ICAO Symposium Security Overview. EVYYS Juan DOMINGO LOBATO

Similar documents
Cyber Threats, Trends, and Security Configurations. June 2, Shevaun Culmer-Reid, Program Manager

The Protection Mission a constant endeavor

Civil Aviation and CyberSecurity Dr. Daniel P. Johnson Honeywell Aerospace Advanced Technology

Looking at the SANS 20 Critical Security Controls

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Integrated Solution for Onboard Information Management. eenabled Aircraft Solutions

ATM Security. Emergent challenges and opportunities focusing on increasing automation and cyber-security. Antonio Nogueras

IN FLIGHT SECURITY INCIDENT MANAGEMENT

Physical Security of Remote Pilot Stations and Aircrafts (when On Ground)

Jumpstarting Your Security Awareness Program

THE TOP 4 CONTROLS.

Building a More Secure and Prosperous Texas through Expanded Cybersecurity

Security Management. Keeping the IT Security Administrator Busy

Critical Controls for Cyber Security.

Protecting critical infrastructure from Cyber-attack

Check Point and Security Best Practices. December 2013 Presented by David Rawle

State of Oregon. State of Oregon 1

Cyber-hijacking Airplanes:

5 Steps to Advanced Threat Protection

Emerging Threats from Cyber Security in Aviation Challenges and Mitigations

SANS Top 20 Critical Controls for Effective Cyber Defense

The Future Is SECURITY THAT MAKES A DIFFERENCE. Overview of the 20 Critical Controls. Dr. Eric Cole

SCAC Annual Conference. Cybersecurity Demystified

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

Design & Manufacture Seminar SOFTWARE SECURITY & DESIGN ASSURANCE JAYSON ROWE SENIOR ENGINEER AVIONICS

Assessing the Effectiveness of a Cybersecurity Program

Defending Against Data Beaches: Internal Controls for Cybersecurity

Communication, Navigation, Surveillance (CNS) engineers and executives of Airports Authority of India

Mobile Technology: Learn About Managing Mobility

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Code of Practice for Cyber Security in the Built Environment

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Great Now We Have to Secure an Internet of Things. John Pescatore SANS Director, Emerging Security

Electronic Flight Bag: Real-Time Information Across an Airline s Enterprise

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

BOEING 1. Copyright 2015 Boeing. All rights reserved.

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Internet of Things Security Companion to the CIS Critical Security Controls (Version 6)

Application White Listing and Privilege Management: Picking Up Where Antivirus Leaves Off

Protecting Organizations from Cyber Attack

Information Technology Control Framework in the Federal Government Considerations for an Audit Strategy

Global Network Mobility RIPE 48

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

IT Networking and Security

Aerodrome Advisory Circular

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.

Cybersecurity Health Check At A Glance

Supplier Security Assessment Questionnaire

Attachment A. Identification of Risks/Cybersecurity Governance

Aircraft Tracking & Flight Data Recovery

THE UNIVERSAL SECURITY AUDIT PROGRAMME (USAP)

Click to edit Master title style

Enterprise Security Tactical Plan

Opening the European Sky to UAS From military to civilian

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

External Supplier Control Requirements

SUMMARY: The FAA seeks comments on current policy, guidance, and procedures that

DEPARTMENT OF DEFENSE COMMERCIAL AIR TRANSPORTATION QUALITY AND SAFETY REQUIREMENTS INTRODUCTION

Integrating Electronic Security into the Control Systems Environment: differences IT vs. Control Systems. Enzo M. Tieghi

The Connectivity Challenge: Protecting Critical Assets in a Networked World. A Framework for Aviation Cybersecurity. An AIAA Decision Paper

Aircraft Hacking Practical Aero Series

Aerospace Cyber Physical Systems Challenges in Commercial Aviation

Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015

CAUSES OF AIRCRAFT ACCIDENTS

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense

Guideline on Auditing and Log Management

ABB s approach concerning IS Security for Automation Systems

University of Sunderland Business Assurance Information Security Policy

Strategic Plan On-Demand Services April 2, 2015

The Ministry of Information & Communication Technology MICT

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

Emirates Airline. Cargo Security The EK Experience

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

FAA AIRCRAFT SYSTEMS INFORMATION SECURITY PROTECTION OVERVIEW. Abstract

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

State of Montana Montana Board of Crime Control. Agency IT Plan Fiscal Year

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Top Ten Technology Risks Facing Colleges and Universities

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. Session Objectives. Introduction Tom Walsh

OCIE CYBERSECURITY INITIATIVE

Date: 9/30/15 AC No: Initiated by: AFS-300 Change: 0

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Thales Satcom and Connectivity

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Invitation to Dialogue

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

Cybersecurity: What CFO s Need to Know

Qualification Specification. Level 4 Certificate in Cyber Security and Intrusion For Business

ISO 27002:2013 Version Change Summary

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

DRAFT. Date: DRAFT Initiated by: AFS-300

Integration of QMS, SMS,

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ELECTRICAL & POWER DISTRIBUTION

Transcription:

