Title: Cyber Security Research Plans for a Secure Aircraft Data Network (SADN) NITRD HCSS, Aviation Software Systems: Design for Certification Kevin Harnett Vince Rakauskas DOT/Volpe Center Infrastructure Protection and Operations Division
1Cyber Security Research Plans for aSecure
Aircraft Data Network (SADN)NITRD HCSS,
Aviation Software Systems Design for
CertificationKevin HarnettVince Rakauskas
DOT/Volpe Center Infrastructure
Protection and Operations Division
2Briefing Agenda
- Background
- Aircraft Data Network (ADN) Cyber Security Issues
- ADN-Related Program/Systems Assessment
- Gap Analysis
- Recommendations
3Volpe Center Task (from NASA Glenn Research
Center - GRC)
- Task 1 Baseline SADN Cyber Security Research
Requirement - Discussions with the FAA, AC/avionics
manufacturers and others - Document candidate SADN RD technology research
areas (focus on B787 and A380/350) - Understand current Boeing 787 and Airbus 380 ADN
cyber security issues - Provide lessons learned to apply to cyber
security requirements for the Next Generation
Aircraft - Task 2 Leverage Related SADN Program
- Investigate direction of related ADN initiatives
(e.g. FAAs SSDS and the AEECs SEC groups) - Leverage cyber security requirements for
potential SADN RD partnerships
- Interviews conducted with
- NASA
- FAA (AVS, AIR-120, ATO, ARD)
- Joint Planning and Development Office (JPDO)
- U.S. Air Force/ESC
- DoD Technical Support Working Group (TSWG)
- DHS
- ARINC/AEEC
- Aircraft manufacturers (Boeing)
- Avionics manufacturers (Honeywell)
- Airlines (United)
- Sensis Corporation
4ADN Cyber Security Issues
Vulnerabilities
CabinServices
ADN
IFE
AircraftControl
CrewDevices
PsgrDevices
Internal802.11
Internal802.11
VHF/HF
SATCOM
New vulnerabilities are added
External802.11
Technology Advances enable new, cost-effective
connectivity between on-board Networks and
Airline Ground Networks
Broadband
Revenue from passenger services provides funding
for increased infrastructure costs
Airlines will use Broadband Internet connectivity
to support passenger services then use existing
bandwidth to support operations.
5ADN Cyber Security Issues
VIRUSES WORMS TROJAN HORSES
CabinServices
ADN
IFE
AircraftControl
CrewDevices
PsgrDevices
Internal802.11
Internal802.11
VHF/HF
SATCOM
External802.11
Broadband
Mission-critical systems are potentially
susceptible to attack
Cyber Criminals
Hackers
Cyber Terrorists
6ADN Cyber Security Issues
- These cyber security vulnerabilities are not only
new but have not been anticipated. - Since it has not been a concern in the past, the
existing Code of Federal Regulations does not
specifically address cyber security
vulnerabilities - Consequently, there are no existing Policies,
Certification Criteria or Procedures that provide
assurances that cyber security vulnerabilities
will not cause unsafe flight conditions - Cyber security vulnerabilities in the ADN will be
irrevocably bound to the safety of flight. - Unmitigated, these vulnerabilities will have a
definite negative effect on the safety of flight.
7One Potential Solution
8Key ADN-Related Program/Systems
- FAA
- AIR-120 SDSS Program (Network Security and Safety
Aircraft LAN Study) - Automated Airborne Flight Alert System (AAFAS)
- AVS Boeing 787 Security Issue Papers (domain
separation and EDS) - Airborne Internet (A.I.)
