FAA Aircraft Systems Information Security Protection (ASISP) Overview, Paper #132


Federal Aviation Administration

Presented to: Integrated Communications, Navigation and Surveillance (ICNS) Conference

Presented by: Peter Skaves, FAA CSTA for Advanced Avionics

Date: April 21, 2015


Many thanks for the help, support, and slide material from:
● Brian Verna, AFS-360
● Steve Paasch, AIR-134
● Varun Khanna, ANM-111

Aviation Safety, Federal Aviation Administration

ASISP Topics
● A rose by any other name...
● Background
● e-Enabled Aircraft
● Potential Risks
● AVS Security Scope
● U.S. Government Services
● Non-Government Services
● Regulations, Policy, Standards and Guidance
● Future Direction of ASISP
● ARP 4754A

A rose by any other name...
We’ve used several terms for security from electronic attacks on networks and systems: network security, information security, systems security, and cyber security. These terms are often used interchangeably, which may cause confusion as to their intended meaning.

A rose by any other name...
We are now trying to standardize on the term Aircraft Systems Information Security Protection (ASISP)…
● …to indicate security from electronic attacks on aircraft networks and systems
We’re talking here only about aircraft: not air traffic services and providers
● U.S. governmental services have their own programs for information security

Background
Prior to the availability of e-Enabled technologies, legacy aircraft have used architectures with limited wired or wireless connectivity to non-governmental service providers.
This is rapidly changing as aircraft are incorporating Wi-Fi, Electronic Flight Bags, wireless Field Loadable Software, real-time aircraft health monitoring and reporting, and Passenger Information and Entertainment Systems.

Background
Aircraft operators and manufacturers have identified potential economic and safety benefits using e-Enabled technology and software applications.
e-Enabled applications will mean increased aircraft connectivity to non-governmental service providers.

Background
Aircraft operators have the option to include a wireless network on e-Enabled aircraft to:
● Remotely upload software parts, aeronautical charts, airplane flight manuals, electronic checklists, performance information, flight plan information, etc., to aircraft systems located anywhere in the world
● Continuously monitor health information from aircraft systems, record data to an onboard maintenance computer, and send information to airlines in real-time

e-Enabled Aircraft, Domains and Connectivity
[Figure: Today’s Aircraft Systems connectivity, grouped into domains. Numbered labels on the figure: 1 A/C External threat; 2 A/C Internal threat; 3 CNS/ATM connectivity. Domains shown: Air Traffic Services (CNS/ATM Network: Command Center, Terminal, En Route, Tower, Control) and Non-Government Services (External Networks, Internet).]

Potential Risks
Examples of potential ASISP risks:
● Erroneous maintenance messages
● Corrupted software loads to aircraft systems
● Malware infecting an aircraft system
● An attacker using onboard wireless to access aircraft system interfaces

Potential Risks
Examples of potential ASISP risks:
● Denial of service of wireless interfaces
● Misuse of personal devices that access aircraft systems
● Misuse of off-board network connections to access aircraft system interfaces
● Denial of service of safety critical systems

AVS Security Scope
● Recent designs for aircraft systems include connectivity to non-governmental services such as the internet, portable electronic devices, and commercial-off-the-shelf technologies that have not been certified and accredited for secure operations by a government authority
● These designs can introduce ASISP vulnerabilities beyond the scope of current airworthiness regulations and traditional systems safety assessment methods typically used to show compliance with the airworthiness requirements located in Title 14 CFR

AVS Security Scope
e-Enabled technologies should be evaluated to ensure that the security controls are as good as, or better than, the aircraft networks, systems, and procedures that they are replacing.

