Administration of Aircraft & Related Ground Support Network Security Programs


DRAFT CAAP 232A-1(0)
Civil Aviation Advisory Publication
February 2013

Administration of Aircraft & Related Ground Support Network Security Programs

CAAPs provide guidance, interpretation and explanation on complying with the Civil Aviation Regulations (CAR) or Civil Aviation Orders (CAO).

This CAAP provides advisory information to the aviation industry in support of a particular CAR or CAO. Ordinarily, the CAAP will provide additional "how to" information not found in the source CAR, or elsewhere.

A CAAP is not intended to clarify the intent of a CAR, which must be clear from a reading of the regulation itself, nor may the CAAP contain mandatory requirements not contained in legislation.

Note: Read this advisory publication in conjunction with the appropriate regulations/orders.

The relevant regulations and other references
- CAR 2 and 232A
- CASR Parts 21, 23, 25, 26, 27 and 29
- CAO

This CAAP will be of interest to
This Civil Aviation Advisory Publication (CAAP) applies to all Australian registered aircraft requiring aircraft network security program considerations.

Why this publication was written
This CAAP provides guidance material for the introduction and continued airworthiness of an aircraft network security program.

Status of this CAAP
This is the first CAAP to be written on the subject.

For further information
For application and policy advice contact CASA's (Telephone ).

Contents

1. Acronyms
2. Definitions
3. Background
4. Applicability
5. Aircraft network architecture
6. Threats to aircraft network security program
7. Risk mitigation
8. Security countermeasures
9. Countermeasure methods
Recommended practices
APPENDIX A - Aircraft network security program operator checklist

1. Acronyms

3G/4G - 3rd and 4th generation of mobile phone technology
Set of standards for wireless local area network
AMI - Aircraft Modifiable Information
ARINC - Aeronautical Radio Incorporated
CA - Certificate Authority
CAO - Civil Aviation Order
CASA - Civil Aviation Safety Authority
CRL - Certificate Revocation List
EDS - Electronic Distribution of Software
FAA - Federal Aviation Administration (of the USA)
LAN - Local Area Network
LSP - Loadable Software Part
MIL-STD - United States Military Standard
MSD - Mass-Storage Device
MSP - Media Set Part
NIST - National Institute of Standards and Technology
RTCA - Radio Technical Commission for Aeronautics
TCP/IP - Transmission Control Protocols/Internet Protocols

2. Definitions

3G/4G - 3rd and 4th generation of mobile phone technology. As specified by the International Telecommunications Union (ITU).

Set of standards for wireless local area network. Created by Institute of Electrical and Electronics Engineers (IEEE).

AIRCRAFT MODIFIABLE INFORMATION - Information that an operator is allowed to make without certification approval. The operator generates the AMI data file to specify preferences for functions such as cabin management data recording, report generation and formatting, and services provided to the various passenger seating zones.

ASSETS - Resources of the aircraft and systems which are subject to possible cyber-attack or may be used as part of a cyber-attack, including functions, systems, items, equipment, data, interfaces, and information.

ARINC - Aeronautical Radio Incorporated. Provides standards for avionics equipment.

ATTACK - An assault on the system that derives from an act that is an attempt to violate the security policy of a system. This includes intentional and unintentional acts.

ATTACK VECTOR - The path, interface and actions by which an attacker executes an attack.

ATTACKER - The entity that initiates and directs an attack. This includes intelligent attacker(s) as well as the automatic actions of attack code such as a bot or worm and the authors of such code.

AUTHORISED MANUFACTURER - The Original Equipment Manufacturer (OEM), a Supplementary Type Certificate (STC) holder, or 3rd party organisation approved by OEM or STC holder.

AVAILABILITY - Ensuring authorised users have access to information and associated assets when required.

BLUETOOTH - Wireless protocol for transmission of data over short distances.

CERTIFICATE - A set of data that uniquely identifies a key pair and an owner that is authorised to use the key pair. The certificate contains the owner's public key and possibly other information, and is digitally signed by a Certification Authority (i.e., a trusted party), thereby binding the public key to the owner.

CERTIFICATE AUTHORITY (CA) - The entity in a Public Key Infrastructure (PKI) that is responsible for issuing certificates and exacting compliance with a PKI policy.

CERTIFICATE REVOCATION LIST - Revoked certificates that should not be relied upon.

CRATE - Collection of digital files that can be sent electronically.

CRYPTOGRAPHY - Branch of applied mathematics concerned with transformations of data for security.

DIGITAL SIGNATURE - The result of a cryptographic transformation of data that, when properly implemented, provides a mechanism for verifying origin authentication, data integrity and signatory non-repudiation.

ELECTRONIC DISTRIBUTION OF SOFTWARE (EDS) - Processes whereby aircraft loadable software is moved from a supplier or repository to a remote user site without physical media (wired or wireless).

LOADABLE SOFTWARE PART (LSP) - A software data set (i.e., group of files) designed for transferring into its target hardware without physically altering the hardware.

LOCAL AREA NETWORK (LAN) - Group of computers and associated devices that share a common communications line or wireless link.

MALWARE - Malicious software that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or of otherwise annoying or disrupting the victim.

MASS-STORAGE DEVICE (MSD) - A large capacity nonvolatile storage medium for software or data entities. Example: A hard disc drive or CD-ROM, which contains multiple files, loads, databases, etc.

MEDIA SET PART (MSP) - Where a Loadable Software Part (LSP) is too large for a single media device, multiple media members are used, and the group of media members is referred to as a media set. The media set part number should cover all media members. It is also possible for a media set to hold more than one LSP where a group of LSPs for a particular system may be packaged together.

MIL-STD - United States Military Standard. Standards in equipment for the US Department of Defence.

NIST - National Institute of Standards and Technology.

PRIVATE KEY - A cryptographic key, used in a public-key cryptographic algorithm process, which is uniquely associated with an entity and is secret. The private key is associated with a public key in an association known as a key pair. Depending on the algorithm, the private key may be used to:
- compute the corresponding public key,
- compute a digital signature that may be verified by the corresponding public key,
- decrypt keys that were encrypted by the corresponding public key, or
- compute a shared secret during a key-agreement transaction.

PUBLIC KEY - A cryptographic key that may be known by anyone and, depending on the algorithm, may be used to:
- verify a digital signature that is signed by the corresponding private key,
- encrypt keys that can be decrypted using the corresponding private key, or
- compute a shared secret during a key-agreement transaction.

RTCA - Radio Technical Commission for Aeronautics.

TRANSMISSION CONTROL PROTOCOLS/INTERNET PROTOCOLS (TCP/IP) - TCP verifies the correct delivery of data from client to server. IP moves packets of data from node to node.

3. Background

3.1 The latest generation of aircraft, such as the Boeing 787 and Airbus A350, include aircraft data networks which introduce potential new cyber security vulnerabilities.

3.2 Legacy aircraft design involved the use of data busses such as ARINC 429/629 or MIL-STD. Latest aircraft designs use non-aviation standard TCP/IP to convey a wide variety of digital information including flight critical avionics, passenger information and entertainment systems. Experience has shown that this type of technology is prone to a wide variety of attacks.

Unless properly managed, any networked aviation system, if successfully attacked, can affect aircraft software configuration. Operators must follow the instructions regarding information network security recommended by type certificate holders, CASA regulations and policy in order to remain airworthy.

3.4 Loadable Software Parts or Field Loadable Software are types of software applications used to alter aircraft software configuration. It is important to regard software with the same airworthiness intent as physical based parts. Loadable software parts will require authorised release certificates.

3.5 The handling of these software based parts requires the understanding of some unique concepts. Changes in software applications change the aircraft software configuration.

4. Applicability

4.1 This AC is applicable to aircraft network security program considerations. It provides guidance on the implementation and development, in conjunction with approved authorised manufacturer's instructions, of a program for information network security.

4.2 Legacy aircraft certified with limited external connectivity are not subject to this guidance. Communications & Navigation data links (e.g. radio navigation, ATC systems, or maintenance ground systems) are already covered under existing regulatory guidance & policy.

4.3 Any modification that adds an active external network link (including 3G/4G and/or other wireless methods) to the existing aircraft systems must be assessed for airworthiness security concerns.

4.4 This CAAP provides guidance for compliance with Regulation 232A of Civil Aviation Regulations (CAR) Operational procedures in relation to computers.

5. Aircraft Network Security architecture

5.1 Local Area Network (LAN) systems in an aircraft, and their interconnections with external public networks or wireless connections, expose previously isolated aircraft systems to newer classes of failures. These failures can result from either accidental or intentionally malicious attacks.

5.2 Software is constantly being reviewed and improved. Once a version is certified there are two methods of updating aircraft software applications:
- Ground Support Equipment (GSE) hardwired to the aircraft (e.g. laptop or other data loading device); and
- Wireless connection (3G/4G/802.11/Gatelink ARINC 751 or other similar technology).

5.3 An Electronic Distribution of Software (EDS) Crate is one method currently used to distribute data over unsecured networks between authorised manufacturers and operators. See Figure 1: Crating Process. Electronically generated crates contain Loadable Software Parts or other data. Crates are transported via the internet (see Figure 2: Electronic Distribution of Software) and are then validated at the receiver prior to use.

Figure 1: Crating Process

Figure 2: Electronic Distribution of Software

5.4 Crates can support and protect Loadable Software Parts (LSP) contents, attributes, and related data as well as assuring the authenticity of their source. Crates can also accommodate Media Set Parts (MSP) distribution. MSP is a combination of several software applications for a specific task. One or more MSPs may be included in an EDS crate for distribution.

5.5 The following example of software distribution is typical of the process used to prepare and send software applications and other digital content. See Figure 3: Digital Distribution Process.
- Operator orders the software
- Manufacturer or vendor gathers related digital data to accompany the request
- Manufacturer or vendor builds and digitally signs the crate manifest
- Manufacturer or vendor transfers signed crate to receiver and extends notice of availability
- Operator validates the crate
- Operator extracts crate contents as appropriate
- Operator checks the software application and related digital contents for authenticity and integrity
- Operator stores the software and processes the related digital contents as appropriate
- Operator makes the software available for use

Figure 3: Digital Distribution Process
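The operator-side checks in the distribution process above (validate the crate, then check each part for authenticity and integrity) are shown here in Python, with the manufacturer side included so the flow is complete. This is an added example, not code from the CAAP or from any manufacturer: the crate layout, the `trusted_keys` map standing in for X.509 certificate validation, the revocation set, the serial `SERIAL-0001` and the part name are constructed, and RSA PKCS #1 v1.5 over SHA-256 is implemented with the standard library only so that the example runs offline.

```python
import hashlib
import json
import secrets

# DER DigestInfo prefix for SHA-256 (PKCS #1 v1.5, RFC 8017 section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
E = 65537  # public exponent

def _is_prime(n, rounds=24):  # Miller-Rabin probabilistic primality test
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_key(bits=2048):
    """Constructed demo key pair ((n, e), (n, d)); primes have top two bits and low bit set."""
    primes = []
    while len(primes) < 2:
        c = secrets.randbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
        if (c - 1) % E and c not in primes and _is_prime(c):
            primes.append(c)
    p, q = primes
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def _encode(message, n):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    k = (n.bit_length() + 7) // 8
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def verify(message, signature, public):
    n, e = public
    return (isinstance(signature, int) and 0 <= signature < n
            and pow(signature, e, n) == _encode(message, n))

def make_manifest(parts, signer_serial):
    """Canonical manifest bytes: signer serial plus a SHA-256 digest per part."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in parts.items()}
    return json.dumps({"signer_serial": signer_serial, "parts": digests}, sort_keys=True).encode()

def build_crate(parts, private, signer_serial):
    """Manufacturer side: sign the manifest and package it with the parts."""
    n, d = private
    manifest = make_manifest(parts, signer_serial)
    return {"manifest": manifest, "signature": pow(_encode(manifest, n), d, n), "parts": dict(parts)}

def validate_crate(crate, trusted_keys, crl):
    """Operator side: return findings; an empty list means the crate is accepted."""
    try:
        manifest = json.loads(crate["manifest"])
        serial, listed = manifest["signer_serial"], manifest["parts"]
        if not (isinstance(serial, str) and isinstance(listed, dict)):
            raise ValueError("unexpected manifest field types")
    except (KeyError, TypeError, ValueError):
        return ["manifest unreadable"]
    if serial in crl:  # revoked signer: reject before anything else is trusted
        return [f"signer certificate {serial} is revoked"]
    public = trusted_keys.get(serial)
    if public is None or not verify(crate["manifest"], crate.get("signature"), public):
        return ["manifest signature invalid or signer unknown"]
    findings = []
    for name in sorted(set(listed) | set(crate["parts"])):
        data = crate["parts"].get(name)
        if name not in listed:
            findings.append(f"{name}: not listed in signed manifest")
        elif data is None or hashlib.sha256(data).hexdigest() != listed[name]:
            findings.append(f"{name}: missing or digest mismatch")
    return findings

def demo():
    """Constructed crate checked four ways: intact, tampered, forged, revoked."""
    public, private = generate_key()
    serial, name = "SERIAL-0001", "LSP-EXAMPLE-001.bin"  # constructed values
    crate = build_crate({name: b"constructed loadable software part"}, private, serial)
    trusted = {serial: public}
    tampered = dict(crate, parts={name: b"modified in transit"})
    # The manifest digest is rewritten to match, but the old signature is kept.
    forged = dict(tampered, manifest=make_manifest(tampered["parts"], serial))
    return {
        "intact": validate_crate(crate, trusted, set()),
        "tampered_part": validate_crate(tampered, trusted, set()),
        "forged_manifest": validate_crate(forged, trusted, set()),
        "revoked_signer": validate_crate(crate, trusted, {serial}),
    }

if __name__ == "__main__":
    print(demo())
```

In an operational system the signature and certificate handling would come from a vetted PKI library and the manufacturer's published certificates and revocation list; the order of checks (revocation, signature, then per-part digests) is the point of the example.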

6. Threats to aircraft network security program

6.1 Information security threats that can potentially impair the ability of digital systems to operate properly are manageable risks.

6.2 The assets can include functions, systems, items, resources, data, interfaces and information which are associated with airworthiness or airworthiness security. The goal of the aircraft network security program is to protect the airworthiness of the equipment (aircraft, aircraft system, or item) from attacks on data and interfaces, both intentional and unintentional.

6.3 Credible examples of potential misuse include:
- Infection of an aircraft system from Malware (Malicious software).
- An attacker can use onboard wireless to access aircraft system interfaces.
- Denial of service of wireless interfaces.
- Denial of service of safety critical systems.
- Misuse of personal devices that could potentially access aircraft systems.
- Misuse of off-board network connections to access aircraft system interfaces.

6.4 A successfully executed attack can have an adverse effect on the aircraft and its occupants. A threat condition can lead to a failure condition. The difference is that a threat condition will occur through a willful action. Threats can cause a wide variety of failures; see Table 1: Types of Failures.

Table 1: Types of Failures

General Threat Identifier: Failure
Aircraft Data Network Threat: Safe state of the aircraft system could be compromised in the event of a security penetration
Example of operational impact: Access to the flight controls by unauthorized individuals affecting safety

General Threat Identifier: Denial
Aircraft Data Network Threat: Aircraft system resources exhausted due to denial of service attack, system error, malicious actions
Example of operational impact: Critical services disrupted by system overload or traffic jamming

General Threat Identifier: Access Control
Aircraft Data Network Threat: Individual other than an authorized user may gain access to the aircraft system via unauthorised controller, masquerade or spoofing system error or an attack for malicious purposes
Example of operational impact: Unauthorized Access

General Threat Identifier: Passive Attack
Aircraft Data Network Threat: Snooping or eavesdropping compromising security (misdirection). Flaws in security policies may lead to back door access
Example of operational impact: Unauthorized corruption or destruction of data causing unsafe flight conditions

6.5 Threat sources are the potential for an attack from external dependencies. The attack vector represents the possible ways to compromise aircraft information networks.

6.6 Examples of possible attack vectors include:
- Software distribution using malware,
- Wireless interfaces,
- Remote access interfaces,

- External system dependencies.

6.7 Ground Support Equipment (GSE) that is hardwired to the aircraft poses fewer security risks than a wireless connection when this equipment has integrity checking incorporated. A laptop or other similar device used for data uploading and downloading should be treated in a similar manner to using a portable data loader. Some aircraft software may require storage or staging on the aircraft's on-board data repository prior to installation.

6.8 There are various levels to an aircraft network security program on an aircraft. Each progressive level has a higher level of interaction between other systems. See Table 2: Aircraft levels of system interaction.

Table 2: Aircraft levels of system interaction

Level - Examples
Aircraft level - Combinations of integrated aircraft systems, aircraft networks, maintenance concepts
System level - Wheel Braking System, Flight Control Network, Control Surface Sensing System, Central Communications System, Maintenance System, In-Flight Entertainment System
Item level - Wheels, Network Controller, Flight Surface Sensing Module, Router, Wireless Access Point, In-Seat Entertainment Unit

6.9 Operators should address the dependency of airworthiness security on external systems.
- Identify external data interface access points, both wired and wireless.
- Determine any threat sources to aircraft systems.
- Determine how external data interfaces can be potentially attacked, adversely affecting aircraft systems.
- Apply any mitigation required to reduce any potential threats and vulnerabilities.
- Establish the security risk caused by a successful attack and the likelihood / plausibility of such a success. The mitigations must be sufficient to make the scenario unlikely or implausible.

A threat to an aircraft computer network system has the same priority as a failure. Many threat conditions can represent a loss of a security service for an asset, such as loss of integrity, loss of availability, or loss of confidentiality. Various threat conditions will require documentation through the risk assessment process.

Adverse safety effects can occur from either failure of aircraft systems or a cyber-attack on aircraft systems. Security countermeasures are one method used to protect the assets of the aircraft or system from a potential cyber-attack.

If a cyber-attack occurs on an aircraft system, it is also important to determine details about how the security countermeasures were overcome. It is important to determine any features or conditions of the aircraft equipment that were exploited by the cyber-attack, and the operational conditions at the time which exposed the equipment to attack.

An attacker may exploit features and weaknesses present in the equipment itself to attack it and other systems. Vulnerabilities may exist through inadequate operational controls or procedures, despite the equipment being constructed correctly to an appropriate specification. Vulnerabilities may exist because of inadequate controls with external software providers.

An attack succeeds according to a threat scenario when:
- There was an attack during operation and/or maintenance of the equipment.
- Operational conditions exposed the vulnerabilities to the attack.
- Attacker exploited any vulnerability.
- Security countermeasures failed to prevent an attack.

As a result, the threat conditions are established and the airworthiness is adversely affected. It is possible for an attack to take place while the aircraft is in maintenance but not manifest until the aircraft is in service, or to result in undetected (latent) failures that occur over multiple flights.

An attacker can be in the form of:
- Computer hackers;
- Automatic hacking or Bot network operators;
- Criminal groups;
- Foreign intelligence services;
- Insiders;
- Phishers (individuals or groups attempting to steal identity or information for monetary gain);
- Spammers (solicitation of hidden or false information);
- Spyware/Malware (Programs that are used to snoop for information or malicious software);
- Terrorists; and
- Industrial Espionage.

7. Risk mitigation

7.1 The operator should establish a security assessment (see Table 3: Risk Assessment Matrix) in accordance with the Risk Matrix in RTCA/DO-326. This assessment identifies potential threats and determines their impact. Any safety-related aircraft network security program risks, which could adversely affect the safety of flight, require addressing and mitigating. Compliance with aircraft network security program requirements shows compliance with required aircraft configuration.

Table 3: Risk Assessment Matrix

Risk Level Safety Effect

Would have no effect on safety; for example, would not affect the operational capability of the aircraft or increase crew workload.

Minor - Would not significantly reduce aircraft safety. Crew actions are well within their capabilities. May include, for example, a minor reduction in safety margins or functional capabilities, a slight increase in crew workload, such as routine flight plan changes, or some physical discomfort to passengers or cabin crew.

Major - Would reduce the capability of the aircraft or the ability of the crew to cope with adverse operating conditions to the extent that there would be, for example, a major reduction in safety margins or functional capabilities, a significant increase in crew workload or in conditions impairing crew efficiency, or discomfort to the flight crew, or physical distress to passengers or cabin crew, possibly including injuries.

Hazardous - Would reduce the capability of the aircraft or the ability of the crew to cope with adverse operating conditions, to the extent that there would be:
- a hazardous reduction in safety margins or functional capabilities;
- physical distress or excessive workload such that the flight crew might not be relied upon to perform their tasks accurately or completely; or
- serious or fatal injury to a relatively small number of the occupants other than the flight crew.

Catastrophic - Would result in multiple fatalities, usually with the loss of the aircraft.

Threat Scenario Likelihood

Frequent - Anticipated to occur routinely in the life of each aircraft.

Probable - Not frequent, but anticipated to occur one or more times in the life of each aircraft.

Remote - Unlikely to occur to each aircraft during its total life but may occur several times when considering the total operational life of a number of all aircraft of the type.

Extremely Remote - Not anticipated to occur to each aircraft during its total life but which may occur a few times when considering the total operational life of all aircraft of the type.

Extremely Improbable - So unlikely that they are not anticipated to occur during the entire operational life of all aircraft of one type.

A security risk assessment is not complete until it includes the effects of all intended security controls and agreements with any 3rd party organisations. The risk analysis process is, to some extent, a subjective process. Operators must consider impacts that might result from technical failures, malevolent third parties, public misunderstandings and human error.

Operators should consider wider ranges of possible threat scenarios in seeking to determine what the potential harms are associated with aircraft configuration and airworthiness. It is better to be over-inclusive with risks than under-inclusive in conducting this analysis. Changes to company policy may be required to mitigate particular risks by reducing the likelihood that they will occur.

While computer hacking once required a fair amount of skill or computer knowledge, attackers can now download attack scripts and protocols from internet sources and launch them against victim equipment.

The operator must periodically reassess the aircraft network security program to ensure that the security requirements continue to be valid. Changes in technology or changes to the operator's business processes can possibly affect the validity of an aircraft network security program.

Risk monitoring on an ongoing basis provides organisations with the means to:
- Verify compliance;
- Determine the effectiveness of risk response measures; and
- Identify risk-impacting changes to organisational information systems and the environments in which those systems operate.

Maintaining risk assessments includes the following specific tasks:
- Monitoring risk factors identified in risk assessments on an ongoing basis and understanding subsequent changes to those factors; and
- Updating key components of risk assessments.

Operators should review and consider the information in An Introduction to Computer Security: The NIST Handbook, (NIST SP ) and also Risk Management Guide for Information Technology, (NIST SP ).

8. Security countermeasures

8.1 Security countermeasures can involve both aircraft equipment and organisational procedures. The means of mitigation should include preventative and restorative countermeasures. Documentation of countermeasures may be included in the documentation from the Original Equipment Manufacturer (OEM).

8.2 Countermeasures can exist at various levels on the aircraft:
- aircraft level security countermeasures implemented through systems or organisational procedures;
- system level security countermeasures implemented through items or organisational procedures; and
- item level security countermeasures implemented within items or organisational procedures.

8.3 There is an assurance in countermeasures when:
- There is a reduction in the occurrence of successful attack when the countermeasures are working as intended (strength of mechanism).
- Countermeasures work as intended (implementation assurance).

8.4 Risks also may require mitigation when dealing with external 3rd party organisations. Integrity of data is required when involving operations, maintenance, and management of security countermeasures as determined in company policy and procedures.

8.5 Characterisation of the attacker may include:
- Type of the attacker (e.g. human, external organizations, external systems, external networks and interfaces, virus, worm, Trojanised website).
- Access available to the attacker (e.g. what data access points or locations they are authorised to use).
- Types of attacks the attacker will conduct (e.g. co-option, disruption, denial of service, access to proprietary data).
- Depth of knowledge about the aircraft systems that is available to the attacker.

8.6 Examples of equipment used to cause an attack on aircraft computer network systems can include:
- Commercial workstation or networks of workstations.
- Aircraft proprietary equipment or applications.
- Custom-designed attack hardware.
- Publicly available attack applications.
- Laptops, tablets or other similar devices with wired or wireless connectivity.

Transferring data in order to change aircraft configuration must always be in accordance with approved data. It is reasonable to expect an attack using commercial off-the-shelf equipment to occur during the lifetime of the aircraft. Protection of wireless nodes involves the use of authentication of users and data encryption.

8.8 The approved data used to change the aircraft configuration must be correct, consistent and complete. It is paramount that the operator establishes good practices over aircraft software & network security in a manner similar to IT security of an organisation.

9. Countermeasure methods

9.1 Encryption

An encryption process transforms intelligible data, called plaintext, into an unintelligible form, called ciphertext, by the use of a key. See Figure 4: Encryption process.

Figure 4: Encryption process

Decryption (see Figure 5: Decryption process) reverses this process, back to plaintext. Once data is encrypted, the ciphertext does not require protection against disclosure. If the ciphertext changes in any way, it will not decrypt correctly. Cryptography can therefore detect both intentional and unintentional modification. Cryptography does not, however, prevent files from being modified, accidentally or deliberately.

Figure 5: Decryption process

Public Key Infrastructure (PKI) X.509 is one example of encryption. PKI is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

In order to decrypt a file, a key pair is required (see Figure 6: Public Key Encryption). The public key is widely distributed, whilst only the recipient has access to the private key. The public key is used to verify signatures. Anyone can verify a correctly signed message using the public key. Decryption of an encrypted file utilises a private key. Security of the private key is important to keep the plaintext secret.

Figure 6: Public Key Encryption

A digital signature is the electronic equivalent of a written signature. The digital signature provides assurance that the claimed signatory has signed the file. Detection of any modification of a signed data file is an advantage of digital signatures. Data changed in any way will result in a different checksum or message digest. A changed file will result in failure of the validation process.

The digital signature can be stored or sent with the data or application. Digital signatures have an advantage that they can cryptographically bind an electronic identity to a file. The digital signature cannot be copied to another document. Authorised manufacturers apply digital signatures to software applications for source authentication and for proof of software integrity. A digital certificate is an electronic identification file that establishes and verifies credentials when performing electronic transactions over an untrusted network like the internet.

Note: For more information on PKI refer to Introduction to Public Key Technology and the Federal PKI Infrastructure, NIST Special Publication.

Security Logs

An aircraft network security program should be monitored with security logs. Computer security logs are audit logs that track any user authentication attempts. Security device logs are utilised to record any possible attacks on hardware. Log management is essential to ensure that computer security records are stored in sufficient detail for an appropriate period.

Routine log analysis, by either manual or automatic methods, is beneficial for identifying:
- security incidents;
- policy violations;
- fraudulent activity; and
- operational problems.

Logs are also useful when performing auditing functions, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. These logs may be useful in learning information which may prevent unauthorised access. A fundamental problem with log management is balancing a limited quantity of log management resources with a continuous supply of log data. Automatic methods for log analysis are recommended to reduce this burden.

Analysis of logs can be a proactive process by identifying ongoing activity and looking for signs of any impending problems. An example of an impending problem could be failures to authenticate or log in users. The value of logs is significantly reduced without sound processes in place for analysis.

It can be difficult to detect a compromised network, but some patterns might be visible that warrant further investigation. Examples of signs that an attack could be taking place:
- Unusually heavy network traffic;
- Out of disk space or significantly reduced free disk space;
- Unusually high CPU usage;
- Creation of new user accounts;
- Attempted or actual use of administrator-level accounts;
- Locked-out accounts;
- Account in use when an authorised user is not at work;
- Cleared log files;
- Full log files with unusually large number of events;
- Antivirus or other alerts;
- Disabled antivirus software and other security controls;
- Unexpected update changes;
- Machines connecting to outside IP addresses;
- Requests for information about the system (social engineering attempts);
- Unexpected changes in configuration settings; and
- Unexpected system shutdowns.

A certificate revocation list (CRL) in PKI controls unauthorised users. A CRL is a list of revoked certificates and includes a list of serial numbers for keys. For revoked certificates, an operator needs to establish an agreed process between authorised users and authorised manufacturers.

9.3 Physical Access Control

Physical Access Control seeks to limit physical access to aircraft network data ports. If physical security measures are inadequate, logical access controls may be circumvented by directly accessing the aircraft systems.

Access to any hardware required for data transfer (e.g. laptop or tablet) should also be subject to tight controls. To monitor traffic on a wired network an attacker would have to gain physical access to the network via an access point.
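The automatic log analysis recommended in the Security Logs section can start as a small rule set over authentication and audit events. The following is an added example, not part of the CAAP, covering six of the listed indicators; the key=value log layout, event names, roster, account names and thresholds are all assumptions made for illustration.

```python
"""Rule-based review of audit events for indicators named in the Security Logs section."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. The layout and event names are assumptions.
SAMPLE_LOG = """\
2013-02-11T01:58:10 host=gse-laptop-3 event=AUTH_FAIL user=jsmith
2013-02-11T01:58:40 host=gse-laptop-3 event=AUTH_FAIL user=jsmith
2013-02-11T01:59:05 host=gse-laptop-3 event=AUTH_FAIL user=jsmith
2013-02-11T01:59:06 host=gse-laptop-3 event=ACCOUNT_LOCKED user=jsmith
2013-02-11T02:14:07 host=gse-server-1 event=AUTH_OK user=admin
2013-02-11T02:15:30 host=gse-server-1 event=ACCOUNT_CREATED user=admin target=tmp01
2013-02-11T02:20:00 host=gse-server-1 event=LOG_CLEARED user=admin
2013-02-11T09:00:12 host=gse-laptop-2 event=AUTH_FAIL user=mlee
2013-02-11T09:00:30 host=gse-laptop-2 event=AUTH_OK user=mlee
corrupted line without timestamp
"""

# Assumed roster: hours (24h clock) in which each authorised user is at work.
ROSTER = {"jsmith": (6, 18), "mlee": (6, 18), "admin": (8, 17)}
ADMIN_ACCOUNTS = {"admin"}            # assumed administrator-level accounts
FAIL_THRESHOLD = 3                    # failures that trigger a finding
FAIL_WINDOW = timedelta(minutes=5)    # period in which they must occur


def parse_line(line):
    """Return (timestamp, fields) or None when the line is malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return (ts, fields) if "event" in fields else None


def analyse(log_text, roster=ROSTER):
    """Return a list of (timestamp, indicator, subject) findings in log order."""
    findings = []
    recent_failures = defaultdict(deque)   # user -> failure times inside the window
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1                  # damaged records are counted, not dropped
            continue
        ts, f = parsed
        event, user = f["event"], f.get("user", "?")
        if event == "AUTH_FAIL":
            window = recent_failures[user]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                findings.append((ts, "repeated-auth-failure", user))
                window.clear()             # one finding per burst of failures
        elif event == "AUTH_OK":
            recent_failures[user].clear()
            if user in ADMIN_ACCOUNTS:
                findings.append((ts, "admin-account-use", user))
            hours = roster.get(user)       # no roster entry: never expected
            if hours is None or not hours[0] <= ts.hour < hours[1]:
                findings.append((ts, "out-of-hours-use", user))
        elif event == "ACCOUNT_LOCKED":
            findings.append((ts, "account-locked", user))
        elif event == "ACCOUNT_CREATED":
            findings.append((ts, "new-account", f.get("target", user)))
        elif event == "LOG_CLEARED":
            findings.append((ts, "log-cleared", user))
    if unparsed:
        findings.append((None, "unparsed-lines", str(unparsed)))
    return findings


if __name__ == "__main__":
    for ts, indicator, subject in analyse(SAMPLE_LOG):
        print(ts.isoformat() if ts else "-", indicator, subject)
```

Lines that fail to parse are reported rather than skipped silently, because damaged or truncated records are themselves worth a reviewer's attention.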

Wireless Access Control

The most significant difference between protecting wireless and wired networks is the relative ease of intercepting wireless network transmissions and inserting new or altered transmissions that appear to come from an authentic source. For a wireless network, an attacker simply needs to be within range of the wireless transmissions.

The location of antennae used for wireless communication is important in order to minimise exposure to the wireless network and nodes. Attackers can also use highly powerful directional antennae to extend a wireless network beyond the expected standard range.

Wireless access points and servers should be located on an isolated network with minimal connections to public networks. Devices can connect to several other devices simultaneously (e.g. 3G/4G, LAN, Bluetooth). Wireless nodes also broadcast identifiers; these identifiers should be disabled if possible, in order to prevent casual snooping.

There are 2 types of wireless-specific attacks: passive and active attacks.
- Passive attack: an attack in which an unauthorised party only monitors wireless communications. The attacker does not generate, alter, or disrupt wireless communications. There are two types of passive attacks:
  º Eavesdropping: The attacker monitors wireless data transmissions for message content.
  º Traffic analysis: The attacker gains intelligence by monitoring the transmissions for patterns of communication. A considerable amount of information is contained in the flow of messages between communicating parties.
  Passive attacks provide no information for an operator to monitor electronically, as there are no transmissions from the attacker. It is important that any data remains encrypted when being sent wirelessly, so any data intercepted cannot be deciphered.
- Active attack: an attack in which an unauthorised party generates, alters, or disrupts wireless communications. All forms of an active attack are detectable through monitoring. Active attacks may take the form of one of the following types:
  º Masquerading: The attacker impersonates an authorised user to gain access to certain unauthorised privileges.
  º Replay: The attacker monitors transmissions (passive attack) and retransmits messages posing as the legitimate user.
  º Message modification: The attacker alters a legitimate message by deleting, adding to, changing, or reordering the message.
  º Denial of service (DoS): A DoS can occur inadvertently, such as other electronic devices causing interference, or it can occur intentionally, such as an attacker sending large numbers of messages at a high rate to flood the wireless network.
  º Misappropriation: The attacker steals or makes other unauthorised use of wireless services.

Operators should perform the same vulnerability monitoring for wireless software applications that they do for any other installed software. Identify any updates for wireless software applications and apply updates where required. Security configuration settings need to be verified and adjusted as needed. Any network devices that are not authorised need to be disabled, so that an unauthorised device cannot be enabled or circumvent any restrictions.

Preventative controls for user access are generally preferable to detective controls, but it is even stronger to use both preventative and detective controls together.

9.5 Password Control

Password control is considered the simplest and most common form of user authentication. Password vulnerabilities can be reduced by using an active password checker that prohibits weak, recently used, or commonly used passwords. Ensuring the confidentiality of passwords is considerably more challenging and involves a number of security controls.

Changing passwords periodically also slightly reduces the risk posed by cracking. Password strength is based on several factors, including password complexity, password length, and user knowledge of strong password requirements. Operators should consider which factors are enforceable when establishing policy requirements for password strength, and also whether or not users will need to memorise the passwords.

Password expiration is also a source of frustration to authorised users, who are often required to create and remember new passwords on a regular basis for dozens of accounts, and thus tend to choose weak passwords.

Another weakness is the ease of third-party eavesdropping or passive attacks. Passwords transmitted over networks need protection from sniffing threats by encrypting the passwords or the communications containing them, or by other suitable means.

Password guessing attacks can be mitigated rather easily by ensuring passwords are complex and by limiting authentication attempts.

A specialised form of password is known as a passphrase. This is a relatively long password consisting of a series of words, such as a phrase or a full sentence. An example of a passphrase is "Securityismy#1Priority!". The motivation for passphrases is that they can be longer than single-word passwords but easier to remember than a sequence of random letters, digits, and special characters.

Operators should protect the confidentiality of user identifiers, such as usernames or login IDs. Concealing identifiers makes it harder for attackers to perform targeted attacks.

There are 4 groups of password vulnerabilities:
- Capturing: an attacker acquires a password from storage, transmission, or user knowledge and behaviour. Passwords should not be stored in plaintext unless security controls can be applied. Examples of these controls can be:
  º Encrypting files that contain passwords.
  º Restrictions of access to files that contain passwords.
  º Storage of cryptographic hashes or message digests for authentication instead of actual passwords.
- Guessing: There are several forms of guessing:
  º brute force attack: the attacker attempts to guess the password using all possible combinations of characters;
  º dictionary attack: the attacker attempts to guess the password using a list of possible passwords; and
  º hybrid attack: combination of brute force and dictionary attack.
- Password Recovery: Password resets are also performed when a new account is created or when a password is forgotten.
- Social Engineering: Attackers may be able to trick users into unauthorised changes by using social engineering techniques. Another potential problem is that a malicious insider, such as a disgruntled current or former employee, may know valid passwords and share them with other parties.

10. Recommended practices

10.1 Changes from manufacturer

Software loads are considered an aircraft component and any changes are a maintenance action. Aircraft network security program implementation forms part of the aircraft type design. Any changes are to be via a service bulletin or Part 21.M approval.

Operators must demonstrate how they comply with the OEM instructions concerning aircraft network security program. Any changes in the OEM aircraft network security program will require implementation within 90 days depending on any risk assessments to determine any urgency. Expediency with aircraft computer network updates will reduce any vulnerability.

Document any changes that are allowable for operators to make, via an Airline Modifiable Information process in their procedures manuals.

Devices used to implement updates or changes

Controls are required for any devices (e.g. laptops or tablets) that update or change aircraft configuration. Only authorised personnel should access these devices. There needs to be a process in place for dealing with loss or corruption of these devices. Aircraft data networks and operator data networks used for this purpose must have protection against any unauthorised devices. These devices may include personal laptops, tablet type devices or other technology.

Risk Assessments

Initial and ongoing risk assessments are required, to assess capability for potential data corruption. Where deficiencies in risk assessment are highlighted, appropriate mitigation is required. Mitigation may require changes in an operator's policy. Bypassed security countermeasures will require analysis for any causal factors. Risk analysis is also applicable to external software providers that are not currently authorised software providers.

When an aircraft is undergoing maintenance, all safety precautions must be followed when implementing any changes to the aircraft configuration. During updating of software, automated changes or actions may occur. Adherence to safety precautions is a requirement.

Countermeasures

Documentation is required for countermeasures assurance. This information is on a confidential basis, and should not be common knowledge in the organisation. Limiting countermeasure knowledge in the organisation will mitigate unauthorised access. Wireless nodes require protection from unauthorised access.

Any wireless service providers used for transfer of data must be evaluated for security risks. These must be documented in policies and procedures.

Validation of EDS crates

Any EDS crates used for storage of data need validation of authenticity prior to usage. Otherwise, a process for validating authenticity of EDS crates with authorised manufacturers is required. Responsibility for verifying authenticity of software from the OEM rests with the operator. Aircraft configuration and software used for this purpose will require protection from data damage. This may include damage by unauthorised users, viruses or other malware, which will affect data integrity. Operators must follow instructions from authorised manufacturers. Any crates that are unable to be validated must be destroyed.

Logs and retention of records

Operators must establish a log of authorised users who have access to change or alter aircraft configuration. Logs are also required for any users who have access to alter security configurations. Software required for altering an aircraft configuration must have an appropriately licensed person install the software. Keep any records of any changes to aircraft configuration for the life of the aircraft. Changes to aircraft configuration are required in accordance with CAO 100.5, under item 5 Retention of Aircraft Maintenance Records. However, in this application the documentation may be a data file. Operators will need to have a process in place that restricts any unauthorised software.

Protection of keys and certificates

An operator has a responsibility to protect private keys and certificates from unauthorised access, disclosure or modification. Public keys require protection from unauthorised tampering or modification. A password management process is required if passwords are a form of access control used. Documentation of this password management process and details of training for authorised users is required. A clearly documented and risk assessed approach is required for password loss or recovery. Password management should also address social engineering attacks and methods for mitigation. A process is required to deal with expired or invalid digital signatures and certificates. This process requires documentation in the operator's procedures and in conjunction with the authorised manufacturer's instructions.

Current configuration report

A process needs to be in place for producing an authorised current configuration report for the aircraft. The operator must be able to verify the aircraft meets this authorised configuration.

Administrator

An appointed administrator is responsible for controlling the organisation of data for aircraft network security program. This can be a separate role from control of aircraft configuration, which is an engineering function. The role of an administrator in this application is similar in requirement to an IT administrator. See Figure 7: Example of administration functions.

This role will be responsible in the organisation for:
- Managing any lost or stolen GSE devices that are required for changing aircraft configuration.
- Create and control authorised user accounts.
- Decommission equipment or parts in a way that no data is recoverable from them.
- Provide logs, reports or other data to CASA as required.
- Maintain a password management program for users.
- Maintain records for equipment usage.
- Restrict any services, protocols, connections or nodes that are not required.
- Control access and utilisation for associated hardware required for aircraft network security program.
- Quarantine any crates or files that contain invalid digital signatures, until there is a way of verifying the contents are authorised. Any invalidated crates must be deleted.
- Control of any cryptographic keys used in aircraft network security program.
- Control of any aircraft network security program certificate expiration dates.
- Ordering of aircraft software applications required for maintenance or modification of the aircraft configuration.
- Verify software applications and identify any issues with associated hardware used for their installation.
- Ensure suitable staging of software parts that will change aircraft configuration in a secure area, prior to installation on aircraft by appropriately licensed Maintenance Engineers.
- Retain and monitor aircraft network security program logs for a minimum period of 90 days.
- Retain any changes to the aircraft configuration in accordance with CAO.
- Keep track of any changes required by the authorised manufacturer's software security processes.
- Update digital signatures if required for aircraft network security program.
- Monitor any expiration of digital signatures.
- Eliminate any viruses or other malware that could affect the aircraft and/or systems required for the aircraft configuration.
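For the password management program above, an added example (not part of the CAAP) of the active password checker described under Password Control: it rejects weak, commonly used and recently used passwords, and stores only salted hashes rather than the passwords themselves. The minimum length, history depth, deny list, class rule and the `PasswordStore` name are assumptions chosen for illustration.

```python
"""Active password checker with hashed password history (illustrative policy values)."""
import hashlib
import hmac
import os

# Constructed short deny list; a real deployment would load a much larger one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12             # assumed policy value
HISTORY_DEPTH = 5           # assumed number of previous passwords that may not be reused
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest); only this pair is ever stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password, record):
    """Constant-time comparison of a candidate password against a stored record."""
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class PasswordStore:
    def __init__(self):
        self._history = {}  # username -> list of (salt, digest), newest last

    def check(self, username, new_password):
        """Return the reasons a password is rejected; an empty list means acceptable."""
        reasons = []
        lowered = new_password.lower()
        if len(new_password) < MIN_LENGTH:
            reasons.append("too short")
        if lowered in COMMON_PASSWORDS:
            reasons.append("commonly used")
        if username and username.lower() in lowered:
            reasons.append("contains the user identifier")
        classes = sum([
            any(c.islower() for c in new_password),
            any(c.isupper() for c in new_password),
            any(c.isdigit() for c in new_password),
            any(not c.isalnum() for c in new_password),
        ])
        if classes < 3:
            reasons.append("too few character classes")
        if any(matches(new_password, rec) for rec in self._history.get(username, [])):
            reasons.append("recently used")
        return reasons

    def set_password(self, username, new_password):
        """Store the password hash if the policy accepts it; return rejection reasons."""
        reasons = self.check(username, new_password)
        if reasons:
            return reasons
        history = self._history.setdefault(username, [])
        history.append(hash_password(new_password))
        del history[:-HISTORY_DEPTH]   # keep only the most recent entries
        return []

    def verify(self, username, password):
        """Authenticate against the current (newest) stored hash."""
        history = self._history.get(username)
        return bool(history) and matches(password, history[-1])


if __name__ == "__main__":
    store = PasswordStore()
    print(store.set_password("jsmith", "Securityismy#1Priority!"))  # passphrase from the text
    print(store.check("jsmith", "Securityismy#1Priority!"))
    print(store.check("jsmith", "password"))
```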


Wireless Security with Cyberoam

Wireless Security with Cyberoam White paper Cyberoam UTM Wireless Security with Cyberoam Robust, Fault-tolerant security is a must for companies sporting wireless networks. Cyberoam UTM strengthens the existing Wireless Security Architecture

More information

Security Issues with Integrated Smart Buildings

Security Issues with Integrated Smart Buildings Security Issues with Integrated Smart Buildings Jim Sinopoli, Managing Principal Smart Buildings, LLC The building automation industry is now at a point where we have legitimate and reasonable concern

More information

Date: 9/30/15 AC No: 119-1 Initiated by: AFS-300 Change: 0

Date: 9/30/15 AC No: 119-1 Initiated by: AFS-300 Change: 0 U.S. Department of Transportation Federal Aviation Administration Subject: Airworthiness and Operational Authorization of Aircraft Network Security Program (ANSP) Advisory Circular Date: 9/30/15 AC No:

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...

More information

Network Security: Introduction

Network Security: Introduction Network Security: Introduction 1. Network security models 2. Vulnerabilities, threats and attacks 3. Basic types of attacks 4. Managing network security 1. Network security models Security Security has

More information

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States

More information

USB Portable Storage Device: Security Problem Definition Summary

USB Portable Storage Device: Security Problem Definition Summary USB Portable Storage Device: Security Problem Definition Summary Introduction The USB Portable Storage Device (hereafter referred to as the device or the TOE ) is a portable storage device that provides

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

More information

Chapter 1: Introduction

Chapter 1: Introduction Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure

More information

Guidelines Related To Electronic Communication And Use Of Secure E-mail Central Information Management Unit Office of the Prime Minister

Guidelines Related To Electronic Communication And Use Of Secure E-mail Central Information Management Unit Office of the Prime Minister Guidelines Related To Electronic Communication And Use Of Secure E-mail Central Information Management Unit Office of the Prime Minister Central Information Management Unit Office of the Prime Minister

More information

GAO INFORMATION SECURITY. Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains. Report to Congressional Requesters

GAO INFORMATION SECURITY. Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains. Report to Congressional Requesters GAO United States Government Accountability Office Report to Congressional Requesters June 2008 INFORMATION SECURITY Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information.

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information. Cyber Security. Environment, Solutions and Case study. Special Telecommunications Service David Gabriel, Buciu Adrian Contact: gdavid13@sts.ro adibuciu@sts.ro Environment Network/services can be damaged

More information

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016 National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy Version 1.1 February 2, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents TABLE OF CONTENTS I 1 INTRODUCTION

More information

Austin Peay State University

Austin Peay State University 1 Austin Peay State University Identity Theft Operating Standards (APSUITOS) I. PROGRAM ADOPTION Austin Peay State University establishes Identity Theft Operating Standards pursuant to the Federal Trade

More information

DRAFT Advisory Circular

DRAFT Advisory Circular DRAFT Advisory Circular AC 11-3(0) OCTOBER 2012 ELECTRONICALLY FORMATTED CERTIFICATIONS, RECORDS AND MANAGEMENT SYSTEMS CONTENTS 1. References 1 2. Purpose 1 3. Status of this AC 2 4. Acronyms 2 5. Definitions

More information

Fundamentals of Network Security - Theory and Practice-

Fundamentals of Network Security - Theory and Practice- Fundamentals of Network Security - Theory and Practice- Program: Day 1... 1 1. General Security Concepts... 1 2. Identifying Potential Risks... 1 Day 2... 2 3. Infrastructure and Connectivity... 2 4. Monitoring

More information

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure) Cryptelo Drive Cryptelo Drive is a virtual drive, where your most sensitive data can be stored. Protect documents, contracts, business know-how, or photographs - in short, anything that must be kept safe.

More information

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits) Page 1 of 6 Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits) TNCC Cybersecurity Program web page: http://tncc.edu/programs/cyber-security Course Description: Encompasses

More information

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals Learning Objective Explain the concepts of information systems security (ISS) as applied to an IT infrastructure.

More information

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING 6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING The following is a general checklist for the audit of Network Administration and Security. Sl.no Checklist Process 1. Is there an Information

More information

Procedure Title: TennDent HIPAA Security Awareness and Training

Procedure Title: TennDent HIPAA Security Awareness and Training Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary

More information

Wireless Network Security

Wireless Network Security Wireless Network Security Bhavik Doshi Privacy and Security Winter 2008-09 Instructor: Prof. Warren R. Carithers Due on: February 5, 2009 Table of Contents Sr. No. Topic Page No. 1. Introduction 3 2. An

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

Security Implications Associated with Mass Notification Systems

Security Implications Associated with Mass Notification Systems Security Implications Associated with Mass Notification Systems Overview Cyber infrastructure: Includes electronic information and communications systems and services and the information contained in these

More information

Database Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG

Database Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG Database Security Guideline Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG Table of Contents Chapter 1 Introduction... 4 1.1 Objective... 4 1.2 Prerequisites of this Guideline...

More information

Use of The Information Services Active Directory Service (AD) Code of Practice

Use of The Information Services Active Directory Service (AD) Code of Practice Use of The Information Services Active Directory Service (AD) Code of Practice Introduction This code of practice is intended to support the Information Security Policy of the University and should be

More information

Adobe Systems Software Ireland Ltd

Adobe Systems Software Ireland Ltd Adobe Systems Software Ireland Ltd Own motion investigation report 13/00007 Timothy Pilgrim, Australian Privacy Commissioner Contents Overview... 2 Background... 3 Relevant provisions of the Privacy Act...

More information

Juniper Networks Secure

Juniper Networks Secure White Paper Juniper Networks Secure Development Lifecycle Six Practices for Improving Product Security Copyright 2013, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3 Introduction...3

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

BUCKEYE EXPRESS HIGH SPEED INTERNET SERVICE ACCEPTABLE USE POLICY

BUCKEYE EXPRESS HIGH SPEED INTERNET SERVICE ACCEPTABLE USE POLICY BUCKEYE EXPRESS HIGH SPEED INTERNET SERVICE ACCEPTABLE USE POLICY The Acceptable Use Policy ("the Policy") governs use of the Buckeye Express High Speed Internet Service ("the Service"). All subscribers

More information

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 Table of Contents Introduction AMI Communication Architecture Security Threats Security

More information

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系 資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系 Outline Infosec, COMPUSEC, COMSEC, and Network Security Why do we need Infosec and COMSEC? Security

More information

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

More information

Codes of Connection for Devices Connected to Newcastle University ICT Network

Codes of Connection for Devices Connected to Newcastle University ICT Network Code of Connection (CoCo) for Devices Connected to the University s Author Information Security Officer (Technical) Version V1.1 Date 23 April 2015 Introduction This Code of Connection (CoCo) establishes

More information