Federal Aviation Administration

Similar documents
U.S. DEPARTMENT OF TRANSPORTATION FEDERAL AVIATION ADMINISTRATION. Air Traffic Organization Policy

National Airspace System Security Cyber Architecture

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

FAA Telecommunications Infrastructure (FTI) NAS Boundary Protection System (NBPS) User s Guide. Volume II- For Non-NAS Users

Deploying Firewalls Throughout Your Organization

Chicago Center Fire Contingency Planning and Security Review

Cisco Advanced Services for Network Security

A Systems Approach to Protecting the U.S. Air Traffic Control System Against Cyber-Terrorism

Cisco Which VPN Solution is Right for You?

Bellevue University Cybersecurity Programs & Courses

Solution Guide for Segment 2A

ABB s approach concerning IS Security for Automation Systems

STATEMENT OF SYLVIA BURNS CHIEF INFORMATION OFFICER U.S. DEPARTMENT OF THE INTERIOR BEFORE THE

Reliable, Repeatable, Measurable, Affordable

FAA Cloud Computing Strategy

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

Industrial Security for Process Automation

SpiderCloud E-RAN Security Overview

FAA Cloud Computing Strategy

Cyber Situational Awareness for Enterprise Security

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Cybersecurity Delivering Confidence in the Cyber Domain

Network Services Internet VPN

NETWORK TO NETWORK INTERFACE PLAN

Cisco Unified Network Services: Overcome Obstacles to Cloud-Ready Deployments

Swordfish

How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework

Networking for cloud computing

Cisco Virtualization Experience Infrastructure: Secure the Virtual Desktop

Workflow Guide. Establish Site-to-Site VPN Connection using RSA Keys. For Customers with Sophos Firewall Document Date: November 2015

Software Defined Perimeter Working Group. SDP Hackathon Whitepaper

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Lecture 02b Cloud Computing II

Network Virtualization Network Admission Control Deployment Guide

IT Networking and Security

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Zentera Cloud Federation Network for Hybrid Computing

Network Virtualization

Network Security Topologies. Chapter 11

NRC Cyber Security Policy &

Data Masking Best Practices

Injazat s Managed Services Portfolio

Conceptual Model for Monitoring NextGen FAA Services

How To Secure Your System From Cyber Attacks

Network Security Administrator

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience

Cisco Application Networking for BEA WebLogic

Securing the Intelligent Network

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0

Cisco Application Networking for IBM WebSphere

Defending against modern threats Kruger National Park ICCWS 2015

CONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

The Importance of Cybersecurity Monitoring for Utilities

Enterprise Security Architecture for Cyber Security. M.M.Veeraragaloo 5 th September 2013

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

Adaptive Intelligent Firewall - der nächste Entwicklungssprung der NGFW. Jürgen Seitz Systems Engineering Manager

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

SANS Top 20 Critical Controls for Effective Cyber Defense

Network that Know. Rasmus Andersen Lead Security Sales Specialist North & RESE

How To Secure Your Business

Securely Connect, Network, Access, and Visualize Your Data

Secure Network Design: Designing a DMZ & VPN

Cisco Security Optimization Service

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation

Industrial Security Solutions

Protecting Your Organisation from Targeted Cyber Intrusion

NGFW is yesterdays news what is next in scope for the firewall in the threat intelligence age

Securing Virtual Applications and Servers

NOS for Network Support (903)

Forecast to Industry 2015

Secure networks are crucial for IT systems and their

POLICY ON THE USE OF COMMERCIAL SOLUTIONS TO PROTECT NATIONAL SECURITY SYSTEMS

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

The Protection Mission a constant endeavor

3GPP TS V9.0.0 ( )

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

CYBER SECURITY FOR LONG TERM EVOLUTION

Policy Management: The Avenda Approach To An Essential Network Service

Cisco and Visual Network Systems: Implement an End-to-End Application Performance Management Solution for Managed Services

An introduction to Cryptosoft

Transcription:

Federal Aviation Administration Current Contract Security Capabilities Prepared by: FAA Telecommunications Infrastructure (FTI)-2 Program Office, AJM-3170 Date: October 5, 2015 1

Table of Contents 1.0 Purpose... 3 2.0 Background... 3 3.0 Description of Current Environment... 3 4.0 FAA Critical Challenges... 4 5.0 Questions... 5 2

