White Paper

Next-Generation Safe and Secure Processing Systems for Aerospace and Defense Applications

Issue link: https://read.uberflip.com/i/1293184


The goal is to ensure that responses to new security threats do not affect the safety of the system and, likewise, that the static nature of present safety systems does not force known vulnerabilities to persist in the field. As alluded to earlier, a malicious actor with a foothold on a system can degrade safety faster than any component failure.

Reconciling Safety and Security Requirements

The modern defense industry is creating new holistic capabilities and approaches that address the need for mission-critical systems to be both safe and secure. These approaches and technologies include:

• Kerckhoffs's principle. Adapting Kerckhoffs's cryptographic principle to security in general means designing a system that remains secure even if everything about it, except certain specific data (the keys), is public knowledge. That is, the system's security should rest on techniques that can be exposed to broad scrutiny as part of the safety-certification process and still hold.

• Detect and react. Systems security engineering should either minimize reliance on 'detect and react' strategies or minimize their impact on potential failures, as evaluated by failure mode, effects and criticality analysis (FMECA) or other analysis methods. This reduces the need for situational awareness to decide whether a hurried retreat to a more secure state is required: if all states are equally secure, no action is required.

• Bounded reactions. Another approach that minimizes the impact of 'detect and react' in safe systems is to restrict the asynchronous nature of these reactions by establishing a limited, predefined set of threat-detection reactions. Limiting the breadth of these reactions aids system determinism and mitigates any detrimental effect on the safety case.

• Fault-tolerant responses. These also reduce the impact of 'detect and react'. When implemented, the reaction to a detected cyber event is to move to a redundant container while cleaning the infected one. This approach introduces its own issues, as redundant processing schemes are by their very nature a security risk (every redundant lane is another copy of the software to compromise). In general, 'detect and failover' can readily be made consistent with safety, while 'detect and change behavior' is more problematic.

• Data path versus control path. This approach treats security software in a manner analogous to how maps and charts are treated on an aircraft. Continuously changing components (virus definitions, for example) are treated as data, while the software that manages, manipulates and controls those changes is assured as safe and is only modified under rigorous, overseeing control processes. This approach may be viewed as an extension of DO-178 and DO-326.

FIGURE 7 Mercury's HDS6605 server blades are trusted OpenVPX building blocks for integration into powerful embedded processing systems. These blades feature extreme environmental packaging and have options for proven, fourth-generation BuiltSECURE SSE for deployment anywhere.

FIGURE 8 Combining demonstrable (public) system safety and proven (private) security is becoming increasingly manageable with new holistic design approaches.

Kerckhoffs's Principle: 'A cryptographic system should be secure even if everything about the system, except the key, is public knowledge.'
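
The data-path/control-path split and the bounded set of threat-detection reactions described above can be made concrete in code. The following Python is an added illustration, not Mercury code and not part of BuiltSECURE. It assumes that definitions are shipped as a JSON blob with an HMAC-SHA256 tag under a key provisioned at build time (a stand-in for the asymmetric signature a fielded system would use, chosen so the example runs offline with the standard library), a closed reaction table fixed at build time, and two processing lanes, one active and one standby. The control path's logic never changes in the field; only the definitions it consumes do, and every detected event maps to exactly one reaction from the fixed set, with 'detect and failover' as the only response to a compromised lane.

```python
import enum
import hashlib
import hmac
import json
from typing import Tuple

# Assumption: a symmetric key provisioned into the control path at build time.
# It stands in for the asymmetric update-signing key a fielded system would use,
# so this example runs offline with the standard library only.
UPDATE_KEY = b"example-build-time-key"


class Reaction(enum.Enum):
    """The closed set of reactions the control path can ever take."""
    NONE = "none"                    # nothing changes
    REJECT_UPDATE = "reject_update"  # keep last-known-good definitions
    FAILOVER = "failover"            # move processing to the standby lane


# Every detectable event maps to exactly one reaction. The table is fixed at
# build time, so the response to any event is known when the system is analysed.
REACTION_TABLE = {
    "bad_signature": Reaction.REJECT_UPDATE,
    "version_rollback": Reaction.REJECT_UPDATE,
    "malformed_definitions": Reaction.REJECT_UPDATE,
    "lane_compromised": Reaction.FAILOVER,
}


def sign_definitions(defs: dict) -> Tuple[bytes, str]:
    """Producer side: serialise definitions (the data path) and tag them."""
    blob = json.dumps(defs, sort_keys=True).encode()
    return blob, hmac.new(UPDATE_KEY, blob, hashlib.sha256).hexdigest()


class ControlPath:
    """Fixed, assured logic; only the definitions it consumes change in the field."""

    def __init__(self, initial_defs: dict):
        self.defs = initial_defs                    # last-known-good definitions
        self.lanes = {"A": "clean", "B": "clean"}   # redundant processing lanes
        self.active = "A"
        self.events = []                            # audit trail of (event, reaction)

    def react(self, event: str) -> Reaction:
        # An event outside the table gets NONE: the control path never improvises.
        reaction = REACTION_TABLE.get(event, Reaction.NONE)
        self.events.append((event, reaction))
        return reaction

    def load_definitions(self, blob: bytes, tag: str) -> Reaction:
        """Accept new definitions only if authentic, well-formed and newer."""
        expected = hmac.new(UPDATE_KEY, blob, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return self.react("bad_signature")
        try:
            candidate = json.loads(blob)
            version = candidate["version"]
            patterns = candidate["patterns"]
            if not isinstance(version, int) or not all(isinstance(p, str) for p in patterns):
                raise ValueError("schema violation")
        except (ValueError, KeyError, TypeError):
            return self.react("malformed_definitions")
        if version <= self.defs["version"]:
            return self.react("version_rollback")   # no downgrade to a known-bad set
        self.defs = candidate
        return Reaction.NONE

    def lane_compromised(self, lane: str) -> Reaction:
        """Detect and failover: switch lanes, rebuild the tainted one, change nothing else."""
        reaction = self.react("lane_compromised")
        standby = "B" if self.active == "A" else "A"
        if lane == self.active and self.lanes[standby] == "clean":
            self.active = standby
        # If no clean standby exists the active lane is kept; behaviour still does
        # not change, the lane is only marked for rebuild.
        self.lanes[lane] = "rebuilding"
        return reaction


if __name__ == "__main__":
    cp = ControlPath({"version": 1, "patterns": ["evil.exe"]})   # constructed sample
    blob, tag = sign_definitions({"version": 2, "patterns": ["evil.exe", "worse.dll"]})
    print(cp.load_definitions(blob, tag), cp.defs["version"])
    print(cp.load_definitions(blob[:-1] + b" ", tag))             # tampered blob
    print(cp.lane_compromised("A"), cp.active, cp.lanes)
```

Note that an event outside the table produces Reaction.NONE rather than an improvised response, and a failover never alters what the active lane computes. That is what keeps the reactions analysable in a FMECA, and it is exactly where a 'detect and change behavior' design would break the safety argument.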
