Electronic Flight Bag Security Use Case and Aircraft Security Simulator
Presented by: Chris Riley, CISSP (DOT/Volpe)
Photos: Corel, Photodisk; Photodisk; Photodisk; Comstock; DOT


Electronic Flight Bag Threat Assessment

Volpe/UK Communications and Electronics Security Group (CESG) EFB Project Objectives

• Identify security threats to the EFB environment using classic software techniques and tools

• Define a repeatable process to associate security architectures with a system's functional model

• Produce security-related requirements from identified threats

• Produce commonly understood artifacts:
  o Information Asset Characterization (FIPS 199)
  o Use Case and Misuse Case (UML2)
  o Risk Assessment (NIST 800-30)

Analysis Approach

• Develop an EFB reference implementation as the basis of the threat assessment

• Hold SME workshops to:
  o Identify the functional thread of interest (Performance Calculation)
  o Identify the functional requirements of the thread within the context of the reference implementation
  o Identify the information assets of the functional thread

• Develop a threat assessment approach leveraging UML tools

Applying Security Controls to UML Use Case Modeling

• A use case is designed as a simple method to identify functional requirements; adding security controls overly complicates the diagrams

• Security controls introduce technology into a functional model, clouding the functional objectives

• System decomposition requires a domain-specific language for security to communicate requirements throughout the model

• The model must be easily understood by functional SMEs while containing enough detail for security experts to assess threats

EFB Risk Assessment Findings Summary

Finding: Information Integrity and Authenticity. Third-party information providers should provide different strengths of control based on the criticality of the information to EFB operations and the timeliness of its delivery.
Example mitigations: Digital signatures; virus scanning; transfer over authenticated/encrypted channels; media handling and authenticity procedures such as signature verification and media destruction.

Finding: COTS Security Baseline Configuration and Management. Several paths to the EFB could make the Windows environment unreliable. Adopt security baselines, integrity tools (e.g. virus scanning) and patch management to ensure reliability.
Example mitigations: Center for Internet Security COTS baselines; NIST Security Configuration Checklists Repository; standardized provisioning and patch management.

Finding: Device Authentication / Trust Paths. Operations such as Data Load have specific trust relationships with the EFB. Additional controls should augment ARINC 615A to ensure software or data is not loaded from an unauthorized device.
Example mitigations: Transfer software and data via a digitally authenticated point-to-point channel such as a VPN; consider host-based firewalls.

Finding: Platform Integrity / Application Authorization. A checksum verifies the integrity of a source; it does not imply that the application is authorized.
Example mitigations: Antivirus and integrity checkers can verify the integrity of the platform; signed applications can ensure that applications are authorized to operate on the platform.

Airborne Network Security Simulator (ANSS)

Phase 2: Airborne Network Security Simulator (ANSS) Goals

• Identify potential information security threats in synthetic environment by simulating next generation aircraft communications systems.

• Share knowledge, tools and methodologies with academia and other interested stakeholders to extend research value.

• Act as coordinating authority for cyber security risk mitigation within the international aerospace & aviation community.

• Recommend appropriate technical & procedural standards for security risks to aid in the development of regulatory guidelines and policies.

• Influence industry bodies on cyber security best practice with respect to specifications, procedures, and recommendations used by the industry.


Current Situation

[Figure: aircraft network domains and their off-board links]
Aircraft Control Domain: Control the Aircraft. Closed; controlled.
Airline Info Services Domain: Operate the Aircraft. Private; controlled.
Passenger Info & Entertainment Services Domain: Passenger Use, including passenger-owned devices. Public; relatively uncontrolled.
Off-board links: VHF / HF / SatCom; Wireless LAN; Broadband / Cellular.
Ground parties and networks: Airline; Air Traffic Service Providers; Airline 3rd Party Providers; Passenger-Accessed 3rd Party Providers; Air/Ground Datalink Service (e.g. ACARS); Airport Network (e.g. Gatelink); Air/Ground Broadband Network (e.g. INMARSAT).

Mission-critical aircraft systems have increased in complexity and bandwidth requirements, in some cases accessing the Internet.

ANSS Functional Components

• Class 3 Electronic Flight Bag – Used as an Application Platform for realistic capability

• Gatelink – Realistic Aircraft to Gate Connectivity

• OPNet – Synthetic component development platform

• AviationSimNet – Standards based approach to real-time linkage of external simulators


Interfacing Standards - AviationSimNet

• AviationSimNet is a distributed simulation bridging environment in that it allows dissimilar simulation environments to operate together in a single simulation domain. To accomplish this, AviationSimNet hosts voice and data communications that allow facilities to interoperate within the same domain.

• AviationSimNet is focused on supporting real-time, human-in-the-loop Air Traffic Management simulations, which can include a wide range of simulation components.

Demonstration Scenario: Airline AOC to Aircraft

[Figure: demonstration topology]
External Training Simulator (Operations Sim, Flight Mngt System Sim), connected to the ANSS through AviationSimNet via the Internet.
ANSS at WSU: ANSS Operational Enclave (Gatelink, OPS Controller, Firewall) and Aircraft Network (Control Domain, Information Domain, Passenger Domain, TWLU, EFB).
Data exchanged: Load & Balance Data; Performance Calculation.

Demonstration Scenario

[Figure: attack flow] The final pre-flight data is sent to the aircraft. A man-in-the-middle device captures the data and sends it to the Internet, where a hacker returns modified pre-flight data to the aircraft.
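The last finding on the EFB Risk Assessment Findings Summary slide (a checksum proves integrity, not authorization) and the man-in-the-middle scenario above come down to the same check on the receiving EFB. The following Go program is an added example, not code from the Volpe/ANSS project: it models a pre-flight data package that carries a SHA-256 checksum and an Ed25519 signature, an EFB-side list of authorized publisher keys, and a gate-link interceptor that rewrites the payload. The package layout, field names, the JSON payload and the in-memory key handling are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DataLoad models a pre-flight data package (e.g. load & balance figures)
// delivered to the EFB over the gate link. The checksum travels with the
// data; the signature is made by the AOC publisher's key over the checksum.
// (Assumed layout for this example.)
type DataLoad struct {
	Payload   []byte
	Checksum  [32]byte          // SHA-256 of Payload
	Signature []byte            // Ed25519 signature over Checksum[:]
	SignerKey ed25519.PublicKey // key the sender claims to have used
}

// Verification outcomes the EFB can distinguish and log separately.
var (
	ErrIntegrity    = errors.New("checksum mismatch: payload altered in transit")
	ErrUnauthorized = errors.New("signer key not on EFB authorized-publisher list")
	ErrBadSignature = errors.New("signature does not verify under claimed key")
)

// Publish builds a signed package. A real AOC would keep the private key in an HSM.
func Publish(priv ed25519.PrivateKey, payload []byte) DataLoad {
	sum := sha256.Sum256(payload)
	return DataLoad{
		Payload:   payload,
		Checksum:  sum,
		Signature: ed25519.Sign(priv, sum[:]),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyChecksumOnly is the weak control from the findings table: it detects
// corruption or naive tampering but says nothing about who produced the data.
func VerifyChecksumOnly(d DataLoad) error {
	if sha256.Sum256(d.Payload) != d.Checksum {
		return ErrIntegrity
	}
	return nil
}

// VerifyAuthorized adds the authorization decision: the signer must be one of
// the publisher keys provisioned on the EFB, and its signature must cover the
// checksum that actually matches the payload.
func VerifyAuthorized(d DataLoad, authorized []ed25519.PublicKey) error {
	if err := VerifyChecksumOnly(d); err != nil {
		return err
	}
	trusted := false
	for _, k := range authorized {
		if bytes.Equal(k, d.SignerKey) {
			trusted = true
			break
		}
	}
	if !trusted {
		return ErrUnauthorized
	}
	if !ed25519.Verify(d.SignerKey, d.Checksum[:], d.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Intercept models the demonstration's man-in-the-middle device: it rewrites
// the payload and recomputes the checksum so a checksum-only receiver sees
// nothing wrong. It cannot produce a signature under the AOC key.
func Intercept(d DataLoad, modified []byte) DataLoad {
	d.Payload = modified
	d.Checksum = sha256.Sum256(modified)
	return d
}

// Scenario runs the cases a practitioner cares about and returns each
// verification outcome so the results can be checked rather than just printed.
func Scenario() (mitmChecksumOnly, mitmAuthorized, roguePublisher, genuine error) {
	aocPub, aocPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	authorized := []ed25519.PublicKey{aocPub} // provisioned on the EFB

	// Constructed sample: final pre-flight load & balance figures from the AOC.
	original := []byte(`{"flight":"XX123","zfw_kg":61500,"takeoff_cg_pct_mac":24.1}`)
	pkg := Publish(aocPriv, original)

	// The interceptor lowers the zero-fuel weight fed to the performance calculation.
	tampered := Intercept(pkg, []byte(`{"flight":"XX123","zfw_kg":58500,"takeoff_cg_pct_mac":24.1}`))
	mitmChecksumOnly = VerifyChecksumOnly(tampered)         // nil: checksum alone is fooled
	mitmAuthorized = VerifyAuthorized(tampered, authorized) // ErrBadSignature

	// An attacker signs a well-formed package with a key the EFB was never told to trust.
	roguePublisher = VerifyAuthorized(Publish(roguePriv, original), authorized) // ErrUnauthorized

	genuine = VerifyAuthorized(pkg, authorized) // nil
	return
}

func main() {
	a, b, c, d := Scenario()
	fmt.Println("MITM vs checksum-only:      ", a)
	fmt.Println("MITM vs signed+authorized:  ", b)
	fmt.Println("rogue publisher:            ", c)
	fmt.Println("genuine package:            ", d)
}
```

Checksum-only verification accepts the tampered package because the interceptor simply recomputes the checksum; the signed check rejects it, and separately rejects a package signed by a key the EFB was never provisioned with. The list of authorized publisher keys is what turns a signature into an authorization decision, so its provisioning and rotation path on the EFB needs the same protection as the data load itself.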

Contact Information

• Kevin Harnett, Volpe Center Cyber Security Program Manager – Email: [email protected] – Phone: 617-699-7086

• Chris Riley, Volpe Center Cyber Security Researcher – Email: [email protected] – Phone: 508-672-6032