Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
• ARP 4761 section 4.4. Common Cause Analysis is unlikely to recognize the gamut of possibly subtle effects resulting from the postattack actions of a compromised network device. This is true for all analysis mechanisms: zonal safety analysis, particular risks analysis, and common mode analysis.

• ARP 4761 section 5 states:

“Where the detection method is identified to be provided by test, assurance must be provided that the test procedures in fact detect the latent failures of concern.”

However, “failures of concern” in networked environments include latent software bugs that may not become visible or known until attacked. This possibility was not considered by ARP 4761.

• Similarly, the functional hazard assessments (see ARP 4761 Appendix A) also need to address software integrity issues (including software downloads and updates), network availability, and network security integrity and availability.
10.2 HOW DOES SECURITY ASSURANCE FIT INTO OVERALL CERTIFICATION PROCESS?

Security assurance is needed to provide integrity and availability protections to ensure that the DO-178B and ARP 4754 safety protections remain viable over time. If the Biba Integrity Model is used to extend ARP 4754 into network environments as this study recommends, then a mapping between the integrity of security controls and the inherent DO-178B and ARP 4754 safety concepts is needed. The nature of this mapping needs to be further studied, but the current study recommends that insights from the University of Idaho’s study [72, 73, and 93] be used to provisionally equate the CC’s EAL 5 with DO-178B Level A (see section 6.5).
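The Biba mapping recommended above, as an added illustration that is not part of the report: a small Python policy check that gives every network node an integrity label, derives avionics labels from an assumed DO-178B-to-integrity table, and rejects any data flow that violates Biba's "no write up" and "no read down" properties. The integrity lattice, the DO-178B mapping table (the report itself only equates CC EAL 5 with DO-178B Level A) and the device inventory are all assumptions constructed for this example.

```python
"""Biba integrity check over an airborne network (added illustration).

Everything here except the Biba rules themselves is an assumption: the
integrity lattice, the provisional mapping of DO-178B software levels
onto it, and the sample device inventory are constructed for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):
    """Integrity labels; a higher value means higher integrity (assumed lattice)."""
    UNTRUSTED = 0   # e.g. passenger devices, unauthenticated ground links
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Assumed provisional mapping of DO-178B software levels (A..E) onto the lattice.
DO178B_TO_INTEGRITY = {
    "A": Integrity.CRITICAL,
    "B": Integrity.HIGH,
    "C": Integrity.MEDIUM,
    "D": Integrity.LOW,
    "E": Integrity.UNTRUSTED,
}


@dataclass(frozen=True)
class Node:
    """A network endpoint (LRU, gateway, client) carrying one integrity label."""
    name: str
    level: Integrity


def label_from_do178b(level: str) -> Integrity:
    """Derive a node's integrity label from its DO-178B software level."""
    return DO178B_TO_INTEGRITY[level.upper()]


def can_read(subject: Node, obj: Node) -> bool:
    """Simple integrity property ("no read down"): a subject may only
    consume data from objects at or above its own integrity level."""
    return obj.level >= subject.level


def can_write(subject: Node, obj: Node) -> bool:
    """*-integrity property ("no write up"): a subject may only modify
    objects at or below its own integrity level."""
    return obj.level <= subject.level


def check_flow(src: Node, dst: Node) -> tuple[bool, str]:
    """A data flow src -> dst is a write by src into dst and a read by dst
    from src. On a single lattice the two conditions coincide; both are
    spelled out so the check mirrors the model's two properties."""
    if not can_write(src, dst):
        return False, (f"{src.name}({src.level.name}) may not write up to "
                       f"{dst.name}({dst.level.name})")
    if not can_read(dst, src):
        return False, (f"{dst.name}({dst.level.name}) may not read down from "
                       f"{src.name}({src.level.name})")
    return True, "permitted"


def audit_flows(flows: list[tuple[Node, Node]]) -> list[tuple[str, str, str]]:
    """Return (src, dst, reason) for every flow the Biba policy rejects."""
    violations = []
    for src, dst in flows:
        ok, reason = check_flow(src, dst)
        if not ok:
            violations.append((src.name, dst.name, reason))
    return violations


# Constructed sample inventory and proposed flows (not from the report).
FMS = Node("flight-management-system", label_from_do178b("A"))
DATALINK_GW = Node("datalink-gateway", label_from_do178b("C"))
DATA_LOADER = Node("portable-data-loader", Integrity.HIGH)
IFE = Node("in-flight-entertainment", label_from_do178b("E"))
PAX_CLIENT = Node("passenger-wifi-client", Integrity.UNTRUSTED)

SAMPLE_FLOWS = [
    (FMS, DATALINK_GW),    # position report downlink: write down, permitted
    (DATALINK_GW, FMS),    # uplinked flight plan: write up, rejected
    (DATA_LOADER, FMS),    # software load from a lower-integrity loader: rejected
    (PAX_CLIENT, IFE),     # same level: permitted
    (IFE, FMS),            # cabin network into avionics: rejected
]


def sample_violations() -> list[tuple[str, str, str]]:
    """Audit the constructed flows; returns the three rejected ones."""
    return audit_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, dst, reason in sample_violations():
        print(f"REJECT {src} -> {dst}: {reason}")
```

The rejected flows are exactly the places where the certification argument needs something the Biba model alone does not supply: a validating guard that raises the integrity of uplinked data before the flight management function consumes it, and an authenticated, integrity-checked load path for software updates, which is the "software downloads and updates" point raised for the functional hazard assessments.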
10.3 WHAT SHOULD NETWORK SECURITY ASSURANCE PROCESS CONTAIN TO MEET XX.1309?

This study’s conclusions and recommendations section (see section 11) together with the exemplar airborne network architecture (see section 8.3) provides the answer to this question. XX.1309 mentions many practical and important issues that the recommended architecture directly seeks to address and mitigate. Nevertheless, the current text of XX.1309 contains many statements and concepts that will be challenging to achieve in airborne network environments:

• The meaning of the word “system” in Section 23.1309 changes significantly within the context of an airborne environment. For one thing, systems become arbitrarily large in networked environments and, unless partitioned by VPNs, theoretically include all the devices and humans that can directly or indirectly access any part of the network. This creates the potential for danger and risk within airborne network environments in that equipment which had no potential safety hazards in nonnetworking environments may have direct and potentially catastrophic safety effects through their fate sharing