EVYYS Juan DOMINGO LOBATO ICAO Symposium Security Overview

Why we need Security Page 2

PHYSICAL THREAT OUTLOOK Selected Examples (Non exhaustive list) Aircraft misappropriation (seizure) for blackmail purpose or for using it as mass destruction weapon (ex : 9/11) Contamination of crews and passengers with CBRN agents Unruly passenger, Hijacker, Terrorist Electromagnetics Interferences (Impulses Jamming) Laser Illuminations Aircraft ground attacks (ManPADS, lasers, drones,...) Ground attack (Bomb, missile ) Gate Outstation Operations & Dispatch centre Aircraft sabotage on ground (unsecured aircraft vicinity / Insiders) Maintenance & Engineering Centre Improvised Explosive Devices (IED) on board (or incendiary devices) Hangar Aircraft data & parts suppliers Warehouse May-16 Footer

ICAO Symposium RPAS & ATS Security Topics CYBERSECURITY OUTLOOK Selected Examples (non exhaustive) Satellite Communications (SATCOM) Cabin links accessible to passengers (Cabin Wifi, plugs on cabin seats, FAP, bluetooth ) Aircraft - Ground links (HF, VHF, SATCOM ; GPS, ILS ) with in-flight access COTS, Plugs, Wifi Outstation Air/Ground Links ACARS HF & VHF Satcom Aircraft - Ground wireless links (Gatelink, GSM, Wifi, WiMax ) Gate GateLink (Wireless) Operations & Dispatch centre Maintenance & Industrial systems (PMAT, PDL, troubleshooting equipment, USB keys, ITcards ) Aircraft data & parts suppliers Supply chain (Embedded systems security, Transit of Software from Supplier to Aircraft ) Maintenance & Engineering Centre Hangar 4 Warehouse PMAT Page : Portable 4 Maintenance Terminal PDL : Portable Data-Loader FAP : Flight Attendant Panel 4

The reasons of fears Increased passenger connectivity Increased real-time data to operate the A/C Extensive use of connectivity is all the more worrying that, at the same time, economical constraints pushes the community to use General Public Commercial Of The Shelf (GP- COTS) products to support the connectivity needs. Better prediction and reactiveness for improved safety and aircraft operation Non time-critical data Performance analysis and big-data Better prediction of performance trends for sustained aircraft operation Page 5

The e-enabled aircraft : The times they are a Changin!! Simple Proprietary Obscure Isolated Closed Complex Standardized Documented Connected Open An evolution of capabilities but technology can be taken hostage ~144 Millions of new malwares samples recorded in 2014 12 millions per month Flight Operations Maintenance Cabin Crew Passengers Navigation Charts Airport Maps Weather Maps Performance 400.000 Calculations per day Electronic Manuals Technical Logbook 4.5 new malware variant Maintenance Tools Performance Analysis Monitoring Troubleshooting Maintenance Manuals Technical Logbook Cabin Logbook Cabin Management Cabin Systems Control Passenger Lists Electronic Manuals IFE Systems Internet Connectivity Phone Services OnBoard Intranet Service Page 6

Main Security Objectives Confidentiality* (access-controlled sensitive info) Integrity* (accuracy & completeness resources & System) Availability* (access at time resources & System) *Definitions taken from NATO Roadmap Page 7

Safety Vs Security

Aircraft: Always the Last Line of Defense! Intelligence Interdiction Passenger screening Intelligence Interdiction Airline Operations Airplane protection Airport Security CNS/ATM Airplane Page 9

Manufacturer regulatory framework Getting Airworthiness Continued Airworthiness CS-25 Certification Specifications + SC Design DOA Production tests Delivery POA Aircraft in operation TC HOLDER 21A.265 (c) Type Design 21A.165 (c)(1) Production 21A.265 (c) MODifications 21A.139 (v)(xvi) Tests and delivery Corrective actions 21A.139 (v)(xvi) MANO (Manuf. Occurences) 21A.3 (a) Continued Airworthiness Part 21 ICA Part M I S O Design secure Legend Produce secure Maintain secure OPERATORS Page 10

Break-Down Assets The ATM RPAS own assets Aircraft Control Station Data Link The mission and data ATM Hardware Software Networks Personnel Site Organisation RPA Data Link CONTROL STATION Aircraft Payloads Ground Station Page 11

ICAO Symposium RPAS & ATS Security Security Process: Assessment + Assurance Page 12

Information Security Assurance Cyber-Security Best Practices Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Continuous Vulnerability Assessment and Remediation Malware Defenses Application Software Security Wireless Access Control Data Recovery Capability Security Skills Assessment and Appropriate Training to Fill Gaps Page 13

Information Security Assurance Cyber-Security Best Practices Limitation and Control of Network Ports, Protocols, and Services Controlled Use of Administrative Privileges Maintenance, Monitoring, and Analysis of Audit Logs Controlled Access Based on the Need to Know Account Monitoring and Control Data Protection (Encryption/Secure Erasing) Incident Response and Management Secure Network Engineering Penetration Tests and Red Team Exercises Page 14

Conclusions The safe execution of RPAS operations is highly dependent on the security of the RPAS and its environment. Security addresses all aspects (HW, SW, COMMS, Air Traffic,..) that affect RPAS operations. Security shall be involved in the whole lifecycle of the product (design conception, development, production, Customer services, disposal) Exchanging with Aircraft Manufacturers Education, awareness and training to create a security culture Page 15

References Manual on remotely piloted Aircraft Systems First Edition 2015 The Critical Security Controls for Effective Cyber Defense Version 5.0. Roadmap for the integration of civil Remotely-Piloted Aircraft Systems into the European Aviation System NATO Guidelines for the security Risk Assessment and risk management of Communication and Information Systems CIS - AC/35-D/lOl7-REV2 Page 16

Thank you! Any Questions? Page 17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information