Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA

More documents

Recommendations

Info

level). This pairing potentially provides a framework for considering FAA and the CC processes and concepts in an integrated manner. Specifically, it is conceivable that the modest FAA confidentiality requirements (if any) roughly equate to the DoD public (i.e., basic) confidentiality level, such that the DO-178B software levels can be mapped into the public variant of the three different MAC levels to identify IA (i.e., security) requirements for FAA systems. Of course, since DoDI 8500.2 is a DoD document, this association is in terms of DoD processes, and not FAA processes. However, it does provide a possible intersection that may be relevant for increased synergy between the DoD and FAA. Therefore, DoDI 8500.2 may provide a starting point for potentially integrating airborne network safety and security concepts into a common federal system by leveraging established DoD processes that comply with federal law. Nevertheless, to pursue this, the FAA needs to study and verify whether the three MAC levels identified by DoDI 8500.2 provide adequate granularity for the NAS and airborne system requirements. If they do, then the FAA could potentially directly leverage current DoD processes, if appropriate, perhaps creating a government-wide integrated safety and security engineering system. Regardless, this study concludes that this issue needs further study to be useful. Consequently, at this time, it does not provide the assurances needed to underlie the exemplar airborne network architecture. Therefore, this study will tentatively relate safety and security issues in terms of the relative assurances provided by their respective certification processes. The CC has provided seven predefined security assurance packages, on a rising scale of assurance, which are known as evaluation assurance levels (EAL). EALs provide groupings of assurance components that are intended to be generally applicable. The seven EALs are as follows: • EAL 1—Functionally Tested • EAL 2—Structurally Tested • EAL 3—Methodically Tested and Checked • EAL 4—Methodically Designed, Tested, and Reviewed • EAL 5—Semiformally Designed and Tested • EAL 6—Semiformally Verified Design and Tested • EAL 7—Formally Verified Design and Tested EAL 1, therefore, is the entry level classification of the system. EAL 1 through EAL 4 (inclusive) are expected to be generic commercial products. EAL 5 through EAL 7 (inclusive) are considered to be high-assurance products. Carol Taylor, Jim Alves-Foss, and Bob Rinker of the University of Idaho have studied the issue of dual software certification [93] for CC and DO-178B. Figure 28 is copied from their study and shows a high-level gap analysis between the CC classes and the DO-178B processes. Their study provided a fairly detailed analysis of the differences. Their study suggested that security functionality certified at EAL 5 can be directly compared with DO-178B Level A. 92
Common Criteria Classes ACM—Configuration Management ADO—Deliver and Operation ADV—Development Software AGD—Guidance Documents ALC—Life Cycle Support ATE—Tests Software AVA—Vulnerability Assessment DO-178B Processes Software Configuration Management Software Development Process Software Planning Process Verification Process Software Quality Assurance Figure 28. Gap Analysis in the Alves-Foss, et al. Study [93] The study recommends the basis for equivalency between the integrity of security controls and DO-178B safety levels should be confirmed by further study. However, in the interim, the FAA can leverage the University of Idaho results to temporarily equate the assurance of security systems certified at the CC’s EAL 5 with airborne software certified at DO-178B Level A. This means that security controls deployed on aircraft that support DO-178B Level A software currently must be certified at CC EAL 5 or higher. 29 7. EXTENDING FAA CERTIFICATION TO AIRBORNE NETWORKS. The previous sections discussed the issues that underlie how FAA certification assurance could be extended to airborne network environments. The fundamental certification issue is that when airborne software becomes deployed in a network environment, the risks and dangers of the network environment need to be mitigated. Airborne network environments are inherently different than historic ARP 4754 environments for the reasons that were previously introduced in section 3. Section 6 discussed the foundational certification issues associated with formally extending DO-178B and ARP 4754 policies by means of the Biba Integrity Model into airborne network environments. The purpose of this section is to provide greater details as to how specifically ARP 4754 (section 7.1) and DO-178B (section 7.2) processes should be extended to handle airborne network deployments. A presupposition of this study is that all airborne entities that are currently assured to DO-178B criteria or ARP 4754 guidance will need to become re-evaluated if hosted within a networked airborne environment. Unless these entities are re-evaluated in the context of the networked environment, their security provisions and the safety of the resulting system would be indeterminate. 29 This section concludes that until more definitive studies are conducted, security controls that support Level A software should be certified at CC EAL 5 or higher. Please note that this is regarding security controls, not airborne software. Specifically, this study recommends that airborne software should continue to be ensured by using FAA processes rather than in terms of CC concepts. Please note that EAL 5 is the lowest of the CC’s high assurance levels. Few COTS products in the general case are currently certified at EAL 5 or above. While this should not be problematic for firewalls or HAGs (other than the fact there are few if any Biba Integrity Model HAG products today), it may be problematic for routers. 93
