Distributed MILS: A novel approach to advanced ATM communication services

Air Traffic Management (ATM) in the United States NEXTGEN as well as the European SESAR has embraced the concept of System Wide Information Management (SWIM) as the means to improve data exchange between various applications in different domains such as flight data management, weather and aeronautical information management. Enabling SWIM is a challenging change for ATM. Although many building blocks are already available, a full SWIM deployment will take time. While current functionality is based on historical grown technical restrictions, a performance-based and most efficient approach requires new paradigms to organize the commonly shared information and develop and deploy the associated changes in the different user systems and applications. In general, ATM services, covering voice and data, are migrating towards a global and seamless airspace. Driven by the availability of ever increasing bandwidth within wide area networks new technologies are emerging such as Cloud Computing. The safety critical nature of ATM requires secure and timely sharing of information between separate platforms and divers user groups. Producers and consumers of ATM related information together with the information elements themselves reside in multiple domains, requiring cross domain solutions. This contribution introduces a concept for Distributed Multiple Independent Layers of Security (MILS) for Dependable Information and Communication Infrastructures applied to ATM voice and data services. Safety and security requirements intrinsic to ATM networks present an ideal application for Distributed MILS architectures. This paper focuses on use cases requiring deployment in multiple instantiations for general system availability enhancements or to separate data between both untrusted and trustworthy domains. Use cases are derived from Communication Services representing a unique class of communications equipment serving special purposes in safety of life critical and security sensitive ar- as. Distributed MILS methodologies are used to achieve the required system availability. Distributed MILS allows selected information elements to reside in all instantiated structures while completely prohibiting the propagation of faults from one side to the other and as such providing for a valid business continuity design. In the case of separated user domains the solution must not only ensure separation but also the integrity of voice and data streams on an end-to-end basis. Hardware virtualization techniques provide a new way of designing business continuity solutions for ATM solutions. It reduces cost and simplifies system designs through the separation of data and information elements from the underlying hardware. Hardware degrades to a commodity exchangeable and replaceable in size, and scales separated from the hosted applications via abstraction layer. Typical virtualization characteristics include partitioning, isolation, immediate multi-instantiation, and hardware independence. A discussion of the technical challenges arising from the use of Distributed MILS approach in a safety-critical environment concludes the contribution.