- Industry
- ARINC/AEEC) Subcommittees (particularly ADN and
SEC) - ATA E-Biz's Digital Security Working Group (DSWG)
and Certipath - Eurocae's WG-72 (Aeronautical System Security)
Working Group - DoD
- United States Air Force Airborne Network (AN)
Project - USAF Multi-sensor Command and Control Aircraft
(MC2A) - Coast Guard C-130J
- DoD Global Information Grid (JPDO)
- Technical Support Working Group (TSWG)
9Other ADN-Related Program/Systems
- FAA
- GCNSS Network-enabled Operations (NEO) Airspace
Security Demo - ISS RD Program Planning Team (PPT)
- NASA
- Mobile Communications Network Architecture (MCNA)
- ADS-B Security Project
- Aircraft Centric Data and Information
Communications Systems Security - Assessment report
- Policy report
- Industry
- Transatlantic Secure Collaboration Program-TSCP
- Wireless Communications Consortium
- DoD
- TWIC ( HPSD-12) - logical access smart cards
- DHS's Computer Security Information Assurance
(CSIA) RD Working Group
10Next Generation Air Transportation System
- JPDO NGATS Integrated Plan, Dec 2005
- NGATS vision is to harmonize and integrate the
Civilian and Military ATC systems - System-wide safety and security monitoring allows
analysis of failure, threat, and vulnerability
trends in real-time, based on data gathered
throughout the system - NGATS allow more creative sharing of airspace
capacity for civil, LEA, DoD, and commercial
users through access to operational information
JPDO NGATS goals can not be possible without
secure and safe Aircraft Data Network (ADN) and
applications
11Gap Analysis
Partner Leverage
DoD DHS TSA
Aviation Industry
Potential Overlaps
Potential Gaps
FAA/ NASA
NGATS
Undiscovered Interdependencies
12ADN-Related Program/SystemsConclusions
- Leverage DoD GIG Activities
- Leverage USAF GIG activities to develop a
Airborne Network (AN) to support NGATS and the AN
Information Assurance (IA) Program - DoD/USAF have legacy (Joint-STARS, AWACS,) and
new Next-Generation Weapon Systems (e.g. USAF
MC2A, CG C-130J) with IP-based Airborne platforms
with security concerns - Opportunities for DoD /DHS and FAA to partner on
joint SADN requirements for Secure and
Net-centric ADNs - SADN could impact and support several overlapping
FAA A/G Demonstration Projects (NEO, SWIM, AAFAS,
and AI) - Recommend Government Oversight and Participation
on three key ADN Security Working Groups - AEEC SEC
- ATA DSWG
- EUROCAE WG-72
13Gap Analysis Conclusions
- There are many activities underway but the
ultimate technical solutions remain to be
determined - Determining solutions that will be viable for all
stakeholders will be a challenge - Additional Research and Development will need to
be funded which must include the full range of
stakeholder issues - Lack of direction, oversight and coordination
among the ADN-related FAA, DoD, and DHS and
Aviation Industry Security Work - Several redundant efforts and overlaps (but the
greater consequence is the potential for gaps,
conflicting results and undiscovered
interdependencies) - Non-government (commercial) projects driven by
cost likely to overlook elements of security
needed by the Federal Government - Much potential for gain through a managed
approach
14Research Development TopicsRecommendation
15Key RD Topics
SADN Policy SADN Certification
Criteria Auditing, IDS and Incident Response
16Our Progress
Seek Opportunities For Collaboration US Air
Force Airborne Network (AN) IA Project UK / US
Workshop On Aeronautical Telecommunications
Networks (ATN) Security Boeing 787 Security
Assessment Technical Support Working Group
(TSWG)
17Our RD Recommendationsfor You
Gain An Awareness Of Others Activities Understand
The Goals Of The Stakeholders Seek
Collaborative Opportunities For SADN RD
Projects Keep The Goals Of NGATS In Mind
18Our RD Recommendationsfor You
Security is Built In Not Bolted On
19Contacts
- Kevin Harnett, Volpe Center Cyber Security
Program Manger - Email harnett_at_volpe.dot.gov
- Phone 617-699-7086
- Vince Rakauskas, Security Engineer
- Email rakauskas_at_comcast.net
- Phone 508-339-0280
20Acronyms
AAFAS Automated Airborne Flight Alert System
ADN Aircraft Data Network ARP Aerospace
Recommended Practice AEEC Airlines Electronic
Engineering Committee AI Airborne
Internet ARD FAA Chief Technology Officer
(RD) ATA Air Transport Association C-130J Coast
Guard C-130J Helicopter CC Common
Criteria CONOPs Concept of Operations CSIA Compu
ter Security Information Assurance DSWG Digital
Security Working Group DSWG EDS Electronic
Distribution of Software EFB Electronic Flight
Bag FLS Field Loadable Software GIG-BE Global
Information Grid - Bandwidth Expansion HSPD-12 Ho
meland Security Presidential Directive -
12 IDS Intrusion Detection System IFE In-Flight
Entertainment
21Acronyms
IPS Intrusion Protection System ISS Information
System Security JPDO Joint Planning and
Development Office MC2A Multi-sensor Command and
Control Aircraft MCNA Mobile Communications
Network Architecture NEO Network Enabled
Operations NGATS Next Generation Air
Transportation System PKI Public Key
Infrastructure PO Program Office PPT Program
Planning Team RTCA Radio Technical Commission
for Aviation SADN Secure Aircraft Data
Network SCAP Security Certification and
Authorization Package SDSS Software and Digital
Systems System STE Security Test and
Evaluation SWIM System Wide Information
Management TSCP Transatlantic Secure
Collaboration Program TSWG Technical Support
Working Group TWIC Transportation Worker
Identification Credential