1.0 Purpose This paper provides an overview of the FAA s existing security capabilities in terms of the security services, architecture and the associated challenges as implemented today under the FAA Telecommunications Infrastructure (FTI) contract and documented in the FTI Telecommunications Services Description (FTSD). 2.0 Background FTI provides a wide range of telecommunications and security services to support operational requirements. FTI services are described in the FTSD and partitioned into service classes having common sets of general performance requirements including Reliability, Maintainability and Availability (RMA) category, latency, call set-up time, call blocking limits, and Service Delivery Point (SDP) to SDP security services. Basic security services for individual telecommunications services are generally an attribute of the telecommunications service class ordered. In some cases additional security features are desired for a particular telecommunication service; these additional security features are ordered as enhanced security service options. The security services for FTI are built to specifications that protect FAA users information within the FTI Wide Area Network (WAN), i.e., from the SDP in one facility to the SDP in another facility. FTI also provides boundary protection security services that enable communications between FAA programs in different domains and communications from any of the FAA domains with non-faa partners, such as airlines, providers of weather products, and non-u.s. Air Traffic Control. FTI security services enable a layered security architecture that includes: (1) a basic set of network security services such as authentication, perimeter security, and intrusion detection; and (2) enhanced network security features, such as enhanced access control lists and extranet gateway services, provide additional protection that are available on a service-by-service basis. The FTI Security Team is responsible for monitoring the heath, status, and configuration of all FTI security management systems and functions. The FTI Security Team has engineered and deployed enhanced monitoring solutions in strategic locations that allow for early detection should an intrusion occur. Dedicated security staff trained in incident detection monitor the network on a 24x7x365 basis and follow strict incident response protocols in the event of an intrusion. The FTI Security Operations Control Center (SOCC) monitors FAA s National Airspace System (NAS) and Administrative traffic for malicious activity utilizing the latest COTS cyber-security technology and FAA-integrated processes and procedures. The FTI SOCC ensures that FTI is hardened and protected from malicious activity. 3.0 Description of Current Environment The FAA employs a Defense-In-Depth approach to secure the FAA systems in the NAS as well as the environments in which the FAA systems operate. FTI provides the FAA s Wide Area Network (WAN) and also provides the boundary protection to the NAS, the NAS Programs are responsible for the individual Local Area Networks (LANs) at each facility and the components connected to those LANs. Increasingly, FAA systems have the need to communicate with non- 3

NAS entities, which is facilitated by the FTI NAS Enterprise Security Gateways (NESGs) that are engineered to provide additional layers of security for NAS systems. To further enhance security, communication is limited to only those non-nas entities that have received approval from the FAA. Multiple layers of separation and controls are implemented between the external environment and the secure NAS environment as shown in Figure 1 below. Figure 1: FAA NAS Defense-In-Depth The NESG architecture is flexible in that it can provide a number of security control combinations to accommodate external users and FAA programs. Ultimately, the gateways provide an important component of a consolidated, centrally managed and secure approach toward enterprise boundary protection. The boundary protection gateways will continue to evolve as NAS systems introduce new technology and standards. 4.0 FAA Critical Challenges A key challenge is the evolution of the FAA s security approach to address the transition to NextGen. The FAA is adapting to assure system and network security using all methods available from acquisition to design to operations. NextGen systems are being designed using industry standards for both security and operations as well as to integrate with the existing NAS approach to security. Designs for NextGen systems consider all elements of the system of 4

systems with attention paid to each interface to understand vulnerabilities and identify mitigating factors. The FAA will also need to continually evolve its NAS Operational IP network with state-of-the-art Boundary Protection capabilities, which provides secure mechanisms for collaboration with partners in a secure and reliable manner. These networking and boundary protection capabilities are being designed and developed in close collaboration with evolving NAS programs, including FAA Cloud Services; i.e. the evolution of NAS cyber security capabilities are being designed in close coordination with evolving NextGen systems and concepts of operations to ensure these new systems can effectively leverage advancements in infrastructure cyber security. 5.0 Questions 1. As FAA Programs increasingly communicate with non-nas entities and more information products are added to the NESG infrastructure, user demand will become more dynamic and difficult to predict. What considerations and potential technical solutions could help manage the FAA s Boundary Protection Gateway resources? 2. From a Defense-In-Depth perspective, should NAS boundary protection be offered as an enterprise service by the telecommunications service provider or provided by an independent entity? 3. As the need for additional end-to-end security monitoring increases, how can this be accomplished while avoiding impact on network performance or significant consumption of network management resources? 4. With the potential leverage of Cloud Processing in the NAS, what considerations or technologies could be helpful in developing an efficient and secure infrastructure for support the transition of some FAA functionality to FAA Cloud Services? Note: The scope of the existing FTI contract does not include Cloud computing services, but FTI is used to provide secure telecommunications connectivity between the Cloud Service Provider s data centers. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information