U.S. Government Services
U.S. governmental Air Traffic Services
● Have been certified and accredited in accordance with the Federal Information Security Management Act (FISMA), FAA Order 1370.82A Information Systems Security Program, and the FAA Information Systems Authorization Handbook
● For purposes of ASISP, we consider U.S. government Air Traffic Services to be secure

U.S. Government Services
Examples of government services:
● Global Navigation Satellite Systems (GNSS)
● Automatic Dependent Surveillance – Broadcast (ADS-B)
● Ground Based Navigation Aids
● Instrument Landing Systems (ILS)
● Air Traffic Data and Voice Communications

Non-Government Services
Examples of non-government service providers:
● Airline Networks (Airline Operations Centers)
● Airport Networks (e.g., GATELINK)
● Public Networks (e.g., Internet)
● Data Loaders (e.g., FLS and Databases)
● Wireless Aircraft Sensors and Sensor Networks
● Ground Support Equipment
● Universal Serial Bus (USB) devices
● Portable Electronic Flight Bags
● Cellular Networks

Regulations, Policy, Standards, and Guidance
Regulations
● The following regulations do not specifically address security requirements for aircraft networks and systems
o § xx.1301 Function and Installation
o § xx.1309 Equipment, Systems, and Installation
● EASA published a pre-Regulatory Impact Assessment (RIA); FAA commented; EASA reaction was positive
o We have an approved Aviation Rulemaking Advisory Committee which will convene during March 2015

Aviation Rulemaking Advisory Committee
ARAC
● As a result of the December 18, 2014 ARAC meeting, the FAA assigned the ARAC a new task to provide recommendations regarding ASISP rulemaking, policy and guidance on best practices for aircraft systems, including both certification and continued airworthiness.
● This new ARAC activity is soliciting membership for the new ASISP working group.

Regulations, Policy, Standards and Guidance
Policy
● The FAA issued a Policy Statement for ASISP:
o PS-AIR-21.16-02, Establishment of Special Conditions for Cyber Security, March 6, 2014

Regulations, Policy, Standards and Guidance
Policy
● PS-AIR-21.16-02 quote:
o “The Federal Aviation Administration (FAA) will issue special conditions for initial type certificate (TC), supplemental type certificate (STC), amended TC, or amended STC applications for aircraft systems that directly connect to external services and networks under the following conditions:
1. The external service or network is non-governmental;
2. The aircraft system receives information from the non-governmental service or network; and,
3. The failure effect classification of the aircraft system is “major” or higher.”

Regulations, Policy, Standards and Guidance
Policy
● PS-AIR-21.16-02
o Does not require the issuance of special conditions for airworthiness and operational approval of field loadable software (FLS), aeronautical data bases, and the Aircraft Communications Addressing and Reporting System (ACARS); other policies, standards, and guidance apply

Regulations, Policy, Standards and Guidance
Policy
● We’re focusing, for the most part, on connectivity to the outside

Regulations, Policy, Standards and Guidance
Standards and Guidance
● There are many information processing standards and guidance documents that might be usable in the ASISP context:
o Federal Information Processing Standards (FIPS)
o National Institute of Standards and Technology (NIST)
o International Standards Organization (ISO)

Regulations, Policy, Standards and Guidance
Standards and Guidance
● There are industry activities such as:
o ARINC 811 Commercial Aircraft Information Security Concept of Operation and Process
o ARINC 822 Aircraft/Ground IP Communication (GATELINK822)
o ARINC 834-2 Aircraft Data Interface Function (ADF) for Aircraft Interface Device
o ARINC 835 Guidance for Field Loadable Software Using Digital Signatures
o ARINC 842 Guidance for Using Digital Certificates
o ARINC Network Infrastructure and Security (NIS) Subcommittee (drafts/reports)
o ARINC AGIE/MAGIC Subcommittee (drafts/reports)

Regulations, Policy, Standards and Guidance
Standards and Guidance
● There are industry activities such as:
o A4A (formerly ATA) Spec 42 Aviation Industry Standards for Digital Information Security

Regulations, Policy, Standards and Guidance
Standards and Guidance
● RTCA SC-216 produced the following standard:
o DO-355 Information Security Guidance for Continuing Airworthiness
o AFS-300 plans to invoke the guidance in DO-355

