Briefing Agenda
21
October 2006 1 Cyber Security Research Plans for a Secure Aircraft Data Network (SADN) NITRD HCSS, Aviation Software Systems: Design for Certification Kevin Harnett Vince Rakauskas DOT/Volpe Center Infrastructure Protection and Operations
description
Cyber Security Research Plans for a Secure Aircraft Data Network (SADN) NITRD HCSS, Aviation Software Systems: Design for Certification Kevin Harnett Vince Rakauskas DOT/Volpe Center Infrastructure Protection and Operations Division. Briefing Agenda. Background - PowerPoint PPT Presentation
Transcript of Briefing Agenda
October 2006 1
Cyber Security Research Plans for aSecure Aircraft Data Network (SADN)
NITRD HCSS, Aviation Software Systems: Design for Certification
Kevin HarnettVince Rakauskas
DOT/Volpe Center Infrastructure Protection and Operations Division
October 2006 2
Briefing Agenda
• Background
• Aircraft Data Network (ADN) Cyber Security Issues
• ADN-Related Program/Systems Assessment
• Gap Analysis
• Recommendations
October 2006 3
Task 1: Baseline SADN Cyber Security Research Requirement
• Discussions with the FAA, AC/avionics manufacturers and others
• Document candidate SADN R&D technology research areas (focus on B787 and A380/350)
• Understand current Boeing 787 and Airbus 380 ADN cyber security issues
• Provide “lessons learned” to apply to cyber security requirements for the Next Generation Aircraft
Task 2: Leverage Related SADN Program
• Investigate direction of related ADN initiatives (e.g. FAA’s SSDS and the AEEC’s SEC groups)
• Leverage cyber security requirements for potential SADN R&D “partnerships”
Volpe Center Task (from NASA Glenn Research Center - GRC)
Interviews conducted with: NASA FAA (AVS, AIR-120, ATO,
ARD) Joint Planning and
Development Office (JPDO) U.S. Air Force/ESC DoD Technical Support
Working Group (TSWG) DHS ARINC/AEEC Aircraft manufacturers
(Boeing) Avionics manufacturers
(Honeywell) Airlines (United) Sensis Corporation
October 2006 4
AircraftControl
CabinServices
PsgrDevices
IFEADN
External802.11
Broadband
CrewDevices
Internal802.11 Internal
802.11
Vulnerabilities
Airlines will use Broadband Internet connectivity to support passenger services then use existing
bandwidth to support operations.
Revenue from passenger services provides funding for
increased infrastructure costs
Newvulnerabilities
are added
ADN Cyber Security Issues
Technology Advances enable new, cost-effective
connectivity between on-board Networks and Airline Ground
Networks
VHF/HFSATCOM
October 2006 5
External802.11
Broadband
AircraftControl
CabinServices
PsgrDevices
IFEADN
CrewDevices
Internal802.11 Internal
802.11
VHF/HFSATCOM
Mission-critical systems are potentially
susceptible to attack
ADN Cyber Security Issues
October 2006 6
• These cyber security vulnerabilities are not only new but have not been anticipated.
• Since it has not been a concern in the past, the existing Code of Federal Regulations does not specifically address cyber security vulnerabilities
• Consequently, there are no existing Policies, Certification Criteria or Procedures that provide assurances that cyber security vulnerabilities will not cause unsafe flight conditions
• Cyber security vulnerabilities in the ADN will be irrevocably bound to the safety of flight.
• Unmitigated, these vulnerabilities will have a definite negative effect on the safety of flight.
ADN Cyber Security Issues
October 2006 7
One Potential Solution
October 2006 8
Key ADN-Related Program/Systems
FAA• AIR-120 SDSS Program (Network Security and Safety Aircraft LAN Study) • Automated Airborne Flight Alert System (AAFAS)• AVS Boeing 787 Security Issue Papers (domain separation and EDS)• Airborne Internet (A.I.)
