Blasum: or laptop you have an ecosystem of completely different applications Holger Blasum: that were also written by different teams and everybody was Holger Blasum: doing the applications at getting what they are really good at. Holger Blasum: Say for instance, for the Internet browsers for surfing the

Holger Blasum: Internet you can… you can choose among say Firefox, Chrome, Holger Blasum: Edge and many others or Opera to name a European company. Holger Blasum: And again for the document editing you could choose between Holger Blasum: say Microsoft Word, LibraOffice Writer and things like that. And you’ll

Holger Blasum: have different tremendous teams behind all these applications. That’s in Holger Blasum: the background; do their job when you need them -but Holger Blasum: you can also have different applications open at the same Holger Blasum: time and then magically even if you say you’re using

Holger Blasum: teleconferencing system and you’re editing a document the same time Holger Blasum: maybe a document that you’re showing and maybe you’re browsing Holger Blasum: at the same time these applications usually do not interfere Holger Blasum: which is -as they do not get into each other’s way.

Holger Blasum: I mean sometimes they do. And then on the desktop Holger Blasum: operating system we noticed oh the system is frozen -the Holger Blasum: spreadsheet is calculating and they can’t use the browser or Holger Blasum: vice versa. But it’s not happening that often. And the

Holger Blasum: magic behind this that is that these applications that have Holger Blasum: been developed by completely different teams by great teams that Holger Blasum: were optimizing for their own things that they don’t interfere. Holger Blasum: That’s the operating system and the operating system is in

Holger Blasum: charge that you can run these things at the same Holger Blasum: time or seemingly at the same time on a single Holger Blasum: computer without interference and magically having aligned these things. Now Holger Blasum: next I go to things that we don’t see in

Holger Blasum: every day life that often but we are going to Holger Blasum: embedded systems. Embedded systems are things that are deep inside Holger Blasum: the magics of everyday technology to say of the last Holger Blasum: time Sandro and Thorsten were talking about trains and it’s about

Holger Blasum: the control systems of trains themselves within the trains. It’s about Holger Blasum: the control systems of interlocking systems that allow where the Holger Blasum: trains are run. And again these traditionally has been very… Holger Blasum: starting in the 1970s 80s 90s very simple devices and

Holger Blasum: they are now becoming networked to the Internet because that’s Holger Blasum: useful for monitoring them. So if I’m talking about these Holger Blasum: embedded devices, some frequent cloud applications or needs that we Holger Blasum: see is that we have to run a controlled on

Holger Blasum: a such a device it’s also called an actuator that Holger Blasum: we say brake, please now brake… stop or kind of release Holger Blasum: the brake again or that we say the signal shall Holger Blasum: go green or red or whatever. So this is.. part

Holger Blasum: of this is that the embedded system is actually controlling Holger Blasum: and the device. A second common pattern that you have Holger Blasum: in an embedded system is that you need some remote monitoring of Holger Blasum: the thing that’s an operator of say several thousand interlocks

Holger Blasum: on a railroad grid can see the overall state of Holger Blasum: each interlock: is it open or is it closed and Holger Blasum: remotely also inspect the kind of health status of the Holger Blasum: device for instance does it react properly? Maybe it’s getting

Holger Blasum: rusty or whatever. Thirdly there was also a talk… that Holger Blasum: was also talked by Sandro and Thorsten last time is Holger Blasum: the importance… is the need to have updates of the Holger Blasum: system to react to security challenges. And this, well there

Holger Blasum: are different ways of doing this either can be done Holger Blasum: locally by a trusted operator doing it the traditional way, Holger Blasum: coming with some `USB stick or something like that doing an Holger Blasum: update on site or you do it remotely. If you’re

Holger Blasum: allowed to do it remotely then again you have quite Holger Blasum: strong security requirements that this update function does not interfere Holger Blasum: with the monitoring and the actuator control. So coming back Holger Blasum: to the original topic of interference, again on these embedded

Holger Blasum: devices it’s very important that these applications do not interfere Holger Blasum: with each other. So that say if somebody is monitoring Holger Blasum: the status of an inter locking signal, it should never Holger Blasum: interfere with the action or functionality of giving a signal

Holger Blasum: of the interlock or braking system it should never… it Holger Blasum: must never interfere with the braking itself. Therefore we need Holger Blasum: for an embedded device, we need an operating system that is Holger Blasum: really really reliable in keeping this different task apart from

