1 / 18

Presentation to: Name: Date:

Federal Aviation Administration. AMHS Security Security Sub-Group Activities ATS Message Handling System (AMHS ) Implementation Workshop Chennai, India December, 15-16 th 2008. Vic Patel FAA/ATO-P Security Engineering Group William J. Hughes FAA Technical Center

benedict-griffin
Download Presentation

Presentation to: Name: Date:

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Federal Aviation Administration AMHS SecuritySecurity Sub-Group ActivitiesATS Message Handling System (AMHS )Implementation WorkshopChennai, IndiaDecember, 15-16th 2008 Vic Patel FAA/ATO-P Security Engineering Group William J. Hughes FAA Technical Center Atlantic City International Airport Atlantic City, NJ 08405 USA Presentation to:Name:Date:

  2. Federal Aviation Administration Presentation Overview Our Vision: Service and Safety • Security Policy • Security Checklist • Security Guidance Document • Technical Controls for AMHS Security • Other Regional Security Documents • System-wide Risk Assessment • Contingency Plan • Incident Response Plan AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 2

  3. Federal Aviation Administration Asia/Pacific ICG Strategic Objective: Security Our Vision: Service and Safety • Task (1) Update System Integrity Policy as needed • Asia/Pacific ATN System Security Policy Document • Adopted by ICAO Asia-Pacific as of October 2008 • Task (2) Develop Information Security Checklist • Asia/Pacific ATN Develop Security Checklist • Task (3) Develop Information Security Guidance • Asia/Pacific ATN Security Guidance Document • Task (4) Develop Information Security Solution for Initial and Enhanced Services • To be included in Asia/Pacific ATN Security Guidance Document AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 3

  4. Federal Aviation Administration Security Policy Our Vision: Service and Safety • The Asia/Pacific region has developed an ATN System Security Policy • The Policy was previously called the “System Integrity Policy” and was somewhat broader in scope. • It was agreed at the September Security Sub-Group meeting that the requirements for Interoperability be removed from this document and it was re-named the System Security Policy. • The policy requires that ATN systems be verified to have appropriate security controls. • The policy requires that ATN systems be formally approved for operation a Designated Approval Authority for each state/organization. AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 4

  5. Federal Aviation Administration Security Policy Our Vision: Service and Safety • Security Policy Outline: • Purpose. • Applicability. • Authority. • Implementation and Enforcement. • System Integrity Requirements. • System Integrity Services • Confidentiality • Data Integrity • Authenticity. • Availability. • Accountability. • Interoperability. • System Integrity Policy Statements • Functional Policy Statements • Verification and Authorization AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 5

  6. Federal Aviation Administration Security Checklist Our Vision: Service and Safety • A checklist serves to see that controls are in place • It is generally the basis on which the Approving Authority grants approval • At the April 2008 meeting of the Security Subgroup it was agreed that the controls would be derived from the following document: • NIST SP 800-53, Recommended Security Controls for Federal Information Systems, December 2006 • The SP 800-53 controls were reviewed by the Security Subgroup and the Subgroup identified which of the Technical, Operational, and Management controls applied to an ATN system. • At the September meeting of the Security Subgroup the controls were converted to a Checklist format. AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 6

  7. Federal Aviation Administration Security Guidance Document Our Vision: Service and Safety • The Security Sub-Group is developing a region should develop a Security Guidance Document which provides guidance on the implementation of management, technical, and operational controls. • Management controls • focus on management of system and associated risks • Security reviews, security risk assessments • Technical controls • address specific types of threats • may be sub-typed as: preventative technical controls, recovery technical controls, and support technical controls • Operational controls • focus on operational procedures, personnel security measures, and physical security measures • This document was previously called the “Security Implementation Plan” AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 7

  8. Federal Aviation Administration Security Guidance DocumentAMHS Technical Controls Our Vision: Service and Safety • Network Security Provisions • From User Terminal to Message Server or Between Message Servers (Routers) • End-to-End Security Provisions • Defined in ICAO Doc 9705 Edition 3 using the ATN Digital Signature Scheme • May not be implemented if region does not move to ATN air-ground security provisions AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 8

  9. Federal Aviation Administration Security Guidance DocumentAMHS Technical Controls Our Vision: Service and Safety AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 9

  10. Federal Aviation Administration Security Guidance DocumentAMHS Technical Controls Our Vision: Service and Safety AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 10

  11. Federal Aviation Administration Security Guidance DocumentAMHS Technical Controls Our Vision: Service and Safety Network Security Secure Communications from User Agents to MTA Server • Technique depends on connectivity • Internet Protocol Security (IPsec) • Transport Layer Security (TLS) (formerly Secure Sockets Layer (SSL)) • Layer 2 Protocols (Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F) • Secure Shell (SSH) AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 11

  12. Federal Aviation Administration Security Guidance DocumentAMHS Technical Controls Our Vision: Service and Safety Network Security Secure Communications between Routers which support MTA Servers • Communications Security • IDRP Security • Initially pre-shared keys • Longer term - PKI • Audit Logs • TCP, IP, BGP Logs AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 12

  13. Federal Aviation Administration Security Guidance DocumentTechnical Control Summary Our Vision: Service and Safety • Technical controls may initially consist of securing IDRP router connections • Initially using pre-shared keys • Migrate to limited use of certificates • For TCP/IP MTA-to-MTA connections either TLS or IPsec may be used. • For User Terminal to MTA connections layer 2 provisions may also be used • As the AMHS evolves to enhanced services, including directory services, AMHS application security may be employed • Firewalls and other security appliances should be introduced as needed. AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 13

  14. Federal Aviation Administration Contingency Plan Our Vision: Service and Safety • The Security Sub-group has been tasked to develop a “Contingency and Disaster Recovery Plan. • This plan identifies the coordination activities, processes, and procedures to be followed in the event that an AMHS system is unavailable. AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 14

  15. Federal Aviation Administration Contingency Plan Our Vision: Service and Safety • NIST SP800-34, Contingency Planning Guide for Information Technology Systems, June 2002 “IT contingency planning refers to a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of IT systems, operations, and data after a disruption. Contingency planning generally includes one or more of the approaches to restore disrupted IT services: • Restoring IT operations at an alternate location • Recovering IT operations using alternate equipment • Performing some or al of the affected business processes using non-IT (manual) means” AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 15

  16. Federal Aviation Administration Incident Response Plan Our Vision: Service and Safety • The Security Sub-group has been tasked to develop an Incident Response Plan • The incident response plan would specify common procedures for identifying, reporting, and responding to computing incidents. AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 16

  17. Federal Aviation Administration Incident Response Plan Our Vision: Service and Safety • NIST SP 800-61, Computer Security Incident Handling Guide, January 2004, specifies that an incident response capability should include the following actions: • Creating an incident response policy • Developing procedures for performing incident handling and reporting, based on the incident response policy • Setting guidelines for communicating with outside parties regarding incidents • Selecting a team structure and staffing model • Establishing relationships between the incident response team and other groups, both internatl and external • Determining what services the incident response team should provide • Staffing and training the incident response team AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 17

  18. Questions Federal Aviation Administration Our Vision: Service and Safety AMHS Security: Security Sub-Group Activities AMHS IMPLEMENTATION WORKSHOP, Chennai, India December 15th-16th, 2008. Challenges of a Growing Aviation SystemApril 12, 2005 18

More Related