Regulations, Policy, Standards and Guidance
Standards and Guidance
● RTCA SC-216 also produced the following standard:
o DO-326A Airworthiness Security Process Specification
▪ Contains guidance for Aircraft Certification to address information security threats to aircraft safety
▪ Applies only to part 25, Transport Category Airplanes, with a passenger seating configuration of more than 19 seats
▪ Invocation likely limited to part 25 Special Conditions in the near future

Regulations, Policy, Standards and Guidance
Standards and Guidance
● RTCA SC-216 also produced the following standard:
o DO-356 Airworthiness Security Methods and Considerations
▪ A methods companion document to DO-326A
▪ As with DO-326A, applies only to part 25, Transport Category Airplanes, with a passenger seating configuration of more than 19 seats
▪ Invocation also likely limited to part 25 Special Conditions

Future Direction for ASISP
AVS Strategic ASISP Plan (AKA 5 Year Plan) Current Draft
● Obtain recommendations for rulemaking and best practices for FAR Parts 23, 25, 27, 29, including Instructions for Continued Airworthiness
o GAMA has established an ad hoc working group to develop industry recommended best practices for general aviation
o Also need to obtain recommendations on the use of existing industry standards

Future Direction for ASISP
AVS Strategic ASISP Plan Current Draft
● Obtain recommendations for rulemaking and recommended best practices for FAR Parts 23, 25, 27, 29, including Instructions for Continued Airworthiness
o For example, possibly on best practices for wireless Field Loadable Software (FLS) security, automatic fault logging and reporting for ASISP, and EFB / iPad security considerations

Future Direction for ASISP
AVS Strategic ASISP Plan Current Draft
● Obtain recommendations for rulemaking and recommended best practices for FAR Parts 23, 25, 27, 29, including Instructions for Continued Airworthiness
o Instructions for Continued Airworthiness (ICA) for Transport Category Airplanes

Future Direction for ASISP
AVS Strategic ASISP Plan Current Draft
● Update Policy Statement PS-AIR-21.16-02, Establishment of Special Conditions for Cyber-Security, per accepted recommendations
● Revise Special Conditions and Companion Issue Papers per recommendations
● Define RTCA Documents Applicability for ASISP
● Support RTCA follow-on activities for ASISP
● Develop and publish Designee Management guidance and criteria for ASISP

Future Direction for ASISP
AVS Strategic ASISP Plan Current Draft
● Support Research and Development for ASISP
● Develop and publish training materials for ASISP

Future Direction for ASISP
Deciding ASISP placement in the development of aircraft systems requirements
● A separate process on its own, so to speak?
● Or not separate: part of the processes in Society of Automotive Engineers (SAE) Aerospace Recommended Practice (ARP) 4754A, Certification Considerations for Highly Integrated or Complex Aircraft Systems?

ARP 4754A
Describes the Aircraft Systems Engineering Process
● Requirements Capture
● Allocation of Requirements
● Architectural Considerations
● Software Design Assurance Level Determination
● Hardware Design Assurance Level Determination
● Integration

ARP 4754A
Describes the Aircraft Systems Engineering Process
● Safety Assessment Process (high level)
o Functional Hazard Assessment (FHA)
o Preliminary System Safety Assessment
o System Safety Assessment, etc. (e.g., CCA)
● Requirements Validation
● System Verification

ARP 4754A
[Figure: relationship of ARP 4754A to the related safety, hardware and software processes. Development Phase: Safety Assessment Process Guidelines & Methods (ARP 4761); Aircraft & System Development Processes (ARP 4754 / ED-79); Guidelines for Integrated Modular Avionics (DO-297/ED-124); Electronic Hardware Development Life-Cycle (DO-254 / ED-80); Software Development Life-Cycle (DO-178B/ED-12B). In-Service/Operational Phase: Safety Assessment of Aircraft in Commercial Service (ARP 5150 / 5151); System Operation. Flow labels on the figure: Intended Aircraft Function, Failure & Safety Information; Functional System; System Design Information.]

Discussion, Questions, Wrap-up
Contact information:
Peter Skaves, FAA Chief Scientific and Technical Advisor for Advanced Avionics
Peter.skaves@faa.gov
(425) 802 0395