
Perspectives: Combining Safety, Security Certifications

By Joseph M. Jacob | October 1, 2006

Today’s digital aircraft are large distributed computing systems. Each of these nodes is certified to perform its functions safely. To date, there is no formal mandate for FAA to include security issues in its system certifications. However, as more aircraft systems communicate data on a real-time basis with other systems inside and outside of the aircraft, and as malicious attempts to subvert those communications multiply, security concerns become increasingly important.

The certification approaches used in high-assurance military/intelligence applications, such as multilevel-secure and cross-domain solutions, can provide additional valuable assurances to avionics safety certifications. Security certifications provide confidence that all operations preserve data confidentiality, integrity and availability even under hostile conditions. Combining the two certification techniques results in an even more robust, reliable and safer airborne system.

The advantage for integrated modular avionics platforms is composability: the confidence that side effects among applications with different criticality levels are manageable and predictable. The safety characteristics of each application are preserved no matter how they are combined. Systems with multiple security domains want the same payoff. The security characteristics of each application have to be preserved no matter the combination.

Given the similarity of their goals, it is not surprising that safety and security certification standards are very much alike. Indeed, many of the artifacts used for certification are similar. DO-178B for safety and the internationally accepted Common Criteria standard for security are mostly concerned with correctness. DO-178B more thoroughly addresses post-certification quality assurance, while the Common Criteria covers topics such as vulnerability, user documentation and software delivery.

Both standards recognize that software assurance is a continuum. Not every airborne software function is equally critical. DO-178B, for example, defines Level A through Level E. There is no safety impact if Level E software fails. If Level A software fails, the safety impact is catastrophic. The Common Criteria defines Evaluation Assurance Levels (EALs) 1 (low) through 7 (high). The threat level and the value of the information combine to determine the appropriate level of confidence in both the correctness of the security functionality (the EAL) and the extent of the security functionality, specified in a "Protection Profile" under the Common Criteria. The consequences of information compromise range from negligible effects to exceptionally grave damage to security, safety or infrastructure. The threat range extends from inadvertent or accidental events to deliberate cyber attacks from nation states in time of crisis.

Another characteristic common to both safety and security is that earning certification is much more difficult, risky, and therefore expensive if certification was not an original design goal. This occurs when certification requirements are extended into areas where they were previously not applicable, often the result of new or revised policies as well as differing regulations in the international marketplace. Such circumstances raise a dilemma. Is it less expensive or risky for vendors to certify what they have "after the fact" or to start over, engineering for safety and/or security from the ground up? How do they maximize the value of existing intellectual property?

Certifications at high assurance levels are expensive, although software that analyzes source code for faults is emerging. Other tools promising provable correctness by construction are also becoming available. Developers specify their requirements in an unambiguous, formal language, and a safety-qualified, security-trusted tool verifies programming language source code that meets those requirements under all conditions.

Operating systems that use ARINC 653 and MILS, or multiple independent levels of security, to simultaneously isolate safety and security critical code into composable modules, are entering the commercial off-the-shelf (COTS) market. These operating systems are certifiable to DO-178B, Level A, as well as to at least an EAL 6+ security assurance level. Middleware (i.e., Partitioning Communications System) that guarantees quality of service, separation, confidentiality, and integrity for the data flows within distributed systems is also available. These components enable systems that are certified as safe to also be certified as highly secure with an incremental effort that is both manageable and affordable.

Joseph M. Jacob, senior vice president, sales and marketing of Objective Interface Systems Inc., also co-chairs the Avionics Special Interest Group at the SDR Forum.
