Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview of AEEC Information Security CONOPS Vic Patel, FAA/ATO-P WJHTC Security Engineering Simon Blake-Wilson, BCI and FAA April 19, 2004.

Published byEvelyn Dobson Modified over 10 years ago

Similar presentations

Presentation on theme: "Overview of AEEC Information Security CONOPS Vic Patel, FAA/ATO-P WJHTC Security Engineering Simon Blake-Wilson, BCI and FAA April 19, 2004."— Presentation transcript:

1 Overview of AEEC Information Security CONOPS Vic Patel, FAA/ATO-P WJHTC Security Engineering Simon Blake-Wilson, BCI and FAA April 19, 2004

2 AEEC is an association of airlines, organized by ARINC, that develop standards for avionics AEEC Information Security (SEC) Working Group formed to address increasing interest from airlines AEEC SEC participation includes airlines, airframers, avionics, IFE vendors, comms service providers FAA/ATO-P WJHTC Security Engineering Group participating in AEEC SEC AEEC SEC initial product is an Information Security Concept of Operations (CONOPS) AEEC Information Security Background

3 Goals of the Info Sec CONOPS include: Provide background in info sec for airline departments who have not dealt with it before Emphasize sound security practice Assist other AEEC groups thinking about information security Discuss issues that arise as the aircraft becomes part of the corporate LAN, and there is more connectivity between domains on the aircraft CONOPS is expected to be approved in mid 2005. AEEC Info Sec CONOPS

4 The CONOPS emphasizes the importance of following an overall information security process to secure a system: Risk-based approach High-level to allow each step to be performed at an appropriate level of detail Strangely there are no existing standards for overall approach. Common Criteria and Federal Information Security Management Act (FISMA) provide pieces but are not coordinated. FAAs Security Certification and Authorization Package (SCAP) process includes FISMA requirements CONOPS Information Security Process

5 CONOPS Information Security Process (Cont) Step 1: Identify information security needs and objectives Step 2: Select and implement security controls Step 3: Operate and manage security controls Security review

6 Step 1: Security Needs and Objectives Step 1.1: Asset identification and security categorization Step 1.2.1: Analyze risks Step 1.2.2: Identify policies 1.2.3: Determine environment and assumptions 1.3: Characterize security objectives

7 Step 1.1: Asset Identification Airline Info. Services Pass, Support Aircraft Control Flight and Embed ded Control Cabin Core Pass. Info. and Entertain Services (PIES) Pass. Devices Control Aircraft Operate Airline Entertain Passenger Adminis trative Airplane Airline Air/Ground Broadband Services Airport Data Link Services Airline Approved 3rd Parties ATSP

8 Identify information types. Step 1.1: Asset Identification Information typeTypical ownerPrimary domain Aircraft control (AC) information Airline, ATSPControl the aircraft Airline operational communications (AOC) information AirlineOperate the airline Airline administrative communications (AAC) information AirlineOperate the airline Airline passenger communications (APC) information PassengersEntertain the passengers

9 Initial step to estimate how important security is for system. Step 1.1: Security Categorization Information typeSecurity categorization ConfidentialityIntegrityAvailability Aircraft control (AC) information LowHigh Airline operational communications (AOC) information Moderate (or High?) Medium Airline administrative communications (AAC) information Moderate (or High?) Low (or Mod?) Medium Airline passenger communications (APC) information High Medium

10 Identify threats based on high-level framework. Step 1.2.1: Analyze Risks Threat IdentifierThreat description T.ACCESSAn authorized user may gain unauthorized access to the aircraft system or to information controlled by the aircraft system via user error, system error, or an attack for malicious or non-malicious purposes. T.DEVELOPSecurity failures may occur as the result of problems introduced during implementation of the aircraft system. T.ENTRYAn individual other than an authorized user may gain access to the aircraft system or to information controlled by the aircraft system via system error or an attack for malicious purposes. T.MAINTAINThe security of the aircraft system may be reduced or defeated due to errors or omissions in the administration and maintenance of the security features of the aircraft system. T.PHYSICALSecurity-critical parts of the aircraft system may be subjected to a physical attack that may compromise security.

11 Assess threat likelihood and severity using High/Medium/Low. Severity can be derived in part from hazard analysis. Step 1.2.1: Analyze Risks Threat IdentifierThreat likelihoodThreat severity T.ACCESS T.ACCESS.1TBD T.ACCESS.2TBD T.CRASH T.CRASH.1TBD T.DENIAL T.DENIAL.1TBD Etc

12 Identify policies that may affect security choices. Step 1.2.2: Identify Policies Policy IdentifierPolicy Description P.AIRLINEThis policy area covers applicable airline information security policies. P.EXPORTThis policy area covers applicable national and international export laws concerning cryptography and security controls. P.PRIVACYThis policy area covers applicable national and international laws concerning privacy. P.REGULATIONThis policy area covers applicable national and international regulations concerning development and implementation of aircraft systems.

