THE IMPACT OF COTS COMPONENTS ON BUILDING TRUSTWORTHY SYSTEMS Arthur Pyster
The Impact of COTS Components on Building Trustworthy Systems
Arthur Pyster
Deputy Assistant Administrator for Information Services and
Deputy Chief Information Officer
February 7, 2001
The FAA's Job
Each day at 1000 staffed facilities, the FAA manages 30,000 commercial flights, using 40,000 major pieces of equipment, by 48,000 FAA employees, to safely move 2,000,000 passengers.
National Airspace System
• ~ 500 FAA Managed Air Traffic Control Towers
• ~ 180 Terminal Radar Control Centers
• 20 Enroute Centers
• ~ 60 Flight Service Stations
• ~ 40,000 Radars, VORs, Radios, …
CIO's Security Mission
Establish and lead a comprehensive program to minimize information systems security risks
Ensure critical systems are certified as secure
Ensure all FAA staff and contractors know and do what is required to maintain information systems security
Ensure cyber attacks are detected and repelled and that successful attacks have minimal effect
Maintain effective outreach to industry, government, and academia
Protect the FAA’s information infrastructure and help the aviation industry reduce security risks through leadership in innovative information assurance initiatives
COTS Use within FAA (Part 1)
>$2B annually in IT acquisitions
Most recent and planned systems are heavily COTS-based; e.g.
FAA Telecommunications Infrastructure
National Airspace Systems Information Management System
Next generation messaging
Rapid movement towards TCP/IP-based networking and Oracle-based DBMS
COTS Use within FAA (Part 2)
Even many "custom" air traffic control systems may be used by air traffic control authorities in many countries
  CTAS – advises the order in which aircraft should land
COTS is key to rapid and affordable deployment of new capabilities
Almost all heavily proprietary systems are old legacy
  ARTS – primary system for terminal air traffic control
COTS-related System Vulnerabilities (Part 1)
Source code known to many outside FAA, but not to those inside FAA
Knowledge of source code not controlled by FAA
Security often an "afterthought" in commercial systems – security is not often a commercial success criterion
New releases of software could introduce new vulnerabilities and invalidate old mitigations
Hackers often go after vulnerabilities in COTS components
COTS-related System Vulnerabilities (Part 2)
COTS rely heavily on commercial protocols and standards that are widely known, making it easier to exploit vulnerabilities
Easily available tools and knowledge mean less sophisticated hackers can exploit many vulnerabilities in COTS components
Generality of COTS components makes them more likely to have vulnerabilities and to introduce new vulnerabilities when integrated with other components.
Built-in COTS security features can be widely implemented, reducing vulnerability!
Exponential Growth in Security Incidents
Recent CERT-CC Experiences (chart data):
Year   Vulnerabilities Reported   Incidents Handled
1998   262                        3734
1999   417                        9859
2000   774                        21756
FAA's 5 Layers of System Protection
• Personnel Security
• Physical Security
• Compartmentalization / Information Systems Security
• Site-Specific Adaptation
• Redundancy
All layers rest on Architecture and Engineering Awareness and Execution.
… and A Generic ISS Service Perspective
• Access Control
• Authentication
• Confidentiality
• Integrity
• Availability
Again resting on Architecture and Engineering Awareness and Execution.
Comprehensive Certification Process
[Diagram of the certification workflow:
Roles: System Developer or Owner; ISS Certifier; CIO Certification Agent; DAA.
Inputs to risk assessment: Threat, Vulnerabilities, Likelihood, Impact.
Steps: Conduct Risk & Vulnerability Assessments; Prepare System Certification & Authorization Package (SCAP); C&A Statements to DAA; Deploy.
Artifacts: Risk Management Plan; VA Report; IS Security Plan; ISS Test Plan & Summary Results; Protection Profile; Certification Statement.
SCAP contents: Certification Statement, Authorization Statement, Executive Summary.]
Integrated Facility Security
[Diagram: a Secure Facility Boundary formed by a Personnel and Physical Barrier encloses HOST, DSR and Manual DARC systems. Services A, B and C connect to Shared Networks, Private Networks and Phone lines only across Electronic Barriers, which pass Authenticated & Authorized Traffic.]
Airport Traffic Control Tower and Airport Surface Movement
[Diagram: tower and airport surface-movement systems (ASDE-3, AMASS, STARS tower display workstation, TDWR, AWOS/ASOS, ITWS, ACARS datalink, Tower Datalink-R workstation, SMA/FFP1, E-IDS, SAIDS, voice switch, flight data I/O) and their links to the TRACON/STARS, ARTCC, AOC, airport and ramp control, software updates and remote maintenance, shown for two timeframes: Current–2002 and 2003–2005.
Legend: Core INFOSEC Requirements (including risk-driven requirements); INFOSEC Admin & Management; Network Screening Service; Encrypted Interface; Plaintext Interface; Extranet Server; Removal of Malicious Traffic from Network; O-DVPN (NAS Ops Data Virtual Private Network); NWAC (Network Access Control); Strong Authentication of Network Users; Common Network Security Interface.]
Selected CTAS Security Measures
Enable basic security measures in operating system
Shut off unused Internet protocols
Audit system use to detect unauthorized access or operation
Banners warn users about penalties for misuse
Virtual Private Network for secure communication
Selected FTI Security Requirements
Basic Security Services: Confidentiality, Integrity, Availability
Optional Enhanced Security Services: Strong Authentication, Firewalls, Extranets, VPNs, Enhanced confidentiality and integrity, Closed user groups, Enhanced remote access
Oracle8i Security Features
User Authentication: DB, external, OS, network, global, N-Tier
Password Management: Account locking, password aging, history and complexity checking
Fine Grained Access Control: Views, PL/SQL API, Virtual Private Database
Advanced Security Option: Data Privacy, Data Integrity, Authentication and Single Sign On, Authorization
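As an added illustration (not from the presentation), two of the Oracle8i features listed above expressed as configuration: a password-management profile covering account locking, aging, history and complexity checking, and a Virtual Private Database policy that confines each user to rows for their own facility. The schema, table, user, context and function names are assumed.

```sql
-- Added example. FAA_SEC, FACILITY_STATUS, TOWER_OPS, OPS_CTX and
-- FAC_POLICY are assumed names, not from the presentation.

-- 1. Password management. An account without an explicit profile
--    inherits DEFAULT, whose password limits are all UNLIMITED in
--    Oracle8i unless utlpwdmg.sql has been run: no locking, no aging.
CREATE PROFILE ops_user LIMIT
  FAILED_LOGIN_ATTEMPTS    5          -- lock after 5 failed logins
  PASSWORD_LOCK_TIME       1          -- stay locked for 1 day
  PASSWORD_LIFE_TIME       90         -- aging: expire after 90 days
  PASSWORD_GRACE_TIME      7          -- 7-day warning before expiry
  PASSWORD_REUSE_TIME      365        -- history: no reuse within a year
  PASSWORD_REUSE_MAX       UNLIMITED  -- (8i requires UNLIMITED here)
  PASSWORD_VERIFY_FUNCTION verify_function;  -- complexity check
                                             -- from utlpwdmg.sql
ALTER USER tower_ops PROFILE ops_user;

-- 2. Fine-grained access control with Virtual Private Database.
--    An application context holds the caller's facility; it is assumed
--    to be set at logon by the package OPS_CTX_PKG (not shown).
CREATE CONTEXT ops_ctx USING faa_sec.ops_ctx_pkg;

-- The policy function returns a WHERE predicate that Oracle appends
-- to every statement against the protected table.
CREATE OR REPLACE FUNCTION fac_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN 'facility_id = SYS_CONTEXT(''ops_ctx'', ''facility'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'FAA_SEC',
    object_name     => 'FACILITY_STATUS',
    policy_name     => 'facility_rows_only',
    function_schema => 'FAA_SEC',
    policy_function => 'FAC_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);   -- also veto writes that violate it
END;
/
```

Unlike a view, the policy applies however the table is reached, so a COTS reporting tool querying FACILITY_STATUS directly still sees only the caller's facility.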
Certifying COTS Components
ISO Protection Profiles establish standard security requirements for classes of systems such as firewalls, databases, operating systems, and even for a generic information system
COTS components can be “certified” for compliance with Protection Profiles by an official body such as the National Information Assurance Partnership.
Custom components can use tailored versions of COTS-oriented Protection Profiles.
Closing Thoughts
COTS present new security challenges daily, but use of COTS is key to rapidly and affordably delivering new services.
The five layers of FAA security, implemented through a comprehensive certification process to achieve integrated facility security, ensure the National Airspace System remains protected.
Greatest COTS research challenges:
• Testing the security characteristics of black-box COTS components
• Understanding the security properties of composed COTS components
• Architecting COTS-based systems for security