Overview of AEEC Information Security CONOPS

Overview of AEEC Information Security CONOPS. Vic Patel, FAA/ATO-P WJHTC Security Engineering; Simon Blake-Wilson, BCI and FAA. April 19, 2004. AEEC Information Security Background: AEEC is an association of airlines, organized by ARINC, that develops standards for avionics.

Presentation Transcript

Overview of AEEC Information Security CONOPS

Vic Patel, FAA/ATO-P WJHTC

Security Engineering

Simon Blake-Wilson, BCI and FAA

April 19, 2004

slide2

AEEC Information Security Background

  • AEEC is an association of airlines, organized by ARINC, that develops standards for avionics
  • AEEC Information Security (SEC) Working Group formed to address increasing interest from airlines
  • AEEC SEC participation includes airlines, airframers, avionics, IFE vendors, comms service providers
  • FAA/ATO-P WJHTC Security Engineering Group participating in AEEC SEC
  • AEEC SEC initial product is an Information Security Concept of Operations (CONOPS)
slide3

AEEC Info Sec CONOPS

  • Goals of the Info Sec CONOPS include:
      • Provide background in info sec for airline departments who have not dealt with it before
      • Emphasize sound security practice
      • Assist other AEEC groups thinking about information security
      • Discuss issues that arise as the aircraft becomes part of the corporate LAN, and there is more connectivity between domains on the aircraft
  • CONOPS is expected to be approved in mid 2005.
slide4

CONOPS Information Security Process

  • The CONOPS emphasizes the importance of following an overall information security process to secure a system:
      • Risk-based approach
      • High-level to allow each step to be performed at an appropriate level of detail
  • Strangely there are no existing standards for overall approach.
  • Common Criteria and Federal Information Security Management Act (FISMA) provide pieces but are not coordinated.
  • FAA’s Security Certification and Authorization Package (SCAP) process includes FISMA requirements
slide5

CONOPS Information Security Process (Cont)

  • Step 1: Identify information security needs and objectives
  • Step 2: Select and implement security controls
  • Security review
  • Step 3: Operate and manage security controls

slide6

Step 1: Security Needs and Objectives

  • Step 1.1: Asset identification and security categorization
  • Step 1.2.1: Analyze risks
  • Step 1.2.2: Identify policies
  • Step 1.2.3: Determine environment and assumptions
  • Step 1.3: Characterize security objectives

slide7

Step 1.1: Asset Identification

[Diagram: airplane domains and external entities. Labels: Airplane; Aircraft Control; Airline Info. Services; Pass. Info. and Entertain Services (PIES); Pass. Devices; Flight and Embedded Control; Administrative; Pass. Support; Cabin Core; Control Aircraft; Operate Airline; Entertain Passenger; Airline; Airline Approved 3rd Parties; ATSP; Airport; Data Link Services; Air/Ground Broadband Services]

slide8

Step 1.1: Asset Identification

Identify information types.

slide9

Step 1.1: Security Categorization

Initial step to estimate how important security is for system.

slide10

Step 1.2.1: Analyze Risks

Identify threats based on high-level framework.

slide11

Step 1.2.1: Analyze Risks

Assess threat likelihood and severity using High/Medium/Low.

Severity can be derived in part from hazard analysis.

slide12

Step 1.2.2: Identify Policies

Identify policies that may affect security choices.

slide13

Step 1.3: Security Objectives

Identify drivers for selection of security controls.

slide14

Step 2: Security Controls

Select security controls based on needs and objectives.

slide15

Aeronautical Issues with Security Controls

  • The CONOPS touches on many issues specific to the aeronautical industry:
      • Airline IT and maintenance have traditionally been separate
      • Security patches and certification
      • Lack of IT support on aircraft
      • Long lifecycles from design to deployment and use
      • Security and safety
      • Etc.
slide16

Summary

  • The AEEC CONOPS identifies a security process for airlines and discusses many aeronautical security issues
  • Only known standard for overall security process – but can exploit Common Criteria, FISMA, and SCAP
  • Process potentially applicable throughout the aeronautical industry
  • FAA WJHTC Information Security Group is using the process within programs such as NEXCOM, Future Comms Study, CPDLC