By Rance DeLong, Staff Scientist, The Open Group
A recent message to the staff of The Open Group by Steve Nunn, our President and CEO, quoted from the Company’s yearly strategy review document:
“As an organization, The Open Group is increasingly agile. However, more important at the moment, in particular, is the quality of resilience. Agility is a positive contributor to resilience, but being agile is not enough to be resilient. Resilience also requires continuity, recoverability, hardening, strength, forecasting, and many other capabilities. In our case, it also includes being open – operationally, culturally, technically, and in every other way. From a mission perspective, it demonstrates our progress “From Good to Great”. The Open Group has demonstrated its resilience several times in the past, and will continue to do so in the future.”
This, while being a very apt statement for our organization as a whole, especially in these times, is also a beautiful synopsis of the results of The Open Group Real-Time Embedded Systems (RTES) Forum and European Community (EC) project endeavors of recent years with respect to resilience and its supporting characteristic, agility. I’d like to share with you how our past activities are an embodiment of the principles inherent in this Strategy Statement. While there was no deliberate connection between the current strategy statement and these activities, the correspondence is a testament to the coherence of The Open Group endeavors and “mind set” over many years.
For about two decades now, The Open Group RTES Forum and related EC funded projects have pursued the development of the MILS architectural approach and its refinement to meet the challenges of new application domains. Two of those projects are the D-MILS Project (2012-2015) and the CITADEL Project (2016-2019). The objective of the CITADEL project was trustworthy resilience for critical infrastructure systems. The method, tools, and platform used to achieve this objective represented an innovative extension to the MILS architectural approach for high-assurance systems, following and building upon previous innovative extensions to MILS for distributed systems achieved in the D-MILS project. In both of these instances we have applied the principle of “conservative extension,” whereby functional extensions to the MILS platform undertaken to enable an increased scope of applicability must be accompanied by corresponding extensions to the underlying theoretical framework and tools that are crucial to maintaining demonstrable trustworthiness in MILS.
With respect to resilience, CITADEL applies to a concrete running system the paradigm expressed in the Open Dependability Through Assuredness (O-DA) Framework standard by providing a theoretically well-founded modeling, analysis, implementation and assurance realization of the O-DA Framework. CITADEL directly implements O-DA’s Failure Response Cycle, supports the Change Accommodation Cycle, and is extensible for future automation of new Change Accommodation use cases. The congruence of the CITADEL realization of O-DA and The Open Group Strategy Statement is not just superficial. In the strategy statement, “agility” represents a foundational contributing factor to “resilience.” In CITADEL, “dynamic reconfigurability” is the underlying enabling capability, and this is the concrete embodiment of agility in the MILS platform’s Foundational Plane. But agility in a system, like its physical counterpart, without discipline and training is a hollow virtue. The CITADEL Framework and approach build upon the raw agility of an arbitrarily reconfigurable platform by providing a method and tools for resilience that correspond to the “continuity, recoverability, hardening, strength, forecasting, and many other capabilities” also required for resilience, as noted by the Strategy Statement.
Let me describe how this is done.
“Continuity” is achieved in CITADEL by requiring that accommodations to significant events are made within a formalizable model that can forecast the effects of change, and that low-level configuration changes made to achieve “recoverability” do not disrupt the ongoing operation, or the necessary properties, of other parts of the system. The CITADEL Framework incorporates a Monitoring Plane that constantly senses internal and external conditions and raises alarms when essential properties are in jeopardy, an Adaptation Plane that responds to monitor alarms according to the system model and identifies a new target configuration that would be an appropriate response, and a Configuration Plane that creates and executes a plan to transition from the current configuration to the new target configuration by invoking the reconfiguration primitives of the agile platform. All of these mechanisms of the CITADEL Framework are protected by the “hardening” afforded by the underlying assured MILS platform, and the overall “strength” of the CITADEL approach rests on sound compositional reasoning, manifest in an assurance case that is created and maintained during system operation by the Certification Assurance Plane of the CITADEL Framework.
The aforementioned behaviors of the CITADEL Framework are accomplished by runtime automation that is able to escalate the handling of an exceptional situation, one lying outside the system’s formal model, to a higher level of automation or to human review and intervention. Like the O-DA Change Accommodation Cycle, this escalation is always subject to the requirement to maintain a valid assurance case for the changes proposed, and to establish “accountability” for all changes applied.
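The Failure Response Cycle sketched in the two paragraphs above, reduced to an added, runnable Python simulation. This is illustrative code written for this page, not CITADEL’s framework or platform code; the three nodes, the three services, the essential properties, the stop/start primitives and the small set of offline-verified configurations are all assumptions chosen for the example. It shows the Monitoring Plane raising alarms from sensed node health, the Adaptation Plane selecting a target only from the model’s admissible configurations, the Configuration Plane ordering the primitives so that the separation invariant holds in every intermediate state (continuity), and escalation to human review, with an accountability record, when nothing in the model fits.

```python
# Added example: a toy Monitoring / Adaptation / Configuration / Assurance loop.
# Nodes, services, properties and primitives are assumptions, not CITADEL's own.
from itertools import permutations
from typing import Dict, List, Optional, Tuple

Config = Dict[str, str]        # service -> node it currently runs on
Conditions = Dict[str, bool]   # node -> healthy, as sensed by the Monitoring Plane
Step = Tuple[str, str, str]    # (primitive, service, node)

# Assumed offline-verified configurations: the Adaptation Plane may select a
# target only from this set, which stands in for the system's formal model.
ADMISSIBLE: List[Config] = [
    {"control": "n1", "hmi": "n2", "logger": "n3"},
    {"control": "n2", "hmi": "n3", "logger": "n3"},
    {"control": "n3", "hmi": "n2", "logger": "n1"},
]

# Properties that must hold in every intermediate state of a transition, not
# only at its end: here, that control and HMI never share a node.
INVARIANTS = {"control_hmi_separated"}


def properties(cfg: Config, cond: Conditions) -> Dict[str, bool]:
    """Essential properties as predicates over a configuration and sensed conditions."""
    def up(svc: str) -> bool:
        return svc in cfg and cond.get(cfg[svc], False)
    return {
        "control_available": up("control"),
        "hmi_available": up("hmi"),
        "logger_available": up("logger"),
        "control_hmi_separated": ("control" not in cfg or "hmi" not in cfg
                                  or cfg["control"] != cfg["hmi"]),
    }


def invariants_hold(cfg: Config, cond: Conditions) -> bool:
    return all(properties(cfg, cond)[p] for p in INVARIANTS)


def monitor(cfg: Config, cond: Conditions) -> List[str]:
    """Monitoring Plane: name every essential property currently in jeopardy."""
    return [p for p, ok in properties(cfg, cond).items() if not ok]


def adapt(cond: Conditions) -> Optional[Config]:
    """Adaptation Plane: first admissible configuration satisfying every property."""
    for target in ADMISSIBLE:
        if all(properties(target, cond).values()):
            return dict(target)
    return None  # the situation lies outside the model; the caller escalates


def plan(cfg: Config, target: Config, cond: Conditions) -> Optional[List[Step]]:
    """Configuration Plane: stop/start primitives for the services that differ,
    ordered so that no intermediate state breaks an invariant. Services that
    do not move are never touched, so their operation is not disrupted."""
    moved = [s for s in target if cfg.get(s) != target[s]]
    for order in permutations(moved):
        steps: List[Step] = []
        state = dict(cfg)
        ok = True
        for svc in order:
            if svc in state:
                steps.append(("stop", svc, state.pop(svc)))
                ok = invariants_hold(state, cond)
            if ok:
                state[svc] = target[svc]
                steps.append(("start", svc, target[svc]))
                ok = invariants_hold(state, cond)
            if not ok:
                break
        if ok:
            return steps
    return None  # no safe ordering exists; treat as outside the model


def respond(cfg: Config, cond: Conditions, log: List[dict]) -> Config:
    """One turn of the Failure Response Cycle. Every outcome is recorded in the
    assurance log so that each applied (or refused) change is accountable."""
    alarms = monitor(cfg, cond)
    if not alarms:
        return cfg
    target = adapt(cond)
    steps = plan(cfg, target, cond) if target is not None else None
    if steps is None:
        log.append({"alarms": alarms, "outcome": "escalated",
                    "needs": "human review", "target": target})
        return cfg  # nothing is changed without a valid assurance argument
    log.append({"alarms": alarms, "outcome": "reconfigured", "plan": steps,
                "properties_after": properties(target, cond)})
    return target


def demo() -> Tuple[Config, List[dict]]:
    """Two constructed events: one the model can absorb, one it cannot."""
    log: List[dict] = []
    cfg = dict(ADMISSIBLE[0])
    cfg = respond(cfg, {"n1": False, "n2": True, "n3": True}, log)   # n1 fails
    cfg = respond(cfg, {"n1": True, "n2": False, "n3": False}, log)  # n2, n3 fail
    return cfg, log


if __name__ == "__main__":
    final, history = demo()
    for entry in history:
        print(entry)
    print("final configuration:", final)
```

In the first event the planner rejects the ordering that moves the control service before the HMI, because the intermediate state would put both on the same node; it returns the ordering that moves the HMI first. In the second event no admissible configuration satisfies the properties, so the loop applies nothing and records an escalation for human review, which is the point at which a real framework would require a revised assurance case before any change.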
The recent statement by Steve Nunn has set forth a view and an approach to the conduct of our organization in the current situation that is consistent with the Strategy Statement of The Open Group. This has also provided an opportunity to highlight the coherence of that view and approach with work that we have been doing on behalf of The Open Group for many years, and that embodies those principles in The Open Group standards and technologies.
Rance J. DeLong is Staff Scientist at The Open Group, co-director of the Real-Time and Embedded Systems Forum, Chairman of the MILS Working Group, and liaison to ISO SC27. He has 40+ years of software experience, emphasizing security and high-assurance. Rance has participated in 10 European Commission funded research projects, including as concept originator and technical director of D-MILS and CITADEL, and developer of an open source access control system for IIoT. His research includes methods and tools for compositional construction and assurance of critical systems, and he has been a contributor to MILS research for 17 years. He has contributed to the design of numerous secure operating systems and a MILS-based trusted smart phone. Rance holds three patents, degrees in Physics and Philosophy, plus extensive postgraduate study in Computer Science.