Holger Blasum: each other. The concept is the same as described on Holger Blasum: the desktop operating system or laptop and the mobile device, Holger Blasum: but here on the embedded device it’s an absolute priority Holger Blasum: that the actuator that the control is really executed within

Holger Blasum: say 10 or 50 or 100 milliseconds within a defined Holger Blasum: range and that is not just ninety nine percent reliable Holger Blasum: but close to 100 percent reliable. And this is the Holger Blasum: ecological niche of certain kinds of embedded operating systems that

Holger Blasum: are called MILS operating systems that are that share many Holger Blasum: design principles with the general purpose in the operating systems, Holger Blasum: but as a special feature they have a strong emphasis Holger Blasum: that they were designed to keep the applications apart and

Holger Blasum: also to allow for some more static configurations. And usually Holger Blasum: these systems are more simple than than desktop operating systems. Holger Blasum: So MILS separation kernel is a thousand times smaller than Holger Blasum: say Windows or Linux or the big operating system so that

Holger Blasum: you can make a really thorough and deep analysis of Holger Blasum: it and have a better understanding. So it has less Holger Blasum: features but also less complexity and is suited to this Holger Blasum: kind of embedded systems that have comparatively still simpler functions

Holger Blasum: than a desktop operating system, but that conversely do very Holger Blasum: critical things that must not be interrupted or interfered with. Peter Balint: So that’s a great analogy using a desktop operating system Peter Balint: to sort of illustrate the importance of things working together.

Peter Balint: And it sounds to me like in certMILS this is Peter Balint: the goal -things have to work together and there really Peter Balint: can’t be any mistakes and there has to be some Peter Balint: kind of certification that says these things work together. Am

Peter Balint: I seeing this in the right way? Holger Blasum: Yes this… the you’re actually bringing up the second four Holger Blasum: letters of certMILS. So far I had only explained the Holger Blasum: MILS acronym and now we can go for the CERT,

Holger Blasum: for the certification. So, what in the end this certification Holger Blasum: so certification is in my eyes, that people construct an Holger Blasum: argument why a system is secure. Why a system is Holger Blasum: safe and that this argument can inspect it… can be

Holger Blasum: inspected by different people and then they can agree on Holger Blasum: this analysis that the architecture, that the design of the Holger Blasum: system that is being certified is safe and secure against Holger Blasum: in safety, random faults and in security, malicious attackers. And now

Holger Blasum: we can can maybe bring the certMILS together. So now Holger Blasum: I gave a general view on certification and in one Holger Blasum: of the MILS workshops where we’re talking a lot about Holger Blasum: certification because, Peter as you rightly say, certification is important

Holger Blasum: for these kinds of critical systems. That was actually five Holger Blasum: years ago Kateryna Netkachova made an argument about security cases. So Holger Blasum: these are structured arguments how to present security of complex Holger Blasum: system Peter Balint: OK, and Thorsten I want to throw something out to you.

Peter Balint: We talk about embedded systems; w hat is the likelihood Peter Balint: that the average person on street encounters an embedded system Peter Balint: is this something that’s part of their lives or is Peter Balint: it something that maybe they have never been in contact with?

Thorsten Schulz: I think for most of us listening to this podcast Thorsten Schulz: like everybody that’s listening to this has been in contact Thorsten Schulz: with an embedded system. So just in the morning if Thorsten Schulz: you walk past… one of the earliest ones that we

Thorsten Schulz: name embedded systems basically also been washing machines and basically Thorsten Schulz: any device that you mainly physically interact with in your home Thorsten Schulz: environment will be that what we consider an embedded system. Thorsten Schulz: So because of their physical interaction. But then also for

Thorsten Schulz: home devices as Holger just like on the other hand Thorsten Schulz: Holger just mentioned the certification. So we also have that Thorsten Schulz: for home devices so that our home devices like our Thorsten Schulz: toaster doesn’t get mad at us just because we plugged

Thorsten Schulz: in the price of bread the wrong way. So there Thorsten Schulz: is certification that they do the right thing. And… but Thorsten Schulz: there’s typically more strict certification going on with systems that Thorsten Schulz: can harm not just one person maybe just scratch their finger.

