Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Unless the safety risks of a networked system have been controlled by leveraging the Biba Integrity Model, any such analysis would be improbable to perform adequately because of the many items involved and their many possible (potentially very subtle) interactions. Any such tests would be for the preattack environment and thus would represent an ideal that may become greatly modified during or after attacks. Many of these issues are addressed in the control life cycle concepts that are an integral part of the IATF defense-in-depth approach.
• Issues arise in regard to Section 25.1309 e:

“(e) Each installation whose functioning is required by this subchapter, and that requires a power supply, is an ‘essential load’ on the power supply. …”

The same logic that Section 25.1309 e explains in regard to power supplies is also needed in networked environments, applied to all possible software interactions that could affect aircraft operation. This includes obvious as well as subtle effects, intended as well as unintended, and preattack as well as postattack variants. These issues are addressed in the control life cycle concepts that are an integral part of the IATF’s defense-in-depth approach.
10.4 HOW WILL CONTINUED AIRWORTHINESS AND MAINTENANCE BE ADDRESSED?
The conclusions (see section 11) and exemplar airborne network architecture (see section 8.3) address how this study recommends that airworthiness be addressed.

Maintenance in networked software environments can potentially differ significantly from current practice, depending on the actual software design, because authorized maintenance personnel no longer need to be physically proximate to the airplane to maintain its software systems. Maintenance in networked environments requires robust authentication of the maintainer. This study recommends that maintenance personnel be authenticated by two-factor authentication systems. For example, the administrator’s PKI identity (presuming that the civil aeronautical community selects PKI for its authentication technology) could be coupled with either what he knows (e.g., a pass phrase) or what he is (i.e., biometrics). It is often advisable that administrative authorizations be restricted in terms of separation of duties with least privilege. For example, different people are authorized to administer airborne security configurations than those who are authorized to handle the non-security-related network management functions, such as downloading software.
It is important that all activities performed by administrators be automatically logged. At a minimum, the log files should state exactly the actions performed by the maintenance person, contain the individual identification of the specific maintenance personnel who performed it, as well as a timestamp and the identification of the networked device from which the administration occurred. All log records should be protected against modification or erasure. One possible
134
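The logging recommendation above (exact action, individual maintainer identity, timestamp, originating device, and protection against modification or erasure) can be illustrated with a tamper-evident audit log. This is an added example, not code from the FAA report or the IATF: each record's HMAC also covers the previous record's HMAC, so an edited or erased record is detected at verification time. The key, maintainer and device identifiers and action strings are constructed placeholders.

```python
import hashlib
import hmac
import json
import time

# Constructed key for this example only; a fielded system would keep it in a
# hardware key store that maintenance personnel cannot read or replace.
LOG_KEY = b"example-audit-log-key"

class AdminAuditLog:
    """Append-only, HMAC-chained audit trail for administrative actions.

    Each record holds the fields the study calls for (exact action, individual
    maintainer identity, timestamp, originating device), and its MAC also covers
    the previous record's MAC: editing, inserting or deleting an interior record
    breaks the chain, while erasing the newest records is caught by comparing the
    chain head with a copy retained off the aircraft.
    """

    def __init__(self, key):
        self._key = key
        self.records = []

    def _mac(self, prev_mac, body):
        payload = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def head(self):
        """Current chain head; the verifier retains a copy of this value."""
        return self.records[-1]["mac"] if self.records else "genesis"

    def append(self, maintainer_id, device_id, action, timestamp=None):
        body = {"seq": len(self.records), "maintainer": maintainer_id,
                "device": device_id, "action": action,
                "timestamp": time.time() if timestamp is None else timestamp}
        rec = {"body": body, "mac": self._mac(self.head(), body)}
        self.records.append(rec)
        return rec["mac"]

    def verify(self, expected_head=None):
        """Return (True, None) if intact, else (False, index of first bad record)."""
        prev = "genesis"
        for i, rec in enumerate(self.records):
            if rec["body"].get("seq") != i or not hmac.compare_digest(
                    rec["mac"], self._mac(prev, rec["body"])):
                return False, i
            prev = rec["mac"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.records)  # newest records were erased
        return True, None
```

Retaining the chain head off the aircraft (for example, in the ground maintenance system after each session) is what turns tail erasure from undetectable into a verification failure.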