This summer, Egis welcomed industry leaders from across aviation to our offices during the Farnborough International Air Show. As part of that event, I had the pleasure of sharing my thoughts about the future of security technologies for aviation, highlighting key topics that can provide foundational security to next generation aviation systems.
This post covers the first of these topics: containerization and the benefits it can bring to safety critical operational environments such as aviation.
Following the path from physical, to virtual, to containers.
In recent years, people have become familiar with the idea of Virtual Machines – logical servers all sitting inside a single physical machine and sharing resources. As a concept it’s easy to relate to – we know what a server looks like, and a virtual machine behaves just like a physical server except for its physical footprint. For most services that we use, it doesn’t matter to us if the server is virtual or physical – the function is the same.
One of the assurance challenges of virtual machines in aviation is documenting, with confidence, 'non-interference' between virtual machines that share hardware. Huge steps have been taken in showing not only that contention for shared hardware resources can be bounded and controlled, but also that separate virtual machines are truly isolated from each other.
This has been a key issue in aviation, as our safety management is built on understanding and controlling the operating environment of systems – adding any uncertainty around the available resources at any moment in time can completely undermine foundational concepts that a safety argument might be built on.
Full fat vs diet on servers.
Regardless of the progress on assuring virtual servers, they are still built and managed like physical servers: with full operating systems and, often, a wide array of default software that is never used. The same familiar patching and update concerns therefore apply. Of course, the virtual machine hosting infrastructure brings other benefits such as snapshots, replication and transparent backups, which together generally provide a net benefit over physical servers, but the vast majority of the drawbacks remain. It is an all-inclusive approach that simplifies management and maintenance but leaves a treasure trove of tools for attackers, who can use the shells, interpreters and network utilities already present rather than bringing their own.
The most functionally important aspect of a server is the application software – the Operating System and everything around it is there to give it an environment to run in, but typical Operating Systems are highly generalised and designed to support every conceivable application function. Traditional servers will normally have a huge amount of functional capability that is not needed to support the specific application.
Compared to virtual machines, containers aim for the same separation between workloads but with much less machinery. There is no hypervisor and no guest operating system: containers share the host's kernel and rely on kernel features (on Linux, namespaces, control groups, capabilities and seccomp filters) to partition processes, filesystems and networking. They are built using just the core parts needed to run their specific application. The trade-off is that the isolation boundary is the shared kernel rather than a hypervisor, so a kernel flaw, or a container run as root with extra privileges, weakens that separation; hardening the container configuration matters as much as keeping the image lean.
It isn't just software, though. Containers also do away with most virtual hardware: a virtual machine has emulated disks, network cards and graphics devices, but most application software does not care about such things and leaves them to the operating system. Instead, containers give the software an abstract operating environment to run in, ringfenced from interference and from interfering with others; FreeBSD's implementation goes so far as to call them 'jails'.
The benefit of lean and lightweight.
There is a principle in cybersecurity called 'reduction of the attack surface'. The idea is to leave attackers the minimum leverage to get into, or move around, a system, and every unnecessary component or package installed on that system is potential leverage: it has to be patched, and it may be exactly the tool an attacker reaches for once inside. The slimmed-down deployment of a container rather than a virtual machine aligns with that principle, provided the container image is in fact kept minimal rather than built from a general-purpose distribution.
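As an added illustration that is not part of the original post, here is a multi-stage Dockerfile for a hypothetical Go service that packages the same binary two ways: a 'full fat' stage on a general-purpose distribution, and a lean stage on a distroless base that contains no shell, package manager or interpreter. The service name flight-data-service, its source layout and the go.mod/go.sum files are assumed for the example; only the Docker syntax and the public base images are real.

```dockerfile
# Added example, not code from the original post. "flight-data-service",
# its source tree and module files are assumptions made for illustration.

# ---- Stage 1: build -----------------------------------------------------
# The toolchain is only needed to compile; it must not ship in the image.
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary: no libc or dynamic loader is needed at run time, which is
# what lets the final image drop the whole distribution.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/flight-data-service ./cmd/flight-data-service

# ---- Stage 2a: the "full fat" way (the pattern to avoid) ----------------
# A general-purpose distribution: shell, package manager, curl, perl and
# hundreds of packages the service never calls. All of them need patching,
# and all of them are available to an attacker who gains code execution
# inside the container.
FROM ubuntu:22.04 AS full-fat
RUN apt-get update && apt-get install -y curl ca-certificates \
    && rm -rf /var/lib/apt/lists/*
COPY --from=build /out/flight-data-service /usr/local/bin/flight-data-service
# No USER line: the service runs as root inside the container.
CMD ["/usr/local/bin/flight-data-service"]

# ---- Stage 2b: the lean way ---------------------------------------------
# distroless/static ships CA certificates, tzdata and an /etc/passwd for
# the nonroot user, and nothing else: no shell, no package manager, no
# interpreter. An attacker who lands here has only the binary to work with.
FROM gcr.io/distroless/static-debian12:nonroot AS lean
COPY --from=build /out/flight-data-service /flight-data-service
# The :nonroot tag already selects uid 65532; stating it keeps the intent
# visible if the base tag is ever changed.
USER 65532:65532
# Exec form: there is no shell present to interpret a command string anyway.
ENTRYPOINT ["/flight-data-service"]
```

Build either variant with `docker build --target lean -t flight-data-service:lean .` or `--target full-fat`, and compare them with `docker image ls`; the lean image is a few megabytes plus the binary, the full-fat one is the whole distribution. The image is only half of the picture: at run time, flags such as `--read-only`, `--cap-drop=ALL` and `--security-opt no-new-privileges` narrow what the container can do with the shared kernel, which is the isolation boundary discussed above.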
So, containers give us VM-like separation around 'applications' (or 'services') rather than around servers, which changes the system architecture: adding capacity becomes less a matter of a bigger or more powerful server and more a matter of 'more of them'. This is often known as 'scale-out' rather than 'scale-up' design. Combined with other modern datacentre technologies, the computing resource in use can track current demand, with associated economic and environmental benefits. The 'cost' is in rethinking the architecture: moving to a more distributed model in which small specialist components work together to form the system, and, of course, assuring that more distributed system.
And security is not the only argument for simpler (leaner) implementations. An equally persuasive argument can be made around resource usage and reduced environmental impacts, for the same functions.
Containers in aviation systems.
A container-based implementation approach encourages the use of ‘microservices’ – breaking down a problem into small tasks and distributing it across many small instances. This ‘many moving parts’ model has generally not been preferred in aviation as it increases the complexity of the assurance activities.
However, in my view, we are now reaching the stage where the resilience and security benefits of containers can justify the increased assurance complexity. Container-based solutions are becoming more popular, especially where system designs have been built around the parallel and distributed processing of data.
Systems that build containerisation concepts into their core design can benefit from the scalability and efficiencies that containers bring, whilst also being more hardened against attack than traditional systems. As part of a ‘defence in depth’ approach, containers can work hand in hand with other tools such as ‘orchestration’, ‘zero trust’ and machine learning to strengthen a holistic cybersecurity solution.
Credit where credit’s due.
It is worth considering how solutions from other industries can be successfully applied to our own. For example, the containerization concepts described here don’t sit solely in the realm of cybersecurity or aviation. The original design idea for containers came from a desire to reduce resource usage and more cleanly share physical servers between different workloads. The results of a clean solution to one problem can often be applied to another problem.
Working together, engineering architects, system engineers and safety specialists can bring tailored and environmentally sensitive solutions to real world problems. This is increasingly important as the environmental impact of our activities becomes better understood.
In future articles in this series, I will be sharing some of the ways my colleagues and I work together to share progress between sectors and industries.