Thorsten Schulz: But like for we have the larger infrastructure systems where Thorsten Schulz: you can harm hundreds and thousands of people. So that’s Thorsten Schulz: a bit of a different embedded system category that we’re Thorsten Schulz: talking about. But yes I think that basically everybody has

Thorsten Schulz: been in contact with what you call… what what we Thorsten Schulz: call embedded systems. Peter Balint: So we could say that they’re everywhere. They’re ubiquitous. There’s Peter Balint: no getting around embedded systems for anybody basically. Thorsten Schulz: Right. Right. Correctly. So even like I was thinking I

Thorsten Schulz: was just walking outside of my home would be the Thorsten Schulz: first thing to see would be a traffic light. It’s Thorsten Schulz: part of the infrastructure also it’s maybe hard to say Thorsten Schulz: that it’s an embedded system because actually sticking out of the ground.

Thorsten Schulz: But this is exactly the the things that we interact Thorsten Schulz: with everyday and that we rely on with our basically Thorsten Schulz: with our integrity of our health and our body. Right. Holger Blasum: I was thinking about the probably the battery controller and

Holger Blasum: an e-bike is already an embedded system. Then you have Holger Blasum: dozens of processors in any car. If you’re going by Holger Blasum: train you also have dozens if not hundreds of processors Holger Blasum: in a train, airplanes have a lot of them so

Holger Blasum: they’re really, regardless of the way of transportation you use, Holger Blasum: relevant for you. Peter Balint: And tell us about the certMILS project as it sits today. Peter Balint: Let’s sort of take the temperature a little bit. How Peter Balint: long of a project is this?

Holger Blasum: It’s a four year project. We intentionally made it long Holger Blasum: because we anticipated that we… that certification takes time. Certification Holger Blasum: is a communication endeavor and therefore it’s not only us Holger Blasum: who can do things but we also have to talk

Holger Blasum: with certification authorities and also the people making the certification standards. Peter Balint: OK. Makes sense. Yes. And so it is deliberately made Peter Balint: to be a long project four year project. And how Peter Balint: far are you at this point?

Holger Blasum: From the time line we are in the fourth and Holger Blasum: last year. Actually with certification it’s sometimes hard to… give Holger Blasum: exact timelines because it’s it’s a little bit maybe it Holger Blasum: can be likened to a legal dispute at the court

Holger Blasum: or something… so the parties have to agree that the Holger Blasum: argument is sound and that may take all the time Holger Blasum: it needs to take. Therefore I would say we are Holger Blasum: in good progress but it’s particular for a certification project

Holger Blasum: it’s hard to give an exact metric saying we are Holger Blasum: now at 78 percent or something. Peter Balint: And Thorsten for you at the end of this project Peter Balint: how do you know it’s a success or what will

Peter Balint: make you happy at the end of the project and Peter Balint: in a position where you could say yeah we’ve done Peter Balint: our job? Thorsten Schulz: So looking at the certification that that Holger just mentioned Thorsten Schulz: if that goes goes ahead… I mean it always takes

Thorsten Schulz: a little bit longer and we’re also starting to see Thorsten Schulz: very small delays towards the end of the project which Thorsten Schulz: we basically did foresee but since we’re heading for the Thorsten Schulz: final months of the project and we still have the

Thorsten Schulz: timeline that we’re going to get the certification goals that Thorsten Schulz: we wanted to achieve and we are really looking forward Thorsten Schulz: into achieving that towards the end maybe maybe a few Thorsten Schulz: weeks after we’ll see how the how the external authorities

Thorsten Schulz: can can work with the whole workload and the the Thorsten Schulz: situation of other workloads that they have to face. So Thorsten Schulz: once I can see all the certification artifacts being being Thorsten Schulz: passing by official grounds and this will be the one

Thorsten Schulz: achievement and the other achievement would be to see the Thorsten Schulz: the architecture and the methodology that we set out to Thorsten Schulz: actually be also used beyond our own project partners. So Thorsten Schulz: in other systems and other designs around the world. So

Thorsten Schulz: if we can see there then I think we really Thorsten Schulz: achieved something. So I mean it is a EU project Thorsten Schulz: and we’re really striving to to have other partners in Thorsten Schulz: the European Union involved in this. Also beyond our project

Thorsten Schulz: partners but obviously we’re also happy to export that methodology Thorsten Schulz: and the way it’s been done worldwide. So we have Thorsten Schulz: been just even though this was a for you Thorsten Schulz: but we’ve also been reaching out to other companies and

