Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federal Aviation Administration Federal Aviation Administration 1 Presentation to: Name: Date: Federal Aviation Administration AMHS Security Security Sub-Group.

Published byNorman Norton Modified over 8 years ago

Similar presentations

Presentation on theme: "Federal Aviation Administration Federal Aviation Administration 1 Presentation to: Name: Date: Federal Aviation Administration AMHS Security Security Sub-Group."— Presentation transcript:

1 Federal Aviation Administration Federal Aviation Administration 1 Presentation to: Name: Date: Federal Aviation Administration AMHS Security Security Sub-Group Activities AMHS Security Security Sub-Group Activities ATS Message Handling System (AMHS ) Implementation Workshop Chennai, India December, 15-16 th 2008 Vic Patel FAA/ATO-P Security Engineering Group William J. Hughes FAA Technical Center Atlantic City International Airport Atlantic City, NJ 08405 USA

2 Federal Aviation Administration Federal Aviation Administration 2 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Presentation Overview 2 AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.  Security Policy  Security Checklist  Security Guidance Document  Technical Controls for AMHS Security  Other Regional Security Documents  System-wide Risk Assessment  Contingency Plan  Incident Response Plan

3 Federal Aviation Administration Federal Aviation Administration 3 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Asia/Pacific ICG Strategic Objective: Security 3  Task (1) Update System Integrity Policy as needed Asia/Pacific ATN System Security Policy Document Adopted by ICAO Asia-Pacific as of October 2008  Task (2) Develop Information Security Checklist Asia/Pacific ATN Develop Security Checklist  Task (3) Develop Information Security Guidance Asia/Pacific ATN Security Guidance Document  Task (4) Develop Information Security Solution for Initial and Enhanced Services To be included in Asia/Pacific ATN Security Guidance Document AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

4 Federal Aviation Administration Federal Aviation Administration 4 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Security Policy The Asia/Pacific region has developed an ATN System Security Policy The Policy was previously called the “System Integrity Policy” and was somewhat broader in scope. –It was agreed at the September Security Sub-Group meeting that the requirements for Interoperability be removed from this document and it was re-named the System Security Policy. The policy requires that ATN systems be verified to have appropriate security controls. The policy requires that ATN systems be formally approved for operation a Designated Approval Authority for each state/organization. 4 AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

5 Federal Aviation Administration Federal Aviation Administration 5 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Security Policy 5 Security Policy Outline: –Purpose. –Applicability. –Authority. –Implementation and Enforcement. –System Integrity Requirements. –System Integrity Services Confidentiality Data Integrity Authenticity. Availability. Accountability. Interoperability. –System Integrity Policy Statements Functional Policy Statements –Verification and Authorization AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

6 Federal Aviation Administration Federal Aviation Administration 6 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Security Checklist A checklist serves to see that controls are in place It is generally the basis on which the Approving Authority grants approval At the April 2008 meeting of the Security Subgroup it was agreed that the controls would be derived from the following document: –NIST SP 800-53, Recommended Security Controls for Federal Information Systems, December 2006 –The SP 800-53 controls were reviewed by the Security Subgroup and the Subgroup identified which of the Technical, Operational, and Management controls applied to an ATN system. At the September meeting of the Security Subgroup the controls were converted to a Checklist format. 6 AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

7 Federal Aviation Administration Federal Aviation Administration 7 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Security Guidance Document The Security Sub-Group is developing a region should develop a Security Guidance Document which provides guidance on the implementation of management, technical, and operational controls. Management controls focus on management of system and associated risks Security reviews, security risk assessments Technical controls address specific types of threats may be sub-typed as: preventative technical controls, recovery technical controls, and support technical controls Operational controls focus on operational procedures, personnel security measures, and physical security measures This document was previously called the “Security Implementation Plan” 7 AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

8 Federal Aviation Administration Federal Aviation Administration 8 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Security Guidance Document AMHS Technical Controls 8 Network Security Provisions From User Terminal to Message Server or Between Message Servers (Routers) End-to-End Security Provisions Defined in ICAO Doc 9705 Edition 3 using the ATN Digital Signature Scheme May not be implemented if region does not move to ATN air- ground security provisions AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

