Presentation is loading. Please wait.

Presentation is loading. Please wait.

Photos: Corel, Photodisk; Photodisk; Photodisk; Comstock; DOT Electronic Flight Bag Security Use Case and Aircraft Security Simulator Presented by: Chris.

Published byMildred Young Modified over 9 years ago

Similar presentations

Presentation on theme: "Photos: Corel, Photodisk; Photodisk; Photodisk; Comstock; DOT Electronic Flight Bag Security Use Case and Aircraft Security Simulator Presented by: Chris."— Presentation transcript:

1 Photos: Corel, Photodisk; Photodisk; Photodisk; Comstock; DOT Electronic Flight Bag Security Use Case and Aircraft Security Simulator Presented by: Chris Riley, CISSP (DOT/Volpe) 1

2 Electronic Flight Bag Threat Assessment

3 Identify Security Threats to the EFB Environment using classic software techniques and tools Define a repeatable process to associate security architectures within a system’s functional model Produce security related requirements from identified threats Produce commonly understood artifacts o Information Asset Characterization (FIPS 199) o Use Case and Mis-Use Case (UML2) o Risk Assessment (NIST 800-30) Volpe/UK Communications and Electronics Security Group (CESG) EFB Project Objectives 3

4 Develop an EFB Reference Implementation as a basis of Threat Assessment Hold SME Workshops to: o Identify Function Thread of Interest (Performance Calculation) o Identify Functional Requirements of the thread within the context of the reference implementation. o Identify Information Assets for Functional Thread Develop a Threat Assessment Approach leveraging UML Tools Analysis Approach 4

5 Use case is designed as a simple method to identify functional requirements. Security controls overly complicates the diagrams Security controls introduce technology into a functional model clouding functional objectives System decomposition requires a Domain Specific Language for Security to communicate requirements throughout the model Model must be easily understood by functional SME’s while containing enough detail for security experts to assess threats Applying Security Controls to UML Use Case Modeling 5

6 DescriptionExample Mitigations Information Integrity and Authenticity - Third party information providers should provide different strength of controls based on the criticality of information to EFB Operations and timeliness of delivery Digital Signatures, Virus Scanning, Transfer over authenticated/encrypted channels, Media Handling and Authenticity Procedures such as signature verification and media destruction COTS Security Baseline Configuration and Management- Several paths to the EFB could make the Windows Environment un-reliable. Adopt Security Baselines, integrity tools (e.g. virus scan) and patch management to ensure reliability. Center for Internet Security COTS Baselines, NIST Security Configuration Checklists Repository; Standardized Provisioning and Patch Management. Device Authentication / Trust Paths - Operations such as Data Load have specific trust relationships with EFB. Additional controls should augment ARINC 615a to ensure software or data is not loaded from an un- authorized device Transfer software and data via a digital authenticated point to point channel such as a VPN, Consider host- based firewalls Platform Integrity / Application Authorization - Checksum technology verifies integrity of a source, it does not imply the application is authorized. AntiVirus and Integrity Checkers can verify the integrity of the platform. Signed Applications can ensure applications are authorized to operate on the platform. EFB Risk Assessment Findings Summary 6

7 Airborne Network Security Simulator (ANSS)

8 Phase 2: Airborne Network Security Simulator (ANSS) Goals Identify potential information security threats in synthetic environment by simulating next generation aircraft communications systems. Share knowledge, tools and methodologies with academia and other interested stakeholders to extend research value. Act as coordinating authority for cyber security risk mitigation within the international aerospace & aviation community. Recommend appropriate technical & procedural standards for security risks to aid in the development of regulatory guidelines and policies. Influence industry bodies on cyber security best practice with respect to specifications, procedures, and recommendations used by the industry. 8

9 Current Situation CLOSEDCLOSED CLOSEDCLOSED PRIVATEPRIVATE PRIVATEPRIVATE PUBLICPUBLIC PUBLICPUBLIC Control the Aircraft Operate the Aircraft Passenger Use Controlled Relatively Uncontrolled Passenger-Owned Devices Aircraft Control Domain Airline Info Services Domain Passenger Info & Entertainment Services Domain VHF / HF / SatCom Wireless LAN Broadband / Cellular Airline Air Traffic Service Providers Passenger- Accessed 3 rd Party Providers Airline 3 rd Party Providers Air/Ground Broadband Network (e.g. INMARSAT) Airport Network (e.g. Gatelink) Air/Ground Datalink Service (e.g. ACARS) Mission-critical aircraft systems have increased in complexity & bandwidth requirements, in some cases accessing the Internet 9