Thorsten Schulz: and programming and system developer system designers around the world Thorsten Schulz: for example also in Australia and in the US and we’re Thorsten Schulz: quite happy that we got positive feedback on our methodology Thorsten Schulz: and the certification process that we’re doing so already this

Thorsten Schulz: has been quite a little bit of success for the Thorsten Schulz: projects I guess. Yes. One of the reasons that the Thorsten Schulz: EU is funding this project is also to get a Thorsten Schulz: methodology and get kind of almost a unity on the

Thorsten Schulz: certification approach as to make it successful and more more usable Thorsten Schulz: for a lot of users. So, I mean the whole Thorsten Schulz: European Union also depends on on exporting technologies in worldwide use. Thorsten Schulz: So if it’s just us 10 project partners using the

Thorsten Schulz: kind of technology and approach that’s not much work but Thorsten Schulz: I mean it’s something but it’s really important to get Thorsten Schulz: the technology and approaches being used by other vendors and Thorsten Schulz: partners in the market. So and I’m quite happily looking Thorsten Schulz: forward for that, yes.

Holger Blasum: I mean, another outlets that I could make some shameless Holger Blasum: advertising here is the MILS community which is mils.community and Holger Blasum: just has an open mailing list that everybody can subscribe Holger Blasum: to to discuss MILS topics and we have been doing several

Holger Blasum: public MILS workshops where also results of certMILS have been Holger Blasum: presented and shared. Peter Balint: And this MILS community this is not a project, they’re Peter Balint: always there right it’s ongoing? Holger Blasum: It’s ongoing. So it’s I don’t know when actually we

Holger Blasum: did we start… 2015 but at least well before certMILS. Peter Balint: Why is it that the European Union would decide to Peter Balint: fund a project like this? Thorsten Schulz: So I think there’s there’s two perspectives of this. So

Thorsten Schulz: from my understanding almost seeing it from from the user perspective. Thorsten Schulz: So like in the other podcast we discussed about that Thorsten Schulz: we want to have the technology and we want to Thorsten Schulz: have it working and we want to have also reliable…

Thorsten Schulz: reliably working but on the other hand so we need Thorsten Schulz: to have all this certification for our products. But with Thorsten Schulz: a new requirement -so we can’t stop people from saying Thorsten Schulz: I want my trains or my smart grid to be

Thorsten Schulz: smart and I want for example my airplanes to be Thorsten Schulz: on time and all these things. So like there’s the Thorsten Schulz: demand for that and we basically with all the security Thorsten Schulz: measures that pop up we have to run behind it

Thorsten Schulz: and to to keep things secure to actually keep them safe. Thorsten Schulz: So all that we want is we don’t get harmed. Thorsten Schulz: We don’t want one one to be injured or anything. Thorsten Schulz: So we’re at this very moment basically running behind security

Thorsten Schulz: protecting things that are being kind of smart into their Thorsten Schulz: network and things. And so the the idea or the Thorsten Schulz: concept of the European Union funding these kind of project Thorsten Schulz: is to do get behind these issues to keep things

Thorsten Schulz: secure and safe also for the critical systems and and Thorsten Schulz: not rely on maybe on that there’ll be some days Thorsten Schulz: some solution from from some ways in the world. So Thorsten Schulz: we want to have that technology within the European Union

Thorsten Schulz: and we want to have it as soon as possible Thorsten Schulz: before we get hacked as we discussed in the other podcast. Peter Balint: OK well you know I have to say thank you. Peter Balint: You guys are doing the work that’s sort of behind

Peter Balint: the scenes and very important in our society to keep Peter Balint: people safe and secure in their daily lives. So this Peter Balint: project goes a long way to ensuring our safety and Peter Balint: the safety of everybody listening. So thank you for doing that.

Peter Balint: And good luck with the rest of the project and Peter Balint: we may check in at the end to see how Peter Balint: things are going and how the wrap up went. So Peter Balint: best of luck to you Holger Blasum: OK. Thanks. Thorsten Schulz: Thank you Peter.

Peter Balint: For more information about certMILS visit their web site at Peter Balint: certmils.eu Peter Balint: This podcast has been brought to you by Technikon. The Peter Balint: certMILS project has received funding from the European Union’s Horizon Peter Balint: 2020 research and innovation program under grant agreement number 731456 .

Share.
Leave A Reply