Chantier « Sécurité et Vie Privée

Aircraft System Security: Evolutions and Perspectives Chantier « Sécurité et Vie Privée » Bertrand LECONTE 7 June 2018

Transcript of Chantier « Sécurité et Vie Privée

Page 1: Chantier « Sécurité et Vie Privée

Aircraft System Security: Evolutions and Perspectives
Chantier « Sécurité et Vie Privée »

Bertrand LECONTE
7 June 2018

Page 2: Chantier « Sécurité et Vie Privée

© AIRBUS Operations S.A.S. All rights reserved. Confidential and proprietary document.

June 2018 Aircraft System Security: Evolutions and Perspectives

History

Aircraft Cyber Security

Perspectives

Page 3: Chantier « Sécurité et Vie Privée


History

Aircraft Cyber Security

Perspectives

Page 4: Chantier « Sécurité et Vie Privée


Timeline

1890: Clément ADER
1903: WRIGHT brothers
1919: KLM creation
1933: Air France creation
1933: First known hijacking
1944: ICAO – OACI
18/12/70: Airbus creation

A300: FF 28/10/72, EIS 23/05/74
A320: FF 22/02/87, EIS 18/04/88
A330: FF 02/11/92, EIS 17/01/94
A380: FF 27/04/05, EIS 25/10/07
A350: FF 14/06/13, EIS 15/01/15

Page 