Cyber Security on Commercial Airplanes

Similar documents
2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

Cybersecurity and Commercial Aviation

Cybersecurity Overview

Aviation Cyber Security Efforts

CYBER SECURITY AIR TRANSPORT IT SUMMIT

Secure Product Design Lifecycle for Connected Vehicles

Troubleshooting and Cyber Protection Josh Wheeler

End-to-End Trust, Segmentation and Segregation in the IIoT

Cybersecurity program & best practices

Cybersecurity, safety and resilience - Airline perspective

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

ANATOMY OF AN ATTACK!

Dell EMC Isolated Recovery

Why you should adopt the NIST Cybersecurity Framework

Securing Your Data ATA Spec 42. Regan Brossard - The Boeing Company June 2017

Designing and Building a Cybersecurity Program

MCGILL UNIVERSITY/PEOPIL CONFERENCE DUBLIN OCTOBER 2018

CISO as Change Agent: Getting to Yes

The NIST Cybersecurity Framework

Cyber Resilience. Think18. Felicity March IBM Corporation

SOLUTIONS BRIEF GOGO AIRBORNE SECURITY SUMMARY 2017 Q3 RELEASE

How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity

Introduction to Cyber Security Issues for Transportation

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Cyber Security Requirements for Supply Chain. June 17, 2015

PREPARE & PREVENT. The SD Comprehensive Cybersecurity Portfolio for Business Aviation

Securing Industrial Control Systems

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

NW NATURAL CYBER SECURITY 2016.JUNE.16

ALTITUDE DOESN T MAKE YOU SAFE. Satcom Direct s Comprehensive Cyber Security Portfolio for Business Aviation

Innovation policy for Industry 4.0

Think Oslo 2018 Where Technology Meets Humanity. Oslo. Felicity March Cyber Resilience - Europe

Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

Maintaining Resiliency Within the Defense Industrial Base Through Preparedness Response and Recovery

Medical Device Cybersecurity: FDA Perspective

How a global industry player addresses the Cybersecurity challenges of Air Transport

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

The Office of Infrastructure Protection

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

What It Takes to be a CISO in 2017

2016 Air Transport IT Summit Cybersecurity - tackling the threat the Airport Approach

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Changing face of endpoint security

Improving SCADA System Security

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Addressing the elephant in the operating room: a look at medical device security programs

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

CompTIA Mobility+ Certification

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

RSA Advanced Cyber Defence Summit

GPS Vulnerability and DHS Mitigation Efforts. David Wulf Acting Deputy Assistant Secretary Infrastructure Protection Department of Homeland Security

Cybersecurity and Communications Based Train Control

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

Cybersmart Buildings: Securing Your Investments in Connectivity and Automation

Digital Health Cyber Security Centre

THE POWER OF TECH-SAVVY BOARDS:

Mark Littlejohn June 23, 2016 DON T GO IT ALONE. Achieving Cyber Security using Managed Services

About Issues in Building the National Strategy for Cybersecurity in Vietnam

Cybersecurity. Securely enabling transformation and change

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

Defense in Depth. Constructing Your Walls for Your Enterprise. Mike D Arezzo Director of Security April 21, 2016

Defensible Security DefSec 101

Industrial Control System Cyber Security

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Critical Infrastructure Partnership

Security Survey Executive Summary October 2008

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP

External Supplier Control Obligations. Cyber Security

0x70 Eric Bärenzung. Cyber risks. in the satellite industry

Statement for the Record

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

Enhancing infrastructure cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Must Have Items for Your Cybersecurity or IT Budget in 2018

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Cyber risk management into the ISM Code

DHS Cybersecurity: Services for State and Local Officials. February 2017

National Policy and Guiding Principles

GUIDELINES ON MARITIME CYBER RISK MANAGEMENT

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Defensible and Beyond

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

PROTECTING ARIZONA AGAINST CYBER THREATS THE ARIZONA CYBERSECURITY TEAM

ACARE WG 4 Security Overview

The Cyber Threat. Bob Gourley, Partner, Cognitio June 22, How we think. 1

Heavy Vehicle Cyber Security Bulletin

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

K12 Cybersecurity Roadmap

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Transcription:

Cyber Security on Commercial Airplanes John Craig Chief Engineer Cabin and Network Systems The Boeing Company October 2014 1

Top ten tips Richard A. Clarke 1. Don t be in denial 2. Don t underestimate the problem 3. Don t be hostile to the government 4. Don t make it an issue buried in the bureaucracy, not just a CIO issue 5. Organize ISACs, sponsor R&D work 6. Think holistically 7. Don t attempt to defend the entire network 8. Identify the crown jewels 9. Look at worse case scenarios 10. Have an industry strategy 2

Cyber events of interest 1982 3 kiloton explosion of a Soviet Pipeline stolen software 1983 The Movie War Games released 2010 Microsoft names new virus Stuxnet 2011 General Michael Hayden, World Affairs Council April 2013 Hugo Tesso presents at Hack in the Box Conference and ACARS exploit September 2014 Target/Home Depot hacked 3

The cyber paradigm An advanced, persistent threat The speed of technology is unprecedented Social Networking has a tag line culture where you are judged in a moment Certification of airborne embedded systems becomes a challenge Perception is reality Wired Magazine 2005 Hacking the Friendly Skies Toyota Recall NASA/NHTSA study American Airlines Tweet Impact to Business Target attack $200M (38M insurance), new CEO, CISO, 46% drop in profit 4Q13 Home Depot Unknown Cyber security will force a new paradigm in aviation 4

