Art Pyster - Center for Software Engineering
THE IMPACT OF COTS COMPONENTS ON BUILDING TRUSTWORTHY SYSTEMS
Arthur Pyster
Deputy Assistant Administrator for Information Services and Deputy Chief Information Officer
February 7, 2001
The FAA’s Job
Each day at 1000 staffed facilities, the FAA manages 30,000 commercial flights, using 40,000 major pieces of equipment, by 48,000 FAA employees, to safely move 2,000,000 passengers.
2/7/01
2
National Airspace System
• ~500 FAA Managed Air Traffic Control Towers
• ~180 Terminal Radar Control Centers
• 20 Enroute Centers
• ~60 Flight Service Stations
• ~40,000 Radars, VORs, Radios, …
CIO’s Security Mission
Protect the FAA’s information infrastructure and help the aviation industry reduce security risks through leadership in innovative information assurance initiatives:
• Establish and lead a comprehensive program to minimize information systems security risks
• Ensure critical systems are certified as secure
• Ensure all FAA staff and contractors know and do what is required to maintain information systems security
• Ensure cyber attacks are detected and repelled and that successful attacks have minimal effect
• Maintain effective outreach to industry, government, and academia
COTS Use within FAA (Part 1)
• >$2B annually in IT acquisitions
• Most recent and planned systems are heavily COTS-based; e.g.
  - FAA Telecommunications Infrastructure
  - National Airspace Systems Information Management System
  - Next generation messaging
• Rapid movement towards TCP/IP-based networking and Oracle-based DBMS
COTS Use within FAA (Part 2)
• Even many “custom” air traffic control systems may be used by air traffic control authorities in many countries
  - CTAS – advises the order in which aircraft should land
• COTS is key to rapid and affordable deployment of new capabilities
• Almost all heavily proprietary systems are old legacy
  - ARTS – primary system for terminal air traffic control
COTS-related System Vulnerabilities (Part 1)
• Source code known to many outside FAA, but not to those inside FAA
• Knowledge of source code not controlled by FAA
• Security often an “afterthought” in commercial systems – security is not often a commercial success criterion
• New releases of software could introduce new vulnerabilities and invalidate old mitigations
• Hackers often go after vulnerabilities in COTS components
COTS-related System Vulnerabilities (Part 2)
• COTS rely heavily on commercial protocols and standards that are widely known, making it easier to exploit vulnerabilities
• Easily available tools and knowledge mean less sophisticated hackers can exploit many vulnerabilities in COTS components
• Generality of COTS components makes them more likely to have vulnerabilities and to introduce new vulnerabilities when integrated with other components.
• Built-in COTS security features can be widely implemented, reducing vulnerability!
Exponential Growth in Security Incidents
Recent CERT-CC Experiences (the slide’s bar chart, reconstructed as a table):

Year   Incidents Handled   Vulnerabilities Reported
1998    3734                262
1999    9859                417
2000   21756                774
FAA’s 5 Layers of System Protection
• Personnel Security
• Physical Security
• Compartmentalization / Information Systems Security
• Site Specific Adaptation
• Redundancy
… and A Generic ISS Service Perspective
• Authentication
• Access Control
• Integrity
• Confidentiality
• Availability
Comprehensive Certification Process
[Figure: process flow diagram; reconstructed from its labels.]
Steps: Conduct Risk & Vulnerability Assessments (Threat, Vulnerabilities, Likelihood, Impact) → Prepare System Certification & Authorization Package (SCAP) → C&A Statements (Certification Statement, Authorization Statement) → Deploy
Roles shown: Sys Developer or Owner; ISS Certifier; CIO Certification Agent; Executive Summary to DAA
SCAP contents: Risk Management Plan, VA Report, IS Security Plan, ISS Test Plan & Summary Results, Protection Profile, Certification Statement
Integrated Facility Security
[Figure: facility security diagram; only its labels are recoverable.] The diagram shows a Secure Facility Boundary with a Personnel and Physical Barrier; Phone lines passing through an Electronic Barrier, with Authenticated & Authorized Traffic reaching Service A, Service B and Service C; and systems inside the boundary labelled DSR, HOST and DARC Manual.
Airport Traffic Control Tower and Airport Surface Movement
[Figure: two-panel architecture diagram, “Current - 2002” and “2003-2005”, showing the ATCT, TRACON and ARTCC and the systems connected to them (STARS LAN, Tower Display Workstation / TDW (STARS Air Traffic Display), AMASS/ASDE-3 WS, Initial SMA (FFP1), TDWR LTWIP, ITWS, AWOS/ASOS, ACARS DL, Tower Datalink-R WS, E-IDS WS (Airport Status & Control), SAIDS, Flight Data I/O, Voice Switch), with information exchange to Airport, AOC (NAS Ops Data), Ramp Control and other FAA facilities, and target data from TRACON/STARS to TDW. Security-related labels recoverable from the figure:]
• Core INFOSEC Requirements, including Risk-driven
• Network Screening Service
• Network Access Control; Strong Auth of NW Users
• Plaintext Interface; Encrypted Interface; Common Network Security Interface
• Virtual Private Network in Selected Towers; O-D VPN over the WAN for Software Updates and Remote Maintenance
• Removal of Malicious Traffic from NW; Extranet Server
• INFOSEC Admin & Management
Selected CTAS Security Measures
• Enable basic security measures in the operating system
• Shut off unused Internet protocols
• Audit system use to detect unauthorized access or operation
• Banners warn users about penalties for misuse
• Virtual Private Network for secure communication
Selected FTI Security Requirements
• Basic Security Services: Confidentiality, Integrity, Availability
• Optional Enhanced Security Services: Strong Authentication, Firewalls, Extranets, VPNs, Enhanced confidentiality and integrity, Closed user groups, Enhanced remote access
Oracle8i Security Features
• User Authentication: DB, external, OS, network, global, N-Tier
• Password Management: account locking, password aging, history and complexity checking
• Fine Grained Access Control: views, PL/SQL API, Virtual Private Database
• Advanced Security Option: data privacy, data integrity, authentication and single sign on, authorization
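The password-management and fine-grained access control features named on this slide are the ones a database owner actually configures when an Oracle-based COTS DBMS enters a certified system. The following is an added example written for this transcript, not code from the presentation or from Oracle; it uses Oracle SQL and PL/SQL constructs that existed in 8i (CREATE PROFILE password limits, a password verify function, and DBMS_RLS for Virtual Private Database). The schema NAS, the tables FLIGHT_PLAN and NAS_USER_FACILITY, the user ATC_OPERATOR, and all function, profile and policy names are hypothetical.

```sql
-- Added example, not from the presentation: Oracle8i password management
-- (account locking, aging, history, complexity checking) and fine grained
-- access control via Virtual Private Database. Schema NAS, tables FLIGHT_PLAN
-- and NAS_USER_FACILITY, user ATC_OPERATOR and all object names are hypothetical.

-- 1. Complexity checking. Oracle calls a password verify function with
--    (username, new password, old password); it must be created by SYS.
CREATE OR REPLACE FUNCTION nas_verify_password (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2
) RETURN BOOLEAN IS
    c         VARCHAR2(1);
    has_digit BOOLEAN := FALSE;
    has_alpha BOOLEAN := FALSE;
BEGIN
    IF LENGTH(password) < 8 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 8 characters');
    END IF;
    IF UPPER(password) = UPPER(username) THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password must differ from the username');
    END IF;
    -- Require at least one letter and one digit (8i has no REGEXP_LIKE).
    FOR i IN 1 .. LENGTH(password) LOOP
        c := SUBSTR(password, i, 1);
        IF c BETWEEN '0' AND '9' THEN
            has_digit := TRUE;
        ELSIF UPPER(c) BETWEEN 'A' AND 'Z' THEN
            has_alpha := TRUE;
        END IF;
    END LOOP;
    IF NOT (has_digit AND has_alpha) THEN
        RAISE_APPLICATION_ERROR(-20003, 'Password needs both letters and digits');
    END IF;
    RETURN TRUE;
END;
/

-- 2. Account locking, password aging and history are profile limits.
--    Time limits are expressed in days, so 1/24 is one hour.
CREATE PROFILE nas_operator_profile LIMIT
    FAILED_LOGIN_ATTEMPTS    5           -- lock after 5 consecutive failures
    PASSWORD_LOCK_TIME       1/24        -- keep the account locked for 1 hour
    PASSWORD_LIFE_TIME       90          -- aging: password expires after 90 days
    PASSWORD_GRACE_TIME      7           -- warn for 7 days before expiry
    PASSWORD_REUSE_MAX       10          -- history: 10 changes before reuse
    PASSWORD_REUSE_TIME      UNLIMITED   -- 8i takes one reuse limit as UNLIMITED
    PASSWORD_VERIFY_FUNCTION nas_verify_password;

ALTER USER atc_operator PROFILE nas_operator_profile;

-- 3. Fine grained access control via Virtual Private Database. The policy
--    function returns a predicate that Oracle appends to every statement of
--    the listed types against NAS.FLIGHT_PLAN, so a session sees only the
--    rows of the facilities its database user is mapped to.
CREATE OR REPLACE FUNCTION flight_plan_policy (
    schema_name IN VARCHAR2,
    object_name IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
    RETURN 'facility_id IN (SELECT facility_id FROM nas.nas_user_facility '
        || 'WHERE db_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END;
/

BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'NAS',
        object_name     => 'FLIGHT_PLAN',
        policy_name     => 'FLIGHT_PLAN_BY_FACILITY',
        function_schema => 'NAS',
        policy_function => 'FLIGHT_PLAN_POLICY',
        statement_types => 'SELECT,UPDATE,DELETE');
END;
/
```

The VPD policy is enforced inside the server, so it holds for every client tool and application that reaches the table, which is the property a certifier wants from a COTS database: the access rule does not depend on each integrated component remembering to filter. The profile limits are checked against the data dictionary (DBA_PROFILES) and the lock state against DBA_USERS during a vulnerability assessment.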
Certifying COTS Components
• ISO Protection Profiles establish standard security requirements for classes of systems such as firewalls, databases, operating systems, and even for a generic information system.
• COTS components can be “certified” for compliance with Protection Profiles by an official body such as the National Information Assurance Partnership.
• Custom components can use tailored versions of COTS-oriented Protection Profiles.
Closing Thoughts
• COTS present new security challenges daily, but use of COTS is key to rapidly and affordably delivering new services.
• The 5 layers of FAA security, implemented through a comprehensive certification process to achieve integrated facility security, ensure the National Airspace System remains protected.
• Greatest COTS research challenges:
  - Testing the security characteristics of black-box COTS components
  - Understanding the security properties of composed COTS components
  - Architecting COTS-based systems for security