The Cyber Security Landscape
In recent years, many European countries have recognised the growing cyber threats against both civilian infrastructure and defence systems. In response they have developed national cyber security policies that define objectives for protecting critical national infrastructure against cyber attacks, together with a range of strategies for achieving those objectives.
The Advent of the MILS Architecture
Commercial organisations and European national governments have long categorised information at different security classifications, based on criteria such as information value, sensitivity, and the impact of disclosure. Historically, information at different security classifications has been physically isolated in separate domains, initially in manual systems, and subsequently in computerised systems.
More recently, as organisations have become increasingly reliant on computer systems, there has been a drive towards automation of the information flow process between different security domains. This enables decision-making to be accelerated in fields as diverse as commercial business, banking, government and armed forces. Traditionally, multi-level secure (MLS) computer systems were built as bridges between these domains using multiple, physically separated computers, networks, and displays. This technique, known as “air gap” security, required expensive equipment and occupied a large footprint in terms of Size, Weight and Power (SWaP), and has limitations in the cyber era.
The Multiple Independent Levels of Security (MILS) architecture was proposed as an alternative approach for secure embedded systems many years ago. MILS uses a layered software architecture, with a separation kernel (SK) built on four fundamental security policies:
1) Data Isolation, which ensures that a partition cannot access resources (memory, devices, files) belonging to other partitions.
2) Periods Processing, which ensures that applications within a partition cannot consume more than that partition's allocated share of CPU time.
3) Information Flow, which ensures that information passes between partitions only along the flows explicitly permitted by the policy.
4) Fault Isolation, which ensures that a failure in one partition does not impact any other partition in the system.
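To make the four policies concrete, the following is an added toy model of a separation kernel, written for this article and not taken from any MILS product or standard. The partition names, CPU budgets, permitted flows and messages are constructed for the example. Each partition's workload is a Python generator in which every `yield` stands for one millisecond of CPU; the kernel enforces data isolation and information flow on every access, gives each partition exactly its time budget per major frame, and confines any fault to the partition that raised it.

```python
"""Toy model of a MILS separation kernel enforcing the four policies.
Added illustration: partition names, budgets, flows and messages are
constructed for the example, not taken from any real system."""
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised by the kernel when a partition attempts a forbidden access."""


@dataclass
class Partition:
    name: str
    budget_ms: int                                 # CPU share per major frame
    memory: dict = field(default_factory=dict)     # resources private to this partition
    inbox: list = field(default_factory=list)      # messages delivered over permitted flows
    halted: bool = False                           # set when the partition faults


class SeparationKernel:
    def __init__(self, partitions, flows):
        self.parts = {p.name: p for p in partitions}
        self.flows = set(flows)      # Information Flow policy: allowed (src, dst) pairs
        self.audit = []              # kernel-level record of violations and faults

    # Data Isolation: a partition may touch only its own resources.
    def write(self, caller, key, value):
        self.parts[caller].memory[key] = value

    def read(self, caller, owner, key):
        if caller != owner:
            self.audit.append(f"data isolation: {caller} tried to read {owner}.{key}")
            raise PolicyViolation(f"{caller} may not read {owner}")
        return self.parts[owner].memory.get(key)

    # Information Flow: only flows listed in the policy are delivered.
    def send(self, src, dst, msg):
        if (src, dst) not in self.flows:
            self.audit.append(f"information flow: {src} -> {dst} denied")
            raise PolicyViolation(f"flow {src} -> {dst} not permitted")
        self.parts[dst].inbox.append(msg)

    def drain(self, caller):
        msgs, self.parts[caller].inbox = self.parts[caller].inbox, []
        return msgs

    # Periods Processing and Fault Isolation.
    def run_frame(self, workloads):
        """Run one major frame. Each workload is a generator; every `yield`
        models one millisecond of CPU. A partition gets exactly its budget and
        no more; an exception inside a partition halts that partition only."""
        used = {}
        for name, part in self.parts.items():
            used[name] = 0
            if part.halted or name not in workloads:
                continue
            job = workloads[name](self, name)
            try:
                for _ in range(part.budget_ms):
                    next(job)
                    used[name] += 1
            except StopIteration:
                continue                         # finished inside its slot
            except Exception as exc:             # fault confined to this partition
                part.halted = True
                self.audit.append(f"fault isolation: {name} halted ({exc})")
                continue
            self.audit.append(f"periods processing: {name} slot ended after {part.budget_ms} ms")
        return used


# Constructed scenario: a high-side partition, a low-side one and a guard between them.
def build_kernel():
    partitions = [Partition("secret", 3), Partition("unclass", 2), Partition("guard", 2)]
    flows = [("secret", "guard"), ("guard", "unclass"), ("unclass", "guard")]
    return SeparationKernel(partitions, flows)


def secret_job(k, me):
    k.write(me, "plan", "constructed secret value")
    k.send(me, "guard", "releasable summary")    # allowed: secret -> guard
    for _ in range(5):                            # wants 5 ms, budget is only 3
        yield


def unclass_job(k, me):
    yield
    k.read(me, "secret", "plan")                  # data isolation violation -> fault


def guard_job(k, me):
    for msg in k.drain(me):
        k.send(me, "unclass", msg)                # allowed: guard -> unclass
    yield


WORKLOADS = {"secret": secret_job, "unclass": unclass_job, "guard": guard_job}


def demo():
    sk = build_kernel()
    frame1 = sk.run_frame(WORKLOADS)
    frame2 = sk.run_frame(WORKLOADS)
    return sk, frame1, frame2


if __name__ == "__main__":
    sk, f1, f2 = demo()
    print("frame 1:", f1, "frame 2:", f2)
    print("\n".join(sk.audit))
```

Running it shows all four policies acting in one frame: `secret` is cut off after its 3 ms slot even though it wanted 5 ms, `unclass` is halted for touching `secret`'s memory while `secret` and `guard` keep running in the next frame, and the only path by which `secret`'s data reaches `unclass` is through the guard, because a direct `secret -> unclass` send is refused. The audit list is the kernel's record of every refusal, which is what a monitoring function would consume in a real deployment.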