Presentation on theme: "Presenter: Robert Klein Date:August 27, 2014 Federal Aviation Administration AAtS Information Exchange Vulnerability Assessment Threat-Scenario-Based."— Presentation transcript:
Presenter: Robert Klein Date:August 27, 2014 Federal Aviation Administration AAtS Information Exchange Vulnerability Assessment Threat-Scenario-Based Hazard Analysis and Risk Assessment
2 Federal Aviation Administration Data Exchange Comparison Reference Data Exchange Reference Model DATA Format AIXMFIXMWXXM Information Product NAS Standard TemplatesIndividual Flight ObjectsNAS Standard Weather Cal / Val Geospatially Corrected with Occasional Updates Geospatially Corrected with Dynamical Updates Geospatially Corrected with Dynamical Updates Authentication FAA Operator – to NESG (pub.) FAA - to NESG (pub.) Operator - to NESG (pub.) FAA - to NESG (pub.) Data & Information Description 1.Airport / Surface Templates 2.OCS, ICA, etc. 3.Flow Constrained Area 4.Standard Terminal Arrival Route (STAR) 5.Standard Instrument Departure (SID) 6.RNP Approaches, J-Routes, 7.Q-Routes, etc. 8.Temporary Flight Restriction (TFR) 9.Special Use Airspace (SUA) 10.eNOTAMs 11.Traffic Management Initiatives (TMIs) 12.Air Traffic / Traffic Flow Management 1.Flight Plan(s) 2.Approved RNAV Routing 3.RTAs 4.Flight History 5.Flight Object 6.Trajectory Option Set (TOS) 7.FF-ICE (Flight & Flow Information for a Collaborative Environment 1.METARs 2.SIGMETs and Convective SIGMETs 3.TAFs 4.Winds and Temps Aloft 5.AIRMETs 6.Real-time Surface Winds / Wind Field Profiles 7.PIREPs Primary Source FAAOperatorsNWS, FAA, and Operators
3 Federal Aviation Administration So what-? Why do we care? Collaborative Decision Making (CDM) Because... And... CDM = Operational Efficiency (η)
4 Federal Aviation Administration The Concern...
5 Federal Aviation Administration Meanwhile, in 12-A...
6 Federal Aviation Administration Airborne WiFi in the News
7 Federal Aviation Administration ‘Original Article’
8 Federal Aviation Administration AAtS Threat Portals Spoofing identity Information disclosure Elevation of privilege Denial of service Tampering with data Repudiation
9 Federal Aviation Administration Threat Categories & Descriptions Threat Number CategoryDescription TS-1 DImproper traffic originating from the EFB TS-2 E, DCabin gaining unauthorized access to DLS TS-3 E, TCabin user gains unauthorized access to Wireless Access Point TS-4 DConsumption of DLS Bandwidth TS-5 S, I, DUnauthorized Network Mapping by Authenticated User TS-6 S, E, DExternal Attacks with IP Address or Hostname TS-7 DWireless Access Point/Router DoS TS-8 S, E, IRogue access point impersonating Wireless Access Point TS-9 S, DEFB may make excessive queries, conducting a DoS TS-10 IUser in the cabin sniffing flight deck traffic TS-11 S, T, I, EAttack on the Certificate Authority and Rogue Certificates
10 Federal Aviation Administration FAA Risk Assessment Matrix Safety Risk Assessment Matrix from FAA ORDER A
11 Federal Aviation Administration Threat Scenario Risk Assessment Assessed Risk Number of Threats Unacceptable risk0 Acceptable Risk with Mitigations 5 Acceptable risk 6
12 Federal Aviation Administration Conclusions The ERAU report presents several interesting network security threat scenarios. There may be others... Threat Scenarios 1 thru 11 do not represent either Hazardous or Catastrophic risk severity from an operational perspective. We are continuing to evaluate this important issue.