9 Federal Aviation Administration Federal Aviation Administration 9 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Security Guidance Document AMHS Technical Controls 9 AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

10 Federal Aviation Administration Federal Aviation Administration 10 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Security Guidance Document AMHS Technical Controls 10 AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

11 Federal Aviation Administration Federal Aviation Administration 11 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Security Guidance Document AMHS Technical Controls 11 Network Security Secure Communications from User Agents to MTA Server Technique depends on connectivity Internet Protocol Security (IPsec) Transport Layer Security (TLS) (formerly Secure Sockets Layer (SSL)) Layer 2 Protocols (Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F) Secure Shell (SSH) AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

12 Federal Aviation Administration Federal Aviation Administration 12 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Security Guidance Document AMHS Technical Controls 12 Network Security Secure Communications between Routers which support MTA Servers Communications Security IDRP Security Initially pre-shared keys Longer term - PKI Audit Logs TCP, IP, BGP Logs AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

13 Federal Aviation Administration Federal Aviation Administration 13 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Security Guidance Document Technical Control Summary Technical controls may initially consist of securing IDRP router connections –Initially using pre-shared keys –Migrate to limited use of certificates For TCP/IP MTA-to-MTA connections either TLS or IPsec may be used. For User Terminal to MTA connections layer 2 provisions may also be used As the AMHS evolves to enhanced services, including directory services, AMHS application security may be employed Firewalls and other security appliances should be introduced as needed. 13 AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

14 Federal Aviation Administration Federal Aviation Administration 14 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Contingency Plan The Security Sub-group has been tasked to develop a “Contingency and Disaster Recovery Plan. This plan identifies the coordination activities, processes, and procedures to be followed in the event that an AMHS system is unavailable. 14 AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

15 Federal Aviation Administration Federal Aviation Administration 15 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Contingency Plan NIST SP800-34, Contingency Planning Guide for Information Technology Systems, June 2002 “ IT contingency planning refers to a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of IT systems, operations, and data after a disruption. Contingency planning generally includes one or more of the approaches to restore disrupted IT services: Restoring IT operations at an alternate location Recovering IT operations using alternate equipment Performing some or al of the affected business processes using non-IT (manual) means ” 15 AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

16 Federal Aviation Administration Federal Aviation Administration 16 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Incident Response Plan The Security Sub-group has been tasked to develop an Incident Response Plan The incident response plan would specify common procedures for identifying, reporting, and responding to computing incidents. 16 AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

17 Federal Aviation Administration Federal Aviation Administration 17 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration Incident Response Plan NIST SP 800-61, Computer Security Incident Handling Guide, January 2004, specifies that an incident response capability should include the following actions: Creating an incident response policy Developing procedures for performing incident handling and reporting, based on the incident response policy Setting guidelines for communicating with outside parties regarding incidents Selecting a team structure and staffing model Establishing relationships between the incident response team and other groups, both internatl and external Determining what services the incident response team should provide Staffing and training the incident response team 17 AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

18 Federal Aviation Administration Federal Aviation Administration 18 Our Vision: Service and Safety Challenges of a Growing Aviation System April 12, 2005 Federal Aviation Administration 18 Questions AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15 th -16 th, 2008.

Download ppt "Federal Aviation Administration Federal Aviation Administration 1 Presentation to: Name: Date: Federal Aviation Administration AMHS Security Security Sub-Group."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
AMHS/SWIM Seminar Chiang Mai, Thailand 5-6 March 2012

AMHS/SWIM Seminar Chiang Mai, Thailand 5-6 March 2012
FAA AMHS Subnetwork Overview

FAA AMHS Subnetwork Overview
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
ICAO Provisions for Safety Management

ICAO Provisions for Safety Management
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Network security policy: best practices

Network security policy: best practices
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)

Similar presentations

Ads by Google