View
229
Download
0
Category
Preview:
Citation preview
ICAO Symposium
Security Overview
9-10 May 2016 ICAO Symposium Security Overview
EVYYS Juan DOMINGO LOBATO
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
9-10 May 2016 ICAO Symposium Security Overview
Why we need Security …
Page 2
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument. May-16 Footer
Hangar Maintenance & Engineering Centre
Warehouse
Aircraft data & parts suppliers
Outstation
Gate
Operations & Dispatch centre
Selected Examples
(Non exhaustive list)
PHYSICAL THREAT OUTLOOK
Unruly passenger, Hijacker, Terrorist
Aircraft misappropriation (seizure) for blackmail
purpose or for using it as mass destruction weapon
(ex : 9/11)
Improvised Explosive Devices (IED) on board (or incendiary devices)
Aircraft sabotage on ground (unsecured
aircraft vicinity / Insiders)
Ground attack (Bomb, missile…)
Laser Illuminations
Aircraft ground attacks (ManPADS, lasers, drones,...)
Contamination of crews and passengers with
CBRN agents
Electromagnetics Interferences
(Impulses – Jamming)
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
9-10 May 2016 ICAO Symposium RPAS & ATS Security Topics
Page 4 4
4
Hangar Maintenance & Engineering Centre
Warehouse
Aircraft data & parts suppliers
Outstation
Gate
Operations & Dispatch centre
Air/Ground Links
Satellite Communications (SATCOM)
GateLink (Wireless)
COTS, Plugs, Wifi
ACARS HF & VHF Satcom
Supply chain (Embedded systems security, Transit of Software from Supplier to Aircraft…)
Cabin links accessible to passengers (Cabin Wifi, plugs
on cabin seats, FAP, bluetooth…)
Aircraft - Ground links (HF, VHF, SATCOM ; GPS, ILS…)
with in-flight access
Aircraft - Ground wireless links (Gatelink, GSM, Wifi, WiMax…)
Maintenance & Industrial systems (PMAT, PDL, troubleshooting equipment,
USB keys, ITcards…)
Selected Examples (non exhaustive) CYBERSECURITY OUTLOOK
PMAT : Portable Maintenance Terminal PDL : Portable Data-Loader FAP : Flight Attendant Panel
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
9-10 May 2016 ICAO Symposium Security Overview
Page 5
The reasons of fears…
Increased passenger connectivity
Increased real-time data to operate the A/C
Better prediction and reactiveness for improved safety and aircraft
operation
Non time-critical data Performance analysis and
big-data Better prediction of performance
trends for sustained aircraft operation
Extensive use of connectivity is all the more worrying that, at the same time, economical
constraints pushes the community to use General Public Commercial Of The Shelf (GP-COTS) products to support the connectivity
needs.
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
9-10 May 2016 ICAO Symposium Security Overview
Page 6
An evolution of capabilities…but technology can be taken hostage
Flight Operations Maintenance Cabin Crew Passengers
• Navigation Charts • Airport Maps • Weather Maps • Performance Calculations • Electronic Manuals • Technical Logbook • …
• Maintenance Tools • Performance Analysis • Monitoring • Troubleshooting • Maintenance Manuals • Technical Logbook • …
• Cabin Logbook • Cabin Management • Cabin Systems Control • Passenger Lists • Electronic Manuals • …
• IFE Systems • Internet Connectivity • Phone Services • OnBoard Intranet Service • …
The e-enabled aircraft : The times they are a Changin’ !!
Simple Proprietary Obscure Isolated Closed
Complex Standardized Documented
Connected Open
• ~144 Millions of new malwares samples recorded in 2014 • 12 millions per month • 400.000 per day 4.5 new malware variant
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
9-10 May 2016 ICAO Symposium Security Overview
Main Security Objectives
•Confidentiality* (access-controlled sensitive info) • Integrity* (accuracy & completeness resources & System) •Availability* (access at time resources & System) *Definitions taken from NATO Roadmap
Page 7
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
Safety Vs Security
9-10 May 2016 ICAO Symposium Security Overview
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
Intelligence
Interdiction Airline
Operations
Airplane CNS/ATM
Aircraft: Always the Last Line of Defense!
9-10 May 2016
Intelligence
Interdiction
Airport Security
Passenger screening
Airplane protection
Page 9
ICAO Symposium Security Overview
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
Manufacturer regulatory framework
9-10 May 2016
Getting Airworthiness Continued Airworthiness
CS-25 Certification Specifications + SC
Aircraft in operation Production tests Delivery
POA TC HOLDER
Design
DOA
21A.265 (c) Type Design
Design secure Produce secure
21A.165 (c)(1) Production
21A.139 (v)(xvi) Tests and delivery
21A.139 (v)(xvi) MANO (Manuf. Occurences)
Maintain secure
21A.265 (c) MODifications
21A.3 (a) Continued Airworthiness
Corrective actions
Part 21
Part M ICA
OPERATORS
I S O
Legend
Page 10
ICAO Symposium Security Overview
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
CONTROL STATION
RPA
9-10 May 2016 ICAO Symposium Security Overview
Break-Down Assets
•The ATM •RPAS own assets Aircraft Control Station Data Link
•The mission and data
Page 11
• Hardware • Software • Networks • Personnel • Site • Organisation
Data Link
Aircraft Payloads
ATM
Ground Station
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
9-10 May 2016 ICAO Symposium RPAS & ATS Security
Security Process: Assessment + Assurance
Page 12
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
9-10 May 2016 ICAO Symposium Security Overview
Information Security Assurance
Page 13
Cyber-Security Best Practices
Inventory of Authorized and Unauthorized Devices
Inventory of Authorized and Unauthorized Software
Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Continuous Vulnerability Assessment and Remediation
Malware Defenses
Application Software Security
Wireless Access Control
Data Recovery Capability
Security Skills Assessment and Appropriate Training to Fill Gaps
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
9-10 May 2016 ICAO Symposium Security Overview
Information Security Assurance
Page 14
Cyber-Security Best Practices
Limitation and Control of Network Ports, Protocols, and Services
Controlled Use of Administrative Privileges
Maintenance, Monitoring, and Analysis of Audit Logs
Controlled Access Based on the Need to Know
Account Monitoring and Control
Data Protection (Encryption/Secure Erasing)
Incident Response and Management
Secure Network Engineering
Penetration Tests and Red Team Exercises
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
9-10 May 2016 ICAO Symposium Security Overview
Conclusions
• The safe execution of RPAS operations is highly dependent on the security of the RPAS and its environment.
• Security addresses all aspects (HW, SW, COMMS, Air Traffic,..) that affect RPAS operations.
• Security shall be involved in the whole lifecycle of the product (design conception, development, production, Customer services, disposal)
• Exchanging with Aircraft Manufacturers • Education, awareness and training to create a security culture
Page 15
© AIRBUS Operations GmbH. Alle Rechte vorbehalten. Vertrauliches und geschütztes Dokument.
9-10 May 2016 ICAO Symposium Security Overview
References
• Manual on remotely piloted Aircraft Systems First Edition —
2015 • The Critical Security Controls for Effective Cyber Defense
Version 5.0. • Roadmap for the integration of civil Remotely-Piloted Aircraft
Systems into the European Aviation System • NATO Guidelines for the security Risk Assessment and risk
management of Communication and Information Systems CIS - AC/35-D/lOl7-REV2
Page 16
Recommended