A security culture A change in paradigm Aircraft Safety Issues Iterative Repetitive Procedural Sequential Safety Culture Emergent Unexpected Newly Formed Non-Sequential Security Culture 5

Top ten tips Richard A. Clarke 1. Don t be in denial 2. Don t underestimate the problem 3. Don t be hostile to the government 4. Don t make it an issue buried in the bureaucracy, not just a CIO issue 5. Organize ISACs, sponsor R&D work 6. Think holistically 7. Don t attempt to defend the entire network 8. Identify the crown jewels 9. Look at worse case scenarios 10. Have an industry strategy 6

What s our reference point? Board Leadership Understanding of threat and risk State of existing plans Plan forward National Infrastructure Protection Plan Protection of Critical Infrastructure / Key Resources Information Sharing & Analysis Centers (ISACs) Operational concept for sharing information within private sector Physical and cybersecurity focus Cyber Security Frameworks National Institute of Standards & Technology American Institute of Aeronautics & Astronautics 7

Newly-formed aviation ISAC Incorporated September 2014 Building membership International Leveraging other ISACs Services available User access credentials Crisis notification Government, partner and member alerts 24 x 7 watch desk Industry best practices Member contact directory Threat conference calls Trusted email Data feeds A-ISAC governance Membership fee based on revenue 8

Top ten tips Richard A. Clarke 1. Don t be in denial 2. Don t underestimate the problem 3. Don t be hostile to the government 4. Don t make it an issue buried in the bureaucracy, not just a CIO issue 5. Organize, ISACs, sponsor R&D work 6. Think holistically 7. Don t attempt to defend the entire network 8. Identify the crown jewels 9. Look at worse case scenarios 10. Have an industry strategy 9

The complexity of the commercial aviation system www Airline, ATM MRO SW Supplier Supplier Elec Parts IC s 10

Airplane technology is evolving Hardware functions transitioning to software hosted features Advanced features added to airplane ~ 28MB Connectivity demands increasing New connectivity entrants to market Connectivity 2010 None Ku L Band Air/Gnd Connectivity 2014 Ku Ka None L Band Air/Gnd < 1MB 777 787 Data Transmitted (MB / Flight) 11

Evolution of airplane data buses Today s Ethernet-based networks have much more complex protocols ARINC 429 simple one-way data bus that required a transmitter and receiver ARINC 629 protocol that enabled simple data transfer over a singletwisted pair Ethernet complex protocols underneath application data/activity 7 Layers of OSI User 1 Transmit User 1 Receive Application Presentation Session Transport Network Data Link Physical Physical Link System Owner Focus Network Protocols 12

Advanced security architectures Encompass both passenger and emerging operational connectivity Airplane Domain Firewalls/Guards VPN to ground Network Authentication Onboard Network/Log Analysis Secure Kernel Ground Airplane VPN termination Threat Management Plan (TMP) Ground Architecture (comply with TMP) Next Generation Firewalls Virtual Firewalls (Segregation of data) Data Encryption Methodology (From TMP) Machine Learning Secure Kernel Antennas Air to ground Satcom (L-band, Ku/Ka) Radio (VHF / HF) Services Boeing Passenger Operational Ground-based Cellular Terminal Wireless Sneakernet Airline Services 3 rd Parties 13

Top ten tips Richard A. Clarke 1. Don t be in denial 2. Don t underestimate the problem 3. Don t be hostile to the government 4. Don t make it an issue buried in the bureaucracy, not just a CIO issue 5. Organize ISACs, sponsor R&D work 6. Think holistically 7. Don t attempt to defend the entire network 8. Identify the crown jewels 9. Look at worse case scenarios 10. Have an industry strategy 14

Priority areas Defense in Depth Active Management Configuration Control Airborne log analysis Ground log analysis Physical interface AC 25-1309 design assistance DO 178B Software partitioning Domain isolation Maintenance alerting for anomalies Ground infrastructure alerting Information assurance Network interfaces Real time software inventory Deliberate change following regulatory change 15

Managing cyber Industry guidance NIST Cyber Security Framework 1.0 Identify 2.0 Protect 3.0 Detect 4.0 Respond 5.0 Recover 1.1 Asset Management 1.2 Business Environment 1.3 Governance 1.4 Risk Assessment 1.5 Risk Mgmt Strategy 2.1 Access 2.2 Awareness and Control 2.3 Training Data Security 2.52.6 Maintenance Protective Technology 3.1 Anomalies and Events 3.3 Detection Processes 4.1 Response 4.2 Communications Planning 4.3 Analysis 4.4 Mitigation 4.5 Improvements 5.1 Recovery Planning 5.3 Communications National Institute of Standards & Technology AIAA Cyber Security Framework Establish Standards Understand the threat Government & Industry Define design principles Communicate Threats security culture R&D Strengthen the defensive system Define operational principles Incident Reponse American Institute of Aeronautics & Astronautics 16

Top ten tips Richard A. Clarke 1. Don t be in denial 2. Don t underestimate the problem 3. Don t be hostile to the government 4. Don t make it an issue buried in the bureaucracy, not just a CIO issue 5. Organize ISACs, sponsor R&D work 6. Think holistically 7. Don t attempt to defend the entire network 8. Identify the crown jewels 9. Look at worse case scenarios 10. Have an industry strategy 17

The path forward Understand your system Network configuration Layered security security features Assess your maturity NIST Standards, AIAA Framework Incident response Have an incident response plan Leverage industry and partners for help Develop a Security Culture Establish trusting relationships Share information leveraging ISAC s, government, and private partnerships Encourage Good Cyber Hygiene Develop and incorporate advanced security features 18

Thank you 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback