Safety first? Security is just as important

In many applications in the railways, aircraft or automotive industry  the interaction between safety and security is of particular importance, since there are many dependencies between them and they can therefore no longer be considered separately.

Figure 1. The MILS concept enables trusted and untrusted components to co-exist on a single platform.


By Markus Jastroch, SYSGO                          Download PDF version of this article


Whether in railways, aircraft or the automotive industry - electronic control systems and their developers face complex challenges today. On the one hand, due to increasing networking, problems of functional safety and IT security are emerging. On the other hand, standard products are increasingly being used and individual control elements have to perform multiple tasks in order to save weight, costs and energy. Especially in such environments, the interaction between safety and security is of particular importance, since there are many dependencies between them and they can therefore no longer be considered separately.

Functional safety is about the unintentional failure of components or code, while (IT) security is about protection against intentional and mostly malicious attacks. In short, safety protects the environment from the system, while in security it is the other way round - it protects the system from the environment. Functional safety has long been one of the most important aspects of transport technology, and a large number of standards have been established to which technical systems must be certified:

IEC 61508 is an industry-independent basic standard for the functional safety of electrical, electronic and programmable systems with a safety reference. IEC 61508 distinguishes between four criticality levels, SIL-4 to SIL-1 (Safety Integrity Level).

DO-178B is the definitive standard for software development in aerospace. The standard knows five criticality levels DAL A to E (A=catastrophic to E=no effect)

EN 50128 is a European standard for software development in connection with railway applications with five criticality levels (SIL-4 to SIL-0). EN 50129 for signaling technology in rail traffic is related to this standard.

ISO 26262 defines the functional safety requirements for vehicles on the road. Based on the safety integrity levels of EN 61508, it defines four ASIL levels D-A, where D stands for the most critical systems.

Security deals with the prevention of errors that can lead to unauthorized access to or manipulation of data or systems. The main aim here is to avoid weak points by means of IT security measures or to make their exploitation by attacks impossible. There are also international security standards for security-critical systems, only a few of which are industry-specific.

ISO 15408, better known as CC or Common Criteria (for information technology security evaluation), is the most important standard for testing and evaluating the security properties of IT products worldwide. It introduces seven Evaluation Assurance Levels (EAL 1-7) for trustworthiness.

EUROCAE ED 202 provides developers and certification bodies with guidance for aeronautical systems that are influenced by human interaction and can affect the safety characteristics of an aircraft.

The SAE (formerly Society of Automotive Engineers) is working on a series of standards on various aspects of IT systems in automobiles and is introducing the term ACsIL (Automotive Cybersecurity Integrity Level) based on the Safety Integrity Levels in Draft J3061 published in 2016.

ISO is currently working on ISO 21434 (Road Vehicles - Cybersecurity Engineering).

Figure 2. PikeOS can be used for implementations of the MILS concept - in this case in the automotive industry.

Safety errors are typically random errors that are regarded as "friendly" errors in a safe environment. Added to this are random and systematic errors such as electromagnetic radiation, hardware errors, specification and design errors or software errors. All safety-relevant functions (e.g. real-time behavior) must be taken into account here. The exposure time, i.e. the period during which the system is exposed to the fault, may or may not affect the occurrence of a failure. Security, on the other hand, is typically about intentional errors caused by internal or external attacks. In addition to such attacks, however, systematic errors such as design errors, software errors, weak passwords or cryptographic keys as well as unexpected hidden channels must also be taken into account. The exposure time typically influences the success and consequences of an attack.

Although or precisely because the Common Criteria Standards are completely technology and industry agnostic, they provide a good basis for the development of critical embedded systems in conjunction with mostly industry-specific safety standards. In particular, it is possible to assign individual systems an EAL level (Evaluation Assurance Level) between 1 and 7 (from the least demanding to the most demanding in terms of design, testing and verification). However, one should be aware that CC-certified products do not guarantee the absence of vulnerabilities, but only that the test and verification objectives have been achieved and a state-of-the-art vulnerability analysis has been carried out.

Figure 3. PikeOS is a virtualization platform based on a separation kernel.

While the application of good software practices, mainly with regard to verification and validation, has long been established for safety-relevant topics due to strict certification requirements, there is often still some catching up to do with security. In return, the security industry reacts very quickly to changes. Techniques must also be developed in the area of functional safety in order to shorten the time for changes to certified systems.

Using COTS

Today's modular systems offer improved connectivity, resource sharing between applications of different levels of criticality on the same computer, and promote the use of standard or COTS (Commercial Off-the-Shelf) products in security-related systems. These developments bring benefits such as reduced development and maintenance costs or savings in weight and energy consumption, but from the security point of view they also mean an increase in the attack surface for malicious programs. In addition, the use of COTS hardware and software gives potential malicious attackers more information about possible vulnerabilities, some of which is publicly accessible. This affects both communication between spatially separated applications and communication between applications in different partitions on the same ECU.

The main problem when using COTS and consolidating different applications on one hardware is the strict separation of the individual applications from each other, so that problems with one application cannot affect others. This requires strict partitioning of the available resources so that the applications can actually run completely independently of each other. Partitioning and separation are also the cornerstones of the Multiple Independent Layers of Security (MILS) concept, which describes a multi-layered security architecture for the coexistence of trusted and untrusted components based on verifiable separation mechanisms and controlled information flows (image 1)

The MILS approach requires a (real-time) operating system that is able to strictly separate applications or processes and their resources - both spatially and temporally. Such a system is also called a separation kernel - an example of this is PikeOS from the German manufacturer SYSGO (Image 2). A separation kernel architecture makes it easier for the system integrator to create a clearly structured design in which safety applications coexist with less safe applications in the same system without making compromises between safety and security. For example, Linux guests which are responsible for external communication via complex network services can cooperate with applications at a higher security level. These applications with a higher level of security and the associated devices remain strictly separated from the outside world by partitioning. Since PikeOS supports not only spatial but also time partitioning, it also enables the implementation of complex time-controlled applications.

A robust partitioning approach is advantageous for both security and safety applications and is more or less explicitly required in virtually all of the above standards. Robust time partitioning also enables real-time and non-real-time applications to coexist on a single hardware, for example. In addition, this separation creates independent security domains for applications of different criticality and thus also facilitates certification considerably, since applications in different security domains can be certified independently of each other.

Arrow and Analog Devices strategic partnership and collaborative approach to provide solutions for our customers.

Mike Britchfield (VP for EMEA Sales) talks about why Analog Devices have a collaborative approach with Arrow Arrow’s design resources are key, from regional FAEs in the field to online des...


WE MAKE IT YOURS! Garz & Fricke to present the latest HMIs and SBCs at Electronica 2018

Sascha Ulrich, Head of Sales at Garz & Fricke, gives you a quick overview about the latest SBC, HMI and Panel-PC Highlights at electronica 2018. Learn more about the SANTOKA 15.6 Outdoor HMI, the ...


Macronix Innovations at electronica 2018

Macronix exhibited at electronica 2018 to showcase its latest innovations: 3D NAND, ArmorFlash secure memory, Ultra Low Vcc memory, and the NVM solutions with supreme quality mainly focusing on Automo...


ams CEO talks about their sensor solutions that define the mega trends of the future

In this video Alexander Everke, ams’ CEO, talks to Alix Paultre of EETimes about their optical, imaging and audio sensor solutions in fast-growing markets – from smartphones, mobile device...


Intel accelerated IoT Solutions by Arrow

Arrow is showing Intel’s Market Ready Solutions in a Retailer shop with complete eco environment. From sensors via gateways into the cloud, combined with data analytics, the full range of Intel ...


CSTAR - Manufacturers of cable assembly from Taiwan

CSTAR was founded in 2010 in Taipei, Taiwan. Through years of experience, we are experts in automotive products, LCD displays, LCD TVs, POS, computers, projectors, laptops, digital cameras, medical ca...


NXP Announces LPC5500 MCU Series

Check this video to discover the new NXP microcontroller LPC5500, the target application and focus area. Links to more information: LPC5500 Series: World’s First Arm® Cortex® -M...


Molex Meets Solutions at Electronica

These are exciting times in the electronics world as Molex migrates from a pure connectors company to an innovate solutions provider. Solutions often start at the component level, such as the connecto...


Alix Paultre investigates Bulgin's new optical fiber rugged connector range at Electronica 2018

Alix Paultre interviews Bulgin's Engineering Team Leader Christian Taylor to find out more about the company's new range of optical fiber connectors for harsh environments. As the smallest rug...


Cypress MCU and Connectivity are the best choice for real-world IoT solutions.

Cypress’ VP of Applications, Alan Hawse, explains why people should use Cypress for their IoT connectivity and MCU needs. Cypress wireless connectivity and MCU solutions work robustly and sea...


Chant Sincere unveils their latest High Speed/High Frequency connection solutions at Electronica 2018

Chant Sincere has been creating various of product families to provide comprehensive connection solutions to customers. USB Series Fakra Series QSFP Series Metric Connector Series Fibro ...


Addressing the energy challenge of IoT to unleash billions of devices

ON Semiconductor introduces various IoT use cases targeted towards smart homes/buildings, smart cities, industrial automation and medical applications on node-to-cloud platforms featuring ultra-low po...


ITECH, world leading manufacturer of power test instruments, shinned on electronica 2018

ITECH, as the leading power electronic instruments manufacturer, attended this show and brought abundant test solutions, such as automotive electronics, battery test, solar array simulator, and electr...


ITECH new series give users a fantastic user experience

ITECH latest series products have a first look at the electronics 2018, such as IT6000B regenerative power system, IT6000C bi-directional programmable DC power supply, IT6000D high power programmable ...


SOTB™ Process Technology - Energy Harvesting in Embedded Systems is Now a Reality

Exclusive SOTB technology from Renesas breaks the previous trade-off between achieving either low active current or low standby current consumption – previously you could only choose one. With S...


E-Mail Newsletters

nlsc240

Our 3 E-Mail Newsletters: EETimes/EDN Europe, Embedded News and Power Electronics News inform about the latest news in technology and products, as well as technical know-how like white papers, webinars, articles, etc.


B & S / ECE Magazine

- latest issue is online now -

November 2018

Content Highlights

Cover Story

Internet-connected displays make the industrial IoT more visible

Download now