Presentation on theme: "Presenter: Robert Klein Date:August 27, 2014 Federal Aviation Administration AAtS Information Exchange Vulnerability Assessment Threat-Scenario-Based."— Presentation transcript:
Presenter: Robert Klein Date:August 27, 2014 Federal Aviation Administration AAtS Information Exchange Vulnerability Assessment Threat-Scenario-Based Hazard Analysis and Risk Assessment
2 Federal Aviation Administration Data Exchange Comparison Reference Data Exchange Reference Model DATA Format AIXMFIXMWXXM Information Product NAS Standard TemplatesIndividual Flight ObjectsNAS Standard Weather Cal / Val Geospatially Corrected with Occasional Updates Geospatially Corrected with Dynamical Updates Geospatially Corrected with Dynamical Updates Authentication FAA Operator – to NESG (pub.) FAA - to NESG (pub.) Operator - to NESG (pub.) FAA - to NESG (pub.) Data & Information Description 1.Airport / Surface Templates 2.OCS, ICA, etc. 3.Flow Constrained Area 4.Standard Terminal Arrival Route (STAR) 5.Standard Instrument Departure (SID) 6.RNP Approaches, J-Routes, 7.Q-Routes, etc. 8.Temporary Flight Restriction (TFR) 9.Special Use Airspace (SUA) 10.eNOTAMs 11.Traffic Management Initiatives (TMIs) 12.Air Traffic / Traffic Flow Management 1.Flight Plan(s) 2.Approved RNAV Routing 3.RTAs 4.Flight History 5.Flight Object 6.Trajectory Option Set (TOS) 7.FF-ICE (Flight & Flow Information for a Collaborative Environment 1.METARs 2.SIGMETs and Convective SIGMETs 3.TAFs 4.Winds and Temps Aloft 5.AIRMETs 6.Real-time Surface Winds / Wind Field Profiles 7.PIREPs Primary Source FAAOperatorsNWS, FAA, and Operators
3 Federal Aviation Administration So what-? Why do we care? Collaborative Decision Making (CDM) Because... And... CDM = Operational Efficiency (η)
4 Federal Aviation Administration The Concern...
5 Federal Aviation Administration Meanwhile, in 12-A...
6 Federal Aviation Administration Airborne WiFi in the News
7 Federal Aviation Administration ‘Original Article’
8 Federal Aviation Administration AAtS Threat Portals Spoofing identity Information disclosure Elevation of privilege Denial of service Tampering with data Repudiation
9 Federal Aviation Administration Threat Categories & Descriptions Threat Number CategoryDescription TS-1 DImproper traffic originating from the EFB TS-2 E, DCabin gaining unauthorized access to DLS TS-3 E, TCabin user gains unauthorized access to Wireless Access Point TS-4 DConsumption of DLS Bandwidth TS-5 S, I, DUnauthorized Network Mapping by Authenticated User TS-6 S, E, DExternal Attacks with IP Address or Hostname TS-7 DWireless Access Point/Router DoS TS-8 S, E, IRogue access point impersonating Wireless Access Point TS-9 S, DEFB may make excessive queries, conducting a DoS TS-10 IUser in the cabin sniffing flight deck traffic TS-11 S, T, I, EAttack on the Certificate Authority and Rogue Certificates
10 Federal Aviation Administration FAA Risk Assessment Matrix Safety Risk Assessment Matrix from FAA ORDER 8040.4A
11 Federal Aviation Administration Threat Scenario Risk Assessment Assessed Risk Number of Threats Unacceptable risk0 Acceptable Risk with Mitigations 5 Acceptable risk 6
12 Federal Aviation Administration Conclusions The ERAU report presents several interesting network security threat scenarios. There may be others... Threat Scenarios 1 thru 11 do not represent either Hazardous or Catastrophic risk severity from an operational perspective. We are continuing to evaluate this important issue.