13 Identify drivers for selection of security controls. Step 1.3: Security Objectives Policy IdentifierPolicy Description O.COMMON- CONTROLS Aircraft systems should use common security controls. O.EXISTING- LIFECYCLE Development, operation, and maintenance of security controls for aircraft systems should fit within the existing aircraft lifecycle. O.MINIMIZE- ADMIN Security controls for aircraft systems should require minimal administration. O.MISSION- ACCOMPLISH Security controls for aircraft systems should not inhibit airline mission accomplishment (i.e. delivery of passengers from point A to point B).

14 Select security controls based on needs and objectives. Step 2: Security Controls IDControl NameIDControl Name ACAccess ControlMAMaintenance ATAwareness and TrainingMPMedia Protection AUAudit and AccountabilityPEPhysical and Environmental Protection CACertification, Accreditation and Assessment PLPlanning CMConfiguration Management PSPersonnel Security CPContingency PlanningRARisk Assessment IAIdentification and Authentication SASystem and Services Acquisition IRIncident Response

15 The CONOPS touches on many issues specific to the aeronautical industry: Airline IT and maintenance have traditionally been separate Security patches and certification Lack of IT support on aircraft Long lifecycles from design to deployment and use Security and safety Etc. Aeronautical Issues with Security Controls

16 The AEEC CONOPS identifies security process for airlines and discusses many aeronautical security issues Only known standard for overall security process – but can exploit Common Criteria, FISMA, and SCAP Process potentially applicable throughout the aeronautical industry FAA WJHTC Information Security Group is using the process within programs such as NEXCOM, Future Comms Study, CPDLC Summary

Download ppt "Overview of AEEC Information Security CONOPS Vic Patel, FAA/ATO-P WJHTC Security Engineering Simon Blake-Wilson, BCI and FAA April 19, 2004."

Similar presentations

JCAHO –A HIPAA Business Associate National HIPAA Summit

JCAHO –A HIPAA Business Associate National HIPAA Summit
Module N° 3 – ICAO SARPs related to safety management

Module N° 3 – ICAO SARPs related to safety management
The European Organisation for the Safety of Air Navigation UAS Security Antonio Nogueras Head DSS/CM/ATM Security Unit EU UAS Panel Workshop, 13-14 th.

The European Organisation for the Safety of Air Navigation UAS Security Antonio Nogueras Head DSS/CM/ATM Security Unit EU UAS Panel Workshop, th.
1 F E D E R A L A V I A T I O N A D M I N I S T R A T I O N A I R T R A F F I C O R G A N I Z A T I O N 1 William J. Hughes FAA Technical Center INFORMATION.

1 F E D E R A L A V I A T I O N A D M I N I S T R A T I O N A I R T R A F F I C O R G A N I Z A T I O N 1 William J. Hughes FAA Technical Center INFORMATION.
Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
ACI/GM/3011/1.0 ACI's Portable ATN Software Products & Services Technology for next-generation aviation data communication… Presented by Forrest Colliver.

ACI/GM/3011/1.0 ACI's Portable ATN Software Products & Services Technology for next-generation aviation data communication… Presented by Forrest Colliver.
Architecture and institutional issues for AeroMACS.

Architecture and institutional issues for AeroMACS.
Introduction to Military Certification Office

Introduction to Military Certification Office
Ken Jacobs Airport Planning & Environmental Division March 3, 2010 Federal Aviation Administration Federal Aviation Administration 33.

Ken Jacobs Airport Planning & Environmental Division March 3, 2010 Federal Aviation Administration Federal Aviation Administration 33.
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Effective Design of Trusted Information Systems Luděk Novák,

Effective Design of Trusted Information Systems Luděk Novák,
Chapter 5: Asset Classification

Chapter 5: Asset Classification
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
Overview FAA IT & ISS R&D: Security Today Security Tomorrow Marshall Potter Chief Scientist for Information Technology Federal Aviation Administration.

Overview FAA IT & ISS R&D: Security Today Security Tomorrow Marshall Potter Chief Scientist for Information Technology Federal Aviation Administration.
AMR Proprietary and Confidential FAA Compliance Training.

AMR Proprietary and Confidential FAA Compliance Training.
SOX & ISO 27001 Protect your data and be ready to be audited!!!

SOX & ISO Protect your data and be ready to be audited!!!
Session 3 – Information Security Policies

Session 3 – Information Security Policies

Similar presentations

Ads by Google