Overview of AEEC Information Security CONOPS
Vic Patel, FAA/ATO-P WJHTC Security Engineering
Simon Blake-Wilson, BCI and FAA
April 19, 2004


AEEC Information Security Background

- AEEC is an association of airlines, organized by ARINC, that develops standards for avionics
- AEEC Information Security (SEC) Working Group formed to address increasing interest from airlines
- AEEC SEC participation includes airlines, airframers, avionics, IFE vendors, comms service providers
- FAA/ATO-P WJHTC Security Engineering Group participating in AEEC SEC
- AEEC SEC initial product is an Information Security Concept of Operations (CONOPS)

AEEC Info Sec CONOPS

Goals of the Info Sec CONOPS include:
- Provide background in info sec for airline departments who have not dealt with it before
- Emphasize sound security practice
- Assist other AEEC groups thinking about information security
- Discuss issues that arise as the aircraft becomes part of the corporate LAN, and there is more connectivity between domains on the aircraft

CONOPS is expected to be approved in mid

CONOPS Information Security Process

The CONOPS emphasizes the importance of following an overall information security process to secure a system:
- Risk-based approach
- High-level to allow each step to be performed at an appropriate level of detail

Strangely there are no existing standards for overall approach. Common Criteria and Federal Information Security Management Act (FISMA) provide pieces but are not coordinated.

FAA's Security Certification and Authorization Package (SCAP) process includes FISMA requirements.

CONOPS Information Security Process (Cont)

- Step 1: Identify information security needs and objectives
- Step 2: Select and implement security controls
- Step 3: Operate and manage security controls
- Security review

Step 1: Security Needs and Objectives

- Step 1.1: Asset identification and security categorization
- Step 1.2.1: Analyze risks
- Step 1.2.2: Identify policies
- Step 1.2.3: Determine environment and assumptions
- Step 1.3: Characterize security objectives

Step 1.1: Asset Identification

[Figure: asset identification diagram. Labels: Airline Info. Services; Pass. Support; Aircraft Control; Flight and Embedded Control; Cabin Core; Pass. Info. and Entertain Services (PIES); Pass. Devices; Control Aircraft; Operate Airline; Entertain Passenger; Administrative; Airplane; Airline; Air/Ground Broadband Services; Airport; Data Link Services; Airline Approved 3rd Parties; ATSP]

Step 1.1: Asset Identification

Identify information types.

| Information type | Typical owner | Primary domain |
|---|---|---|
| Aircraft control (AC) information | Airline, ATSP | Control the aircraft |
| Airline operational communications (AOC) information | Airline | Operate the airline |
| Airline administrative communications (AAC) information | Airline | Operate the airline |
| Airline passenger communications (APC) information | Passengers | Entertain the passengers |

Step 1.1: Security Categorization

Initial step to estimate how important security is for system.

Columns: Information type; Security categorization (Confidentiality, Integrity, Availability)

- Aircraft control (AC) information: Low, High
- Airline operational communications (AOC) information: Moderate (or High?), Medium
- Airline administrative communications (AAC) information: Moderate (or High?), Low (or Mod?), Medium
- Airline passenger communications (APC) information: High, Medium

Step 1.2.1: Analyze Risks

Identify threats based on high-level framework.

| Threat Identifier | Threat description |
|---|---|
| T.ACCESS | An authorized user may gain unauthorized access to the aircraft system or to information controlled by the aircraft system via user error, system error, or an attack for malicious or non-malicious purposes. |
| T.DEVELOP | Security failures may occur as the result of problems introduced during implementation of the aircraft system. |
| T.ENTRY | An individual other than an authorized user may gain access to the aircraft system or to information controlled by the aircraft system via system error or an attack for malicious purposes. |
| T.MAINTAIN | The security of the aircraft system may be reduced or defeated due to errors or omissions in the administration and maintenance of the security features of the aircraft system. |
| T.PHYSICAL | Security-critical parts of the aircraft system may be subjected to a physical attack that may compromise security. |

Step 1.2.1: Analyze Risks

Assess threat likelihood and severity using High/Medium/Low. Severity can be derived in part from hazard analysis.

Columns: Threat Identifier; Threat likelihood; Threat severity

- T.ACCESS
  - T.ACCESS.1: TBD
  - T.ACCESS.2: TBD
- T.CRASH
  - T.CRASH.1: TBD
- T.DENIAL
  - T.DENIAL.1: TBD
- Etc

Step 1.2.2: Identify Policies

Identify policies that may affect security choices.

| Policy Identifier | Policy Description |
|---|---|
| P.AIRLINE | This policy area covers applicable airline information security policies. |
| P.EXPORT | This policy area covers applicable national and international export laws concerning cryptography and security controls. |
| P.PRIVACY | This policy area covers applicable national and international laws concerning privacy. |
| P.REGULATION | This policy area covers applicable national and international regulations concerning development and implementation of aircraft systems. |

Step 1.3: Security Objectives

Identify drivers for selection of security controls.

| Policy Identifier | Policy Description |
|---|---|
| O.COMMON-CONTROLS | Aircraft systems should use common security controls. |
| O.EXISTING-LIFECYCLE | Development, operation, and maintenance of security controls for aircraft systems should fit within the existing aircraft lifecycle. |
| O.MINIMIZE-ADMIN | Security controls for aircraft systems should require minimal administration. |
| O.MISSION-ACCOMPLISH | Security controls for aircraft systems should not inhibit airline mission accomplishment (i.e. delivery of passengers from point A to point B). |

Step 2: Security Controls

Select security controls based on needs and objectives.

| ID | Control Name | ID | Control Name |
|---|---|---|---|
| AC | Access Control | MA | Maintenance |
| AT | Awareness and Training | MP | Media Protection |
| AU | Audit and Accountability | PE | Physical and Environmental Protection |
| CA | Certification, Accreditation and Assessment | PL | Planning |
| CM | Configuration Management | PS | Personnel Security |
| CP | Contingency Planning | RA | Risk Assessment |
| IA | Identification and Authentication | SA | System and Services Acquisition |
| IR | Incident Response | | |

Aeronautical Issues with Security Controls

The CONOPS touches on many issues specific to the aeronautical industry:
- Airline IT and maintenance have traditionally been separate
- Security patches and certification
- Lack of IT support on aircraft
- Long lifecycles from design to deployment and use
- Security and safety
- Etc.

Summary

- The AEEC CONOPS identifies security process for airlines and discusses many aeronautical security issues
- Only known standard for overall security process – but can exploit Common Criteria, FISMA, and SCAP
- Process potentially applicable throughout the aeronautical industry
- FAA WJHTC Information Security Group is using the process within programs such as NEXCOM, Future Comms Study, CPDLC