Industry• ARINC/AEEC) Subcommittees (particularly ADN and SEC)• ATA E-Biz's Digital Security Working Group (DSWG) and Certipath• Eurocae's WG-72 (Aeronautical System Security) Working Group
DoD• United States Air Force Airborne Network (AN) Project • USAF Multi-sensor Command and Control Aircraft (MC2A)• Coast Guard C-130J• DoD Global Information Grid (JPDO)• Technical Support Working Group (TSWG)
October 2006 9
Other ADN-Related Program/Systems
FAA• GCNSS Network-enabled Operations (NEO) Airspace Security Demo• ISS R&D Program Planning Team (PPT)
NASA• Mobile Communications Network Architecture (MCNA)• ADS-B Security Project• Aircraft Centric Data and Information Communications Systems Security
• Assessment report• Policy report
Industry• Transatlantic Secure Collaboration Program-TSCP • Wireless Communications Consortium
DoD• TWIC (& HPSD-12) - logical access smart cards• DHS's Computer Security Information Assurance (CSIA) R&D Working Group
October 2006 10
JPDO NGATS Integrated Plan, Dec 2005
• NGATS vision is to “harmonize and integrate” the Civilian and Military ATC systems
• System-wide safety and security monitoring allows analysis of failure, threat, and vulnerability trends in real-time, based on data gathered throughout the system
• NGATS allow more creative sharing of airspace capacity for civil, LEA, DoD, and commercial users through access to operational information
Next Generation Air Transportation System
JPDO NGATS goals can not be possible without “secure and safe Aircraft Data Network (ADN) and applications…”
October 2006 11
DoDDHSTSA
FAA/NASA
NGATS
Aviation Industry
UndiscoveredInterdependencies
Partner & Leverage
Gap Analysis
Potential Gaps
Potential Overlaps
October 2006 12
Leverage DoD GIG Activities° Leverage USAF GIG activities to develop a Airborne Network
(AN) to support NGATS and the AN Information Assurance (IA) Program
° DoD/USAF have legacy (Joint-STARS, AWACS,) and new “Next-Generation Weapon Systems” (e.g. USAF MC2A, CG C-130J) with IP-based Airborne platforms with security concerns
° Opportunities for DoD /DHS and FAA to partner on “joint” SADN requirements for Secure and Net-centric ADNs
SADN could impact and support several overlapping FAA A/G Demonstration Projects (NEO, SWIM, AAFAS, and AI)
Recommend Government Oversight and Participation on three key ADN Security Working Groups
° AEEC SEC ° ATA DSWG° EUROCAE WG-72
ADN-Related Program/SystemsConclusions
October 2006 13
• There are many activities underway but the ultimate technical solutions remain to be determined
• Determining solutions that will be viable for all stakeholders will be a challenge
• Additional Research and Development will need to be funded which must include the full range of stakeholder issues
• Lack of direction, oversight and coordination among the ADN-related FAA, DoD, and DHS and Aviation Industry Security Work
• Several redundant efforts and overlaps (but the greater consequence is the potential for gaps, conflicting results and undiscovered interdependencies)
• Non-government (commercial) projects driven by cost likely to overlook elements of security needed by the Federal Government
• Much potential for gain through a managed approach
Gap Analysis – Conclusions
October 2006 14
SADN Policy
SADN Certification Criteria
Net-centric Security Architecture/Services
PKI/Key Management
Air to Ground Communications
Perimeter and Boundary Defense
Identification & Authentication
EFB and Other Laptop Computers
Auditing, IDS and Incident Response
Malware
EDS of FLS and Maintenance Procedures
Policy
Certification
Infrastructure
Security
Mechanisms
Maintenance
Monitor, Deter, Detect, Respond
Research & Development topicsSecurity Concept
Research & Development TopicsRecommendation
October 2006 15
Key R&D Topics
SADN Policy
SADN Certification Criteria
Auditing, IDS and Incident Response
October 2006 16
Our Progress
Seek Opportunities For Collaboration
US Air Force Airborne Network (AN) IA Project
UK / US Workshop On Aeronautical Telecommunications Networks (ATN) Security
Boeing 787 Security Assessment
Technical Support Working Group (TSWG)
October 2006 17
Our R&D Recommendationsfor You
Gain An Awareness Of Others Activities
Understand The Goals Of The Stakeholders
Seek Collaborative Opportunities For SADN R&D Projects
Keep The Goals Of NGATS In Mind
October 2006 18
Our R&D Recommendationsfor You
Security is
“Built In”
Not
“Bolted On”
October 2006 19
Contacts
• Kevin Harnett, Volpe Center Cyber Security Program Manger– Email: [email protected]– Phone: 617-699-7086
• Vince Rakauskas, Security Engineer– Email: [email protected]– Phone: 508-339-0280
October 2006 20
Acronyms
AAFAS Automated Airborne Flight Alert System ADN Aircraft Data NetworkARP Aerospace Recommended PracticeAEEC Airlines Electronic Engineering CommitteeAI Airborne InternetARD FAA Chief Technology Officer (R&D)ATA Air Transport AssociationC-130J Coast Guard C-130J HelicopterCC Common CriteriaCONOPs Concept of OperationsCSIA Computer Security Information AssuranceDSWG Digital Security Working Group DSWGEDS Electronic Distribution of SoftwareEFB Electronic Flight BagFLS Field Loadable Software GIG-BE Global Information Grid - Bandwidth ExpansionHSPD-12 Homeland Security Presidential Directive - 12IDS Intrusion Detection SystemIFE In-Flight Entertainment
October 2006 21
Acronyms
IPS Intrusion Protection SystemISS Information System SecurityJPDO Joint Planning and Development OfficeMC2A Multi-sensor Command and Control Aircraft MCNA Mobile Communications Network ArchitectureNEO Network Enabled OperationsNGATS Next Generation Air Transportation SystemPKI Public Key InfrastructurePO Program OfficePPT Program Planning TeamRTCA Radio Technical Commission for Aviation SADN Secure Aircraft Data NetworkSCAP Security Certification and Authorization PackageSDSS Software and Digital Systems System ST&E Security Test and EvaluationSWIM System Wide Information ManagementTSCP Transatlantic Secure Collaboration ProgramTSWG Technical Support Working GroupTWIC Transportation Worker Identification Credential
