Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
module can be verified. Installation of OS patches to fix a reported security flaw will have a higher potential impact on system safety.

Many commercial companies require extensive testing before deploying these types of vendor patches. Similar procedures need to be followed on at least a fleet-wide basis. The DoD also has policies for testing and deploying security patches (e.g., the information assurance vulnerability alert process). Similar processes and procedures should be part of the aircraft's software update system that was discussed in section 7.1. Updates should only be authorized to become available to aircraft after a level of analysis, testing, and verification commensurate with the safety criticality of the system they are updating has been completed. Updates should only occur within the aircraft after the integrity and authorization of the update package have been established.

As discussed in section 6.1.1, the U.S. DSS [81] provides a mature foundation to enable secure software load deliveries (new parts, security patches, software updates, etc.), including the update of protection software. The DSS standard provides an explicit mechanism to ensure the authenticity and integrity of signed software. The signer's PKI identity is provided as a constituent part of the signature. Should the signing have occurred under the auspices of officially sanctioned and well-defined FAA processes and mechanisms, then that signed identity can be leveraged to provide authentication and authorization within the airplane to determine whether the received code is authorized and trustworthy. Once that determination has been made, the FAA-approved onboard software update system can securely distribute the software to update the appropriate device in a safe manner. This process is discussed in section 10.6.
9.6 RESPONDING TO SECURITY BREACHES.

The aircraft's IATF-conformant defense-in-depth security design will attempt to block those security attacks that can be prevented, detect those that cannot be prevented, respond to those that are detected, and continue to operate through those that cannot be stopped. If the aircraft system architecture adequately addresses these four steps (see section 5.1), then analysis of onboard security failures that do not adversely affect safety of flight can be handled as maintenance events.

Responding to security breaches is a policy issue, so the stakeholders (manufacturer, owner, government agency, etc.) should determine what type of network monitoring to conduct and how to respond to incidents. There is a wide range of policies in the commercial and DoD domains for incident response that could be considered; however, the engineering process should focus on eliminating any safety-related events.

The flight crew will probably not have the expertise or time to perform anything beyond a minimal response to a security breach. The only potential exception would be to address a safety condition. If the issue directly impacts the operational safety of the aircraft, then the pilots must be alerted.

In section 6.1, the impact of security controls upon airplane safety was considered. The architecture recommended by this study has explicitly focused on safety within networked