Art Pyster - Center for Software Engineering

Download Report

Transcript Art Pyster - Center for Software Engineering 

THE IMPACT OF
COTS COMPONENTS
ON BUILDING
TRUSTWORTHY
SYSTEMS
Arthur Pyster
Deputy Assistant Administrator for
Information Services and
Deputy Chief Information Officer
February 7, 2001
The FAA’s Job
Each day at 1000 staffed facilities,
the
FAA
manages
30,000
commercial flights, using 40,000
major pieces of equipment, by
48,000 FAA employees, to safely
move 2,000,000 passengers.
2/7/01
2
National Airspace System
• ~ 500 FAA
Managed Air
Traffic Control
Towers
• ~ 180 Terminal
Radar Control
Centers
• 20 Enroute
Centers
• ~ 60 Flight
Service Stations
• ~ 40,000 Radars,
VORs, Radios,
…
2/7/01
3
CIO’s Security Mission
Protect the FAA’s information infrastructure and help the
aviation industry reduce security risks through leadership
in innovative information assurance initiatives

Establish and lead a comprehensive program
minimize information systems security risks

Ensure critical systems are certified as secure

Ensure all FAA staff and contractors know and do what
is required to maintain information systems security

Ensure cyber attacks are detected and repelled and that
successful attacks have minimal effect

Maintain effective outreach to industry, government, and
academia
2/7/01
to
4
COTS Use within FAA (Part 1)

>$2B annually in IT acquisitions

Most recent and planned systems are
heavily COTS-based; e.g.
 FAA Telecommunications Infrastructure
 National Airspace Systems Information
Management System
 Next generation messaging
 Rapid movement towards TCP/IP-based
networking and Oracle-based DBMS
2/7/01
5
COTS Use within FAA (Part 2)

Even many “custom” air traffic control
systems may be used by air traffic control
authorities in many countries
 CTAS – advise order in which aircraft should
land

COTS is key to rapid and affordable
deployment of new capabilities

Almost all heavily proprietary systems are
old legacy
 ARTS – primary system for terminal air traffic
control
2/7/01
6
COTS-related System Vulnerabilities
(Part 1)

Source code known to many outside FAA, but not
to those inside FAA

Knowledge of source code not controlled by FAA

Security often an “afterthought” in commercial
systems – security not often a commercial success
criteria

New releases of software could introduce new
vulnerabilities and invalidate old mitigations

Hackers often go after vulnerabilities in COTS
components
2/7/01
7
COTS-related System Vulnerabilities
(Part 2)

COTS rely heavily on commercial protocols and
standards that are widely known, making it easier to
exploit vulnerabilities

Easily available tools and knowledge mean less
sophisticated hackers can exploit many vulnerabilities
in COTS components

Generality of COTS components makes them more
likely to have vulnerabilities and to introduce new
vulnerabilities when integrated with other components.

