PowerPoint PresentationThe FAA’s JobNational Airspace SystemCIO’s Security MissionCOTS Use within FAA (Part 1)COTS Use within FAA (Part 2)COTS-related System Vulnerabilities (Part 1)COTS-related System Vulnerabilities (Part 2)Exponential Growth in Security IncidentsFAA’s 5 Layers of System Protection… and A Generic ISS Service PerspectiveSlide 12Integrated Facility SecurityAirport Traffic Control Tower and Airport Surface MovementSelected CTAS Security MeasuresSelected FTI Security RequirementsOracle8i Security FeaturesCertifying COTS ComponentsClosing ThoughtsTHE IMPACT OFTHE IMPACT OFCOTS COMPONENTS COTS COMPONENTS ON BUILDING ON BUILDING TRUSTWORTHY TRUSTWORTHY SYSTEMSSYSTEMSArthur Pyster Deputy Assistant Administrator for Information Services andDeputy Chief Information OfficerFebruary 7, 20012/7/012The FAA’s JobThe FAA’s JobEach day at 1000 staffed facilities, the FAA manages 30,000 commercial flights, using 40,000 major pieces of equipment, by 48,000 FAA employees, to safely move 2,000,000 passengers.2/7/013National Airspace SystemNational Airspace System•~ 500 FAA Managed Air Traffic Control Towers•~ 180 Terminal Radar Control Centers•20 Enroute Centers•~ 60 Flight Service Stations•~ 40,000 Radars, VORs, Radios, …2/7/014CIO’s Security MissionCIO’s Security MissionEstablish and lead a comprehensive program to minimize information systems security risksEnsure critical systems are certified as secureEnsure all FAA staff and contractors know and do what is required to maintain information systems securityEnsure cyber attacks are detected and repelled and that successful attacks have minimal effectMaintain effective outreach to industry, government, and academiaProtect the FAA’s information infrastructure and help the aviation industry reduce security risks through leadership in innovative information assurance initiatives2/7/015COTS Use within FAA (Part 1)COTS Use within FAA (Part 1)>$2B annually in IT acquisitionsMost recent and planned systems are heavily COTS-based; e.g.-FAA Telecommunications Infrastructure-National Airspace Systems Information Management System-Next generation messaging-Rapid movement towards TCP/IP-based networking and Oracle-based DBMS2/7/016COTS Use within FAA (Part 2)COTS Use within FAA (Part 2)Even many “custom” air traffic control systems may be used by air traffic control authorities in many countries-CTAS – advise order in which aircraft should landCOTS is key to rapid and affordable deployment of new capabilitiesAlmost all heavily proprietary systems are old legacy-ARTS – primary system for terminal air traffic control2/7/017COTS-related System VulnerabilitiesCOTS-related System Vulnerabilities(Part 1)(Part 1)Source code known to many outside FAA, but not to those inside FAAKnowledge of source code not controlled by FAASecurity often an “afterthought” in commercial systems – security not often a commercial success criteriaNew releases of software could introduce new vulnerabilities and invalidate old mitigationsHackers often go after vulnerabilities in COTS components2/7/018COTS-related System VulnerabilitiesCOTS-related System Vulnerabilities(Part 2)(Part 2)COTS rely heavily on commercial protocols and standards that are widely known, making it easier to exploit vulnerabilitiesEasily available tools and knowledge mean less sophisticated hackers can exploit many vulnerabilities in COTS componentsGenerality of COTS components makes them more likely to have vulnerabilities and to introduce new vulnerabilities when integrated with other components.Built-in COTS security features can be widely implemented, reducing vulnerability!2/7/019Exponential Growth in Security IncidentsExponential Growth in Security Incidents26241777437349859217560500010000150002000025000VulnerabilitiesReportedIncidents Handled199819992000Recent CERT-CC Experiences2/7/0110FAA’s 5 Layers of System ProtectionFAA’s 5 Layers of System ProtectionPersonnelSecurityPhysicalSecurityCompartmentalization/Information Systems SecuritySite Specific AdaptationRedundancyArchitecture and EngineeringAwareness and Execution2/7/0111… … and A Generic ISS Service Perspectiveand A Generic ISS Service PerspectiveAccessControlConfidentialityAvailabilityArchitecture and EngineeringAwareness and ExecutionAuthenticationIntegrity2/7/0112ISSCertifierSys Developer or OwnerCIO Certification AgentThreatVulnerabilitiesLikelihoodImpactRisk Management PlanVA Report IS Security PlanISS Test Plan & Summary ResultsProtection ProfileCertification StatementPrepareSCAPConduct Risk & VulnerabilityAssessmentsSystem Certification & Authorization Package(SCAP)Package•Certification Statement•Authorization Statement•Executive SummaryC&AStatementsto DAADeployComprehensive Certification ProcessComprehensive Certification Process2/7/0113Integrated Facility SecurityIntegrated Facility SecuritySecureFacilityBoundaryPersonneland PhysicalBarrierShared NetworksService AHOSTManualDARCHOSTService BService CElectronicBarrierPrivate NetworksPhone linesElectronicBarrierDSRAuthenticated& AuthorizedTraffic2/7/0114Airport Traffic Control Tower andAirport Traffic Control Tower and Airport Surface Movement Airport Surface MovementASDE 3• AOC• AIRPORT• RAMP CONTROLInfo ExchangeAir Traffic Control TowerVoiceVoiceSwitchWeather(AWOS/ASOS, ITWS)TDWR LTWIPACARS DLAWOS/ASOSAirport/Runway EquipmentSeparateStatus andControl DevicesTower Datalink-R WSARTCCAMASS &ASDE-3 WSSTARSLANTRACONSTARSLegendCore INFOSE CRequirementsINFOS ECAdmin & ManagementNetworkScreeningSer viceCoreINFOSECRqmtsincludingRisk-drivenTower Display Workstation(STARS Air Traffic Display)Flight DataI/OInitial SMA(FFP1)Weather(SupervisorWorkstation)Integrated DisplaySystem Workstation(SAIDS)In Selected TowersE-IDS WS(Airport Status& Control)SMATDLS-R WSWx (SupervisorWorkstation)TDW(Air Traffic Display)VoiceVoiceSwitchATCT (Local Info. Servicesand LAN Control)X Target Data fromTRACON/STARS to TDWWANO-DVPNO-DVPNO-DVPN• ASDE •Other FAA Facs• TDWR •AWOS/ASOS• ITWS •ACARS DLLocal Wx AWOS/ASOS, ITWS)Software UpdatesRemote MaintenanceAMASS/ASDEATCTLegendCore INFOSECRequirementsCore INFOSECRequirements,including Risk-drivenINFOSECAdmin &ManagementEncrypted InterfacePlaintext InterfaceExtranetServerXRemoval ofMaliciousTraffic from NWO-DVPNNAS Ops DataVirtualPrivate NetworkNetwork
View Full Document