
Relevance of Separation Kernel Protection Profile for Avionics Systems Debated

By Frank Wolfe | May 14, 2020

As civil aviation regulators consider how to mandate certain avionics cybersecurity regulations, embedded system suppliers are weighing in on some aspects, such as the Separation Kernel Protection Profile (SKPP).

Photo caption: The SKPP-certified Green Hills Software INTEGRITY-178 Real-Time Operating System powers the Collins Aerospace Avionics Management and Display System, pictured here on Sikorsky’s S-92 helicopter.

Issued by the U.S. National Security Agency (NSA) in 2007, the Separation Kernel Protection Profile (SKPP) continues to be a cybersecurity guidepost for some in the avionics industry, while other avionics cyber experts say that SKPP is no longer relevant, as they believe SKPP can only address comparatively simple embedded processors.

The debate about SKPP comes as the Federal Aviation Administration (FAA) and the European Aviation Safety Agency (EASA) are considering a number of avionics mandates to provide aircraft with the resilience needed to withstand cyber attacks. For example, the FAA has planned a transport airplane (Title 14, Code of Federal Regulation, Part 25) rulemaking effort to codify two Special Conditions (SCs) for transport aircraft systems and information security protection (ASISP). The agency also said that it is developing an advisory circular that would describe a means of compliance to the codified SCs so that manufacturers are able to design cybersecure products from the outset, rather than when they submit the design for certification.

FAA certification requires avionics manufacturers to address and comply with the two SCs, when imposed, for new transport airplane designs and in-service airplanes installing new avionics equipment.

The FAA has said that it recently worked with RTCA Special Committee (SC-216), EUROCAE (WG-72), and other certification authorities to establish three industry standards to address ASISP: DO-326A, dealing with airworthiness security requirements; DO-356A, describing the DO-326A airworthiness security process; and DO-355, delineating required performance tasks to counter information security threats related to aircraft operation and maintenance.

Richard Jaenicke, the director of marketing for safety and security-critical products at California-based Green Hills Software, said that software products that are certified to Common Criteria at EAL5 [Evaluation Assurance Level 5] or higher, such as the Green Hills Software INTEGRITY®-178 Real-Time Operating System (RTOS), have a head start on meeting DO-326A and that SKPP has “much more stringent security requirements and testing than is required for DO-326A.” Jaenicke said that the INTEGRITY®-178 RTOS is “the only operating system certified to the SKPP and the only OS certified at EAL6 or higher.”

The Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) is the international standard for computer hardware and software security assurance; in its generic form it allows suppliers to define their own security requirements for evaluation, and its Evaluation Assurance Levels range from EAL1 to the most rigorous level, EAL7. In the United States, NIAP [the National Information Assurance Partnership] defines protection profiles and manages the Common Criteria Evaluation and Validation Scheme (CCEVS) validation body. When the evaluation is at EAL5 or higher, the NSA participates in the evaluation.

Markus Jastroch, a spokesman for Germany-based SYSGO GmbH, contended that SKPP and high EALs are insufficient for cybersecurity, however.

The NIAP decommissioned, or “sunset,” SKPP in 2011, “mainly due to two reasons,” Jastroch wrote in an email to Avionics International. “NIAP considers a Protection Profile for EAL5 and higher as inadequate, because at high assurance levels, the environment in which a system is deployed (e.g. embedded system versus desktop PC) is highly influential on the achieved level of security. This environment cannot be taken into account at the time of evaluation. And, from the announcement about the SKPP sunsetting, NIAP said that ‘security’ is not just about meeting requirements, but requires continuing effort, even after the ‘requirements’ are met, i.e. certificates need to be maintained.”

“While there are software products that have been certified according to the SKPP before its revocation, to our knowledge, no certificate maintenance has been performed in the nine years since so that any hardware and software vulnerabilities that have been discovered since then remain unmitigated in the certified products,” Jastroch wrote.

The SYSGO PikeOS is used on Thales’ FlytX avionics suite. Pictured here is a three-display version of that suite for helicopters. Photo: Thales

Jaenicke, however, responded that SKPP continues to be relevant and that, “while the statement that any hardware and software vulnerabilities discovered since 2011 remain uncorrected in the certified version is technically correct, it is irrelevant.”

“First, Green Hills is very proud that, to date, there have been zero CVEs [Common Vulnerabilities and Exposures] against INTEGRITY-178 or INTEGRITY-178 tuMP,” he wrote. “Second, using the SKPP-certified code as a basis, we work closely with our customers to provide new features and address new threats as they emerge. For every program that requires the highest security assurance, we provide the latest security documentation and evidence at the same level as the SKPP that enables our customers to achieve high robustness certification.”

At the time NIAP and NSA decommissioned SKPP in 2011, NSA said that it still supported investment in Separation Kernels and the Least Privilege architecture as “sound design choices for security-critical systems” and that industry should continue to refer to the SKPP when building a Separation Kernel. The agency said, however, that it would no longer support certification of operating systems, including Separation Kernels, in general, and would focus on the assurance argument and evidence for a system and its whole context, not just the kernel.

In January, Collins Aerospace selected the INTEGRITY®-178 Time-Variant Unified Multi-Processing (tuMP™) RTOS for the U.S. Navy’s Tactical Combat Training System Increment II (TCTS Inc. II) program. The system is to be interoperable with fourth- and fifth-generation fighter aircraft, complies with the Future Airborne Capability Environment (FACE™) 3.0 Technical Standard, and has a Multi-Level System architecture capable of four simultaneous encryption channels from unclassified to Top Secret. Green Hills said that a number of platforms, including the Lockheed Martin F-35 Lightning II fighter and the C-130J transport, use the INTEGRITY-178 RTOS for safety-critical applications.

Like Green Hills Software’s INTEGRITY-178, SYSGO’s PikeOS is deployed on a variety of platforms, including the Airbus A400M transport, where PikeOS runs the loadmaster workstation, and the Thales FlytX avionics suite on Airbus’ future H160M Leopard light helicopter.

Last year, the Common Criteria Recognition Arrangement established a five-year time limit on renewing certificates for its 31 members, including a number of European countries, the United States, and New Zealand. According to Jastroch, SYSGO “is continually renewing its certificates to keep an eye on any security issues that pop up” and addresses any cyber vulnerabilities that arise in SYSGO systems together with the Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany’s Federal Office for Information Security.