10 ANSS Functional Components Class 3 Electronic Flight Bag – Used as an Application Platform for realistic capability Gatelink – Realistic Aircraft to Gate Connectivity OPNet – Synthetic component development platform AviationSimNet – Standards based approach to real-time linkage of external simulators 10

11 Interfacing Standards - AviationSimNet AviationSimNet is a distributed simulation bridging environment in that it allows dissimilar simulation environments to operate together in a single simulation domain. To accomplish this, AviationSimNet hosts voice and data communications that allow facilities to interoperate within the same domain. AviationSimNet is focused towards supporting real-time human-in-the-loop Air Traffic Management simulations which can include a wide range of simulation components. 11

12 Demonstration Scenario; Airline AOC to Aircraft AviationSimNet Via Internet AviationSimNet Via Internet External Training Simulator Operations Sim Flight Mngt System Sim ANSS at WSU ANSS Operational Enclave Gatelink OPS Controller Firewall Aircraft Network Control Domain Information Domain Passenger Domain TWLU EFB Load & Balance Data Performance Calculation Performance Calculation 12

13 Demonstration Scenario Final Pre-Flight Data Man-in-the- Middle device captures data and sends it to the Internet Modified Pre-Flight Data Hacker 13

14 Kevin Harnett, Volpe Center Cyber Security Program Manger –Email: kevin.harnett@dot.govkevin.harnett@dot.gov –Email: Phone: 617-699-7086 Chris Riley, Volpe Center Cyber Security Researcher –Email: riley@info-tools.com –Email: Phone: 508-672-6032 Contact Information 14

Download ppt "Photos: Corel, Photodisk; Photodisk; Photodisk; Comstock; DOT Electronic Flight Bag Security Use Case and Aircraft Security Simulator Presented by: Chris."

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.
The Future of PETAL Technology

The Future of PETAL Technology
GateFusion Wireless Content Delivery

GateFusion Wireless Content Delivery
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Photos: Corel, Photodisk; Photodisk; Photodisk; Comstock; DOT Airborne Network Security Simulator (ANSS) Master Plan Overview Presented by: Chris Riley.

Photos: Corel, Photodisk; Photodisk; Photodisk; Comstock; DOT Airborne Network Security Simulator (ANSS) Master Plan Overview Presented by: Chris Riley.
GAMMA Overview. Key Data Grant Agreement n° 312382 Starting date: 1 st September 2013 Duration: 48 months (end date 31 st August 2017) Total Budget: 14.837.981.

GAMMA Overview. Key Data Grant Agreement n° Starting date: 1 st September 2013 Duration: 48 months (end date 31 st August 2017) Total Budget:
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.

I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
The FI-WARE Project – Base Platform for Future Service Infrastructures NOVEMBER, 16th 2011Thierry Nagellen Workshop AAL Community.

The FI-WARE Project – Base Platform for Future Service Infrastructures NOVEMBER, 16th 2011Thierry Nagellen Workshop AAL Community.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
1 Multi-Domained, Multi-Homed Mobile Networks Mobile Platform Internet (MPI) mailing.

1 Multi-Domained, Multi-Homed Mobile Networks Mobile Platform Internet (MPI) mailing.
Chapter 4: Beginning the Analysis: Investigating System Requirements

Chapter 4: Beginning the Analysis: Investigating System Requirements
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Breakout Group 2: Software Quality Assurance Outcome 8/18/10 1.

Breakout Group 2: Software Quality Assurance Outcome 8/18/10 1.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Chapter 14 Managerial issues in networking. Overview Network design Network management – Hardware – Software Technology standards Role of government and.

Chapter 14 Managerial issues in networking. Overview Network design Network management – Hardware – Software Technology standards Role of government and.
Www.skyboxsecurity.com Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.

Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.

Similar presentations

Ads by Google