Cyber Security Research Plans for a Secure Aircraft Data Network (SADN)
NITRD HCSS, Aviation Software Systems: Design for Certification
Kevin Harnett, Vince Rakauskas
DOT/Volpe Center Infrastructure Protection and Operations Division
Briefing Agenda
• Background
• Aircraft Data Network (ADN) Cyber Security Issues
• ADN-Related Program/Systems Assessment
• Gap Analysis
• Recommendations
Volpe Center Task (from NASA Glenn Research Center - GRC)
Interviews conducted with:
• NASA
• FAA (AVS, AIR-120, ATO, ARD)
• Joint Planning and Development Office (JPDO)
• U.S. Air Force/ESC
• DoD Technical Support Working Group (TSWG)
• DHS
• ARINC/AEEC
• Aircraft manufacturers (Boeing)
• Avionics manufacturers (Honeywell)
• Airlines (United)
• Sensis Corporation
Task 1: Baseline SADN Cyber Security Research Requirement
• Discussions with the FAA, AC/avionics manufacturers and others
• Document candidate SADN R&D technology research areas (focus on B787 and A380/350)
• Understand current Boeing 787 and Airbus 380 ADN cyber security issues
• Provide “lessons learned” to apply to cyber security requirements for the Next Generation Aircraft
Task 2: Leverage Related SADN Program
• Investigate direction of related ADN initiatives (e.g. FAA’s SSDS and the AEEC’s SEC groups)
• Leverage cyber security requirements for potential SADN R&D “partnerships”
ADN Cyber Security Issues
Vulnerabilities
[Diagram of on-board networks and links. Labels: Cabin Services, ADN, IFE, Aircraft Control, Crew Devices, Psgr Devices, Internal 802.11, External 802.11, VHF/HF, SATCOM, Broadband]
• New vulnerabilities are added
• Technology advances enable new, cost-effective connectivity between on-board networks and airline ground networks
• Revenue from passenger services provides funding for increased infrastructure costs
• Airlines will use broadband Internet connectivity to support passenger services, then use existing bandwidth to support operations
ADN Cyber Security Issues
[Diagram of on-board networks and links. Labels: Cabin Services, ADN, IFE, Aircraft Control, Crew Devices, Psgr Devices, Internal 802.11, External 802.11, VHF/HF, SATCOM, Broadband]
• Threats shown: Viruses, Worms, Trojan Horses
• Threat actors shown: Hackers, Cyber Criminals, Cyber Terrorists
• Mission-critical systems are potentially susceptible to attack
ADN Cyber Security Issues
• These cyber security vulnerabilities are not only new but have not been anticipated.
• Since it has not been a concern in the past, the existing Code of Federal Regulations does not specifically address cyber security vulnerabilities.
• Consequently, there are no existing Policies, Certification Criteria or Procedures that provide assurances that cyber security vulnerabilities will not cause unsafe flight conditions.
• Cyber security vulnerabilities in the ADN will be irrevocably bound to the safety of flight.
• Unmitigated, these vulnerabilities will have a definite negative effect on the safety of flight.
Key ADN-Related Program/Systems
• FAA
  • AIR-120 SDSS Program (Network Security and Safety Aircraft LAN Study)
  • Automated Airborne Flight Alert System (AAFAS)
  • AVS Boeing 787 Security Issue Papers (domain separation and EDS)
  • Airborne Internet (A.I.)
• Industry
  • ARINC/AEEC Subcommittees (particularly ADN and SEC)
  • ATA E-Biz's Digital Security Working Group (DSWG) and Certipath
  • Eurocae's WG-72 (Aeronautical System Security) Working Group
• DoD
  • United States Air Force Airborne Network (AN) Project
  • USAF Multi-sensor Command and Control Aircraft (MC2A)
  • Coast Guard C-130J
  • DoD Global Information Grid (JPDO)
  • Technical Support Working Group (TSWG)
Other ADN-Related Program/Systems
• FAA
  • GCNSS Network-enabled Operations (NEO) Airspace Security Demo
  • ISS R&D Program Planning Team (PPT)
• NASA
  • Mobile Communications Network Architecture (MCNA)
  • ADS-B Security Project
  • Aircraft Centric Data and Information Communications Systems Security
    • Assessment report
    • Policy report
• Industry
  • Transatlantic Secure Collaboration Program (TSCP)
  • Wireless Communications Consortium
• DoD
  • TWIC (& HSPD-12) - logical access smart cards
  • DHS's Computer Security Information Assurance (CSIA) R&D Working Group
Next Generation Air Transportation System
• JPDO NGATS Integrated Plan, Dec 2005
• NGATS vision is to “harmonize and integrate” the Civilian and Military ATC systems
• System-wide safety and security monitoring allows analysis of failure, threat, and vulnerability trends in real time, based on data gathered throughout the system
• NGATS allows more creative sharing of airspace capacity for civil, LEA, DoD, and commercial users through access to operational information