Page 1 and 2:
DOT/FAA/AR-08/31 Air Traffic Organi
Page 3 and 4:
1. Report No. DOT/FAA/AR-08/31 4. T
Page 5 and 6:
5.4.2 Aircraft as a Node (MIP and M
Page 7 and 8:
11.1 Findings and Recommendations 1
Page 9 and 10:
22 Customer’s L3VPN Protocol Stac
Page 11 and 12:
LIST OF ACRONYMS AND ABBREVIATIONS
Page 13 and 14:
PBN PC PE PEP PFS PIB PIM-DM PIM-SM
Page 15 and 16:
This report states that the primary
Page 17 and 18:
1. INTRODUCTION. This is the final
Page 19 and 20:
protocol (IP)-based communications.
Page 21 and 22:
of linking aircraft-resident system
Page 23 and 24:
Industry and governments are extrem
Page 25 and 26:
2.1 NOTIONAL NETWORKED AIRCRAFT ARC
Page 27 and 28:
Other Control Sites Controller ATC
Page 29 and 30:
• The security viability of curre
Page 31 and 32:
alternative requires that parallel
Page 33 and 34:
Aircraft network security is a syst
Page 35 and 36:
4. NETWORK RISKS. This section spec
Page 37 and 38:
General Threat Identifiers FAILURE
Page 39 and 40:
esources so that the required real-
Page 41 and 42:
“With the rise of client-side att
Page 43 and 44:
• During an 11-month period (Apri
Page 45 and 46:
attempt the theft of passwords. Non
Page 47 and 48:
IP networks are organized in terms
Page 49 and 50:
either the user or the trusted soft
Page 51 and 52:
However, the previous paragraph beg
Page 53 and 54:
Table 1. Internet Engineering Task
Page 55 and 56:
Table 1. Internet Engineering Task
Page 57 and 58: Table 1. Internet Engineering Task
Page 59 and 60: • Lightweight directory access pr
Page 61 and 62: mechanism to overcome the key distr
Page 63 and 64: Deployments that need to support mu
Page 65 and 66: Today’s Reality: Islands of Commu
Page 67 and 68: Simultaneously, IP addresses are al
Page 69 and 70: in-depth manner. Defense-in-depth m
Page 71 and 72: Protection Detection Reaction / Neu
Page 73 and 74: encrypted and then encapsulated wit
Page 75 and 76: Internet (grouping of autonomous sy
Page 77 and 78: via that same IP address. Specifica
Page 79 and 80: deployments. Regional flights that
Page 81 and 82: neighbor as a next hop after “Hol
Page 83 and 84: Interface Interface Customer Site S
Page 85 and 86: Interface Customer’s Application
Page 87 and 88: Although the vast majority of PBN s
Page 89 and 90: 6. RELATING SAFETY AND SECURITY FOR
Page 91 and 92: 6.1.1 Integrity. As section 4.3 ind
Page 93 and 94: As mentioned in section 4.4, the hi
Page 95 and 96: 6.1.4 Confidentiality. Confidential
Page 97 and 98: their own classification level nor
Page 99 and 100: integrity is not permitted to obser
Page 101 and 102: software has been confirmed as leve
Page 103 and 104: • Both safety and security are co
Page 105 and 106: Device at Safety level X Device at
Page 107: in a Biba Integrity Model environme
Page 111 and 112: (see section 9.10). A secure mechan
Page 113 and 114: employed in security-critical appli
Page 115 and 116: concept, which is needed to create
Page 117 and 118: 4. Learn from past mistakes. Poor d
Page 119 and 120: exemplar airborne network architect
Page 121 and 122: • Requirement 8: Biba Integrity M
Page 123 and 124: Figure 31 shows how the recommended
Page 125 and 126: to-live (TTL) field in the IP heade
Page 127 and 128: using the traditional dual router i
Page 129 and 130: mechanism relies upon the controlle
Page 131 and 132: HAGs are high-assurance devices tha
Page 133 and 134: 8.3.5 Firewall. The firewall needs
Page 135 and 136: (AJ) or low probability of intercep
Page 137 and 138: design decisions that need to be de
Page 139 and 140: 9.2 INTEGRATED MODULAR AVIONICS IMP
Page 141 and 142: 9.3 USING PUBLIC IPs. The model and
Page 143 and 144: alerted the pilots because the fail
Page 145 and 146: environments. If the certification
Page 147 and 148: DSS (FIPS 186 [81]). Code signing i
Page 149 and 150: elationship with other equipment in
Page 151 and 152: approach is to keep the log informa
Page 153 and 154: 11. SUMMARY. Current civilian aircr
Page 155 and 156: environments should be extended to
Page 157 and 158: 12. COTS computer systems cannot be
Page 159 and 160:
14. NAS and airborne network archit
Page 161 and 162:
22. If SWAP considerations permit,
Page 163 and 164:
11.2 TOPICS NEEDING FURTHER STUDY.
Page 165 and 166:
9. Lee, Y., Rachlin, E., and Scandu
Page 167 and 168:
32. Loscocco, P., Smalley, S., Muck
Page 169 and 170:
59. Raisinghani, V. and Sridhar, I.
Page 171 and 172:
the following is a pointer to a rel
Page 173 and 174:
Department of Defense Instruction N
Page 175 and 176:
Information Assurance—The Departm
Page 177 and 178:
Threat source—Either (1) intent a
Page 179 and 180:
information found within these data
Page 181 and 182:
(HTTP) traffic (port 80), port scan
Page 183 and 184:
The simple network management proto
Page 185 and 186:
opportunities to crack the hosting
Page 187 and 188:
authorized to perform. 13 However,
Page 189 and 190:
sniffers, log-cleaning scripts, and
Page 191 and 192:
A.3.1 DENIAL OF SERVICE ATTACKS. Th
Page 193 and 194:
• Disclosure: Disclosure of routi
Page 195 and 196:
affected by the signal intermittenc
Page 197 and 198:
A-15. Barbir, A., Murphy, S., and Y
Page 199 and 200:
Survey Question What is the primary
Page 201 and 202:
Survey Question What is the primary
Page 203 and 204:
should be emphasized that there is
show all

Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?