Keeping the ICT systems and infrastructures of the Spanish Air Force secure is like fighting a many-headed dragon. So Col. Fernando Acero Martin, Director of Cyber Defence at the Spanish Air Force, told his audience at the OpenExpo Europe conference last month in Madrid. The solution lies in using Linux and other open source software.

The problems Col. Acero faces include:

• the balance between security and safety,
• the need for cybersecurity by design and default,
• the need for cybersecurity solutions and standards,
• control over the supply chain and technological dependence of manufacturing partners,
• shadow ICT,
• the obsolescence of software, hardware, firmware protocols, algorithms and interfaces, and
• preventive, corrective, perfective, evolutionary, predictive and adaptive maintenance.

Obsolescence an impediment

According to Col. Acero the solution lies in using Linux and other open source software. Security updates are our main issue; without them, we are at risk. An aeroplane, for example, has a lifetime of 30 years or more. The ICT systems for this aeroplane, however, have a lifespan of 10 years or less.

In the Air Force a product or system typically takes between two and six years from inception to launch. That means that in some cases the ICT systems are already obsolete when we receive an aircraft, as not infrequently the delivery time for an aircraft is longer than the lifespan of its supporting ICT systems. That is a major impediment in achieving effective cyberdefense.

Border Systems

That's why the Spanish Air Force has increasingly been building its systems on open source software in general and SUSE Linux in particular. We have several successful deployments of SLES12 and SUSE Studio, Col. Acero says, one of which is what we call the Border System. This consists of a bootable software image that can be used to run or install a minimal, hardened operating system on a stand-alone, isolated workstation. These are the only places where data from the outside — e.g. on a USB stick — can be imported to the protected infrastructure after being analysed thoroughly for malware.

At this moment we have more than 250 of these border systems in use — at almost no cost, as they are based on obsolete systems without any hard drives. They have significantly improved the security of our systems, reducing incidents and security events.

Returns

The returns of using open source are hard to quantify, says Col. Acero, as some of the profits are intangible. For example, I can now try out technologies without any cost or for a fraction of the cost, and I need fewer personnel for the management and maintenance of all our services. Just the management of proprietary licences can sometimes be very difficult.

Since we need resilient, redundant and resistant systems, we need the capability to deliver critical services using different technologies at the same time. Virtualisation of servers and desktops, hyper-convergence and containers are easy and straightforward to configure using readily available open source software. The SLES12 ecosystem, for example, provides us with 120 percent of our needs for production and testing technologies.

A secure European technological ecosystem

What's still lacking in the open-source world is a Linux distribution with a very long lifespan of say 30 years. We need a system having the right accreditations for our uses: Common Criteria for security and an aeronautical certification for safety, Col. Acero says. And it needs to properly handle legacy hardware and be highly modular. I think open source is the only way to go here, as market pressure makes this very hard to obtain in proprietary software. Open source software can run on many platforms, it has good legacy hardware support, it is modular, allowing you to select only the required packages, and it works on all sorts of embedded systems.

We don't have the capability to maintain a Linux distribution with a lifespan of 30 years ourselves. But there are other industries and applications with similar needs. Examples are shipping, energy supply and generation, air traffic control, water supply and purification, railroad and traffic control systems, aerospace and aircraft systems, medical systems, appliances and equipment, automotive manufacturing and on-board systems, and the Internet of Things.

So it would be very worthwhile to have such a system on a European level, managed by a supra-national, non-profit entity, as part of a solid, trusted and secure European technological ecosystem, thereby preventing the obsolescences that make critical systems vulnerable to cyberattacks. This need has been identified in several places, but as far as I know there currently are no serious initiatives to achieve this.