JPDO NGATS goals are not possible without “secure and safe Aircraft Data Network (ADN) and applications…”
Gap Analysis
[Diagram. Labels: Partner & Leverage; Aviation Industry; DoD; DHS; TSA; FAA/NASA NGATS; Potential Overlaps; Potential Gaps; Undiscovered Interdependencies]
ADN-Related Program/Systems Conclusions
• Leverage DoD GIG Activities
• Leverage USAF GIG activities to develop an Airborne Network (AN) to support NGATS and the AN Information Assurance (IA) Program
• DoD/USAF have legacy (Joint-STARS, AWACS) and new “Next-Generation Weapon Systems” (e.g. USAF MC2A, CG C-130J) with IP-based Airborne platforms with security concerns
• Opportunities for DoD/DHS and FAA to partner on “joint” SADN requirements for Secure and Net-centric ADNs
• SADN could impact and support several overlapping FAA A/G Demonstration Projects (NEO, SWIM, AAFAS, and AI)
• Recommend Government Oversight and Participation on three key ADN Security Working Groups
  • AEEC SEC
  • ATA DSWG
  • EUROCAE WG-72
Gap Analysis – Conclusions
• There are many activities underway but the ultimate technical solutions remain to be determined
• Determining solutions that will be viable for all stakeholders will be a challenge
• Additional Research and Development will need to be funded which must include the full range of stakeholder issues
• Lack of direction, oversight and coordination among the ADN-related FAA, DoD, and DHS and Aviation Industry Security Work
• Several redundant efforts and overlaps (but the greater consequence is the potential for gaps, conflicting results and undiscovered interdependencies)
• Non-government (commercial) projects driven by cost likely to overlook elements of security needed by the Federal Government
• Much potential for gain through a managed approach
Research & Development Topics Recommendation
Security Concept: Research & Development topics
• Policy: SADN Policy
• Certification: SADN Certification Criteria
• Infrastructure: Net-centric Security Architecture/Services; PKI/Key Management
• Security Mechanisms: Air to Ground Communications; Perimeter and Boundary Defense; Identification & Authentication; EFB and Other Laptop Computers; Malware
• Maintenance: EDS of FLS and Maintenance Procedures
• Monitor, Deter, Detect, Respond: Auditing, IDS and Incident Response
Key R&D Topics
• SADN Policy
• SADN Certification Criteria
• Auditing, IDS and Incident Response
Our Progress
Seek Opportunities For Collaboration
• US Air Force Airborne Network (AN) IA Project
• UK / US Workshop On Aeronautical Telecommunications Networks (ATN) Security
• Boeing 787 Security Assessment
• Technical Support Working Group (TSWG)
Our R&D Recommendations for You
• Gain An Awareness Of Others' Activities
• Understand The Goals Of The Stakeholders
• Seek Collaborative Opportunities For SADN R&D Projects
• Keep The Goals Of NGATS In Mind
Our R&D Recommendations for You
Security is “Built In” Not “Bolted On”
Contacts
• Kevin Harnett, Volpe Center Cyber Security Program Manager
  • Email: harnett@volpe.dot.gov
  • Phone: 617-699-7086
• Vince Rakauskas, Security Engineer
  • Email: rakauskas@comcast.net
  • Phone: 508-339-0280
Acronyms
AAFAS: Automated Airborne Flight Alert System
ADN: Aircraft Data Network
ARP: Aerospace Recommended Practice
AEEC: Airlines Electronic Engineering Committee
AI: Airborne Internet
ARD: FAA Chief Technology Officer (R&D)
ATA: Air Transport Association
C-130J: Coast Guard C-130J Helicopter
CC: Common Criteria
CONOPs: Concept of Operations
CSIA: Computer Security Information Assurance
DSWG: Digital Security Working Group
EDS: Electronic Distribution of Software
EFB: Electronic Flight Bag
FLS: Field Loadable Software
GIG-BE: Global Information Grid - Bandwidth Expansion
HSPD-12: Homeland Security Presidential Directive - 12
IDS: Intrusion Detection System
IFE: In-Flight Entertainment
Acronyms
IPS: Intrusion Protection System
ISS: Information System Security
JPDO: Joint Planning and Development Office
MC2A: Multi-sensor Command and Control Aircraft
MCNA: Mobile Communications Network Architecture
NEO: Network Enabled Operations
NGATS: Next Generation Air Transportation System
PKI: Public Key Infrastructure
PO: Program Office
PPT: Program Planning Team
RTCA: Radio Technical Commission for Aviation
SADN: Secure Aircraft Data Network
SCAP: Security Certification and Authorization Package
SDSS: Software and Digital Systems System
ST&E: Security Test and Evaluation
SWIM: System Wide Information Management
TSCP: Transatlantic Secure Collaboration Program
TSWG: Technical Support Working Group
TWIC: Transportation Worker Identification Credential