Built-in COTS security features can be widely
implemented, reducing vulnerability!
2/7/01
8
Exponential Growth in Security Incidents
Recent CERT-CC Experiences
25000
21756
20000
15000
9859
10000
1998
1999
2000
3734
5000
262 417 774
0
Vulnerabilities
Reported
2/7/01
Incidents
Handled
9
FAA’s 5 Layers of System Protection
Personnel
Security
Physical
Security
Compartmentalization/
Information Systems Security
Site Specific Adaptation
Redundancy
2/7/01
10
… and A Generic ISS Service Perspective
Authentication
Access
Control
Integrity
Confidentiality
Availability
2/7/01
11
Comprehensive Certification Process
Conduct Risk &
Vulnerability
Assessments
Threat
Vulnerabilities
Likelihood
Impact
Prepare
SCAP
System Certification
&
Authorization Package
(SCAP)
Package
Sys Developer
or Owner
ISS
Certifier
C&A
Statements
• Certification
Statement
• Authorization
Statement
CIO
Certification
Agent
• Executive
Summary
to
DAA
2/7/01
Deploy
 Risk Management
Plan
 VA Report
 IS Security Plan
 ISS Test Plan &
Summary Results
 Protection Profile
 Certification
Statement
12
Integrated Facility Security
Phone lines
Electronic
Barrier
Authenticated
& Authorized
Traffic
Service B
Service A
DSR
HOST
HOST
DARC Manual
Service C
Secure
Facility
Boundary
Personnel
and Physical
Barrier
2/7/01
Electronic
Barrier
13
Airport Traffic Control Tower and
Airport Surface Movement
Current -2002
2003-2005
TRACON
ARTCC
ATCT
STARS
Networ k
Screen ing
Ser vice
TDW
(Air Traffic Display )
SMA
STARS
LAN
Legend
Legend
AMASS/ASDE
Tower Display
Workstation
(STARS Air
Traffic Display)
INFOS EC
Admin &
Manag ement
Flight Data
I/O
Core
INFOSEC
Rqmts
including
Risk-driven
Initial SMA
(FFP1)
Network
Screening
Service
Weather
(Supervisor
Workstation)
TDWR LTWIP
ACARS DL
INFOSEC
Admin &
Management
Weather
(AWOS/ASOS,
ITWS)
Airport/Runway
Equipment
Separate
Status and
Control Devices
Integrated Display
System Workstation
(SAIDS)
Info Exchange
• AIRPORT
Local Wx AWOS/
ASOS, ITWS)
Core INFOSEC
Requirements,
including Risk-driven
NW
AC
Wx (Supervisor
Workstation)
TDLS-R WS
Network Access
Control
Voice
S
E-IDS WS
(Airport Status
& Control)
Voice
Switch
Strong
Auth of
NW Users
ATCT (Local Info. Services
and LAN Control)
Encrypted Interface
Tower Datalink-R
WS
AWOS/ASOS
• AOC
NAS Ops Data
Virtual
Private Network
In Selected Towers
Core INFOSE C
Require me nts
O-D
VPN
AMASS &
ASDE-3 WS
ASDE 3
X
PlaintextInterface
Common Network Security Interface
X
Extranet
Server
Removal of
Malicious
Traffic from NW
X
O-D
VPN
NW
AC
Air Traffic Control Tower
Voice
S
Software Updates
Remote
Maintenance
O-D
VPN
WAN
Voice
Switch
• RAMP CONTROL
2/7/01
Core INFOSEC
Requirements
• ASDE •Other FAA Facs
• TDWR •AWOS/ASOS
• ITWS •ACARS DL
O-D
VPN
O-D
VPN
Target Data from
TRACON/STARS to
TDW
14
Selected CTAS Security Measures

Enable basic security measures in operating
system

Shut off unused Internet protocols

Audit system use to detect unauthorized
access or operation

Banners warn users about penalties for misuse

Virtual Private Network for secure
communication
2/7/01
15
Selected FTI Security Requirements

Basic Security Services
 Confidentiality, Integrity, Availability

Optional Enhanced Security Services
 Strong Authentication, Firewalls, Extranets,
VPNs, Enhanced confidentiality and integrity,
Closed user groups, Enhanced remote
access
2/7/01
16
Oracle8i Security Features

User Authentication
 DB, external, OS, network, global, N-Tier

Password Management
 Account locking, password aging, history and
complexity checking

Fine Grained Access Control
 Views, PL/SQL API, Virtual Private Database

Advanced Security Option
 Data Privacy, Data Integrity, Authentication and
Single Sign On, Authorization
2/7/01
17
Certifying COTS Components

ISO Protection Profiles establish standard security
requirements for classes of systems such as
firewalls, databases, operating systems, and even
for a generic information system

COTS components can be “certified” for
compliance with Protection Profiles by an official
body such as the National Information Assurance
Partnership.

Custom components can use tailored versions of
COTS-oriented Protection Profiles.
2/7/01
18
Closing Thoughts

COTS present new security challenges daily, but
use of COTS is key to rapidly and affordably
delivering new services.

The 5-layers of FAA security implemented through
a comprehensive certification process to achieve
integrated facility security ensure the National
Airspace System remains protected.

Greatest COTS research challenges:
 Testing the security characteristics of black-box COTS
components
 Understanding the security properties of composed COTS
components
 Architecting COTS-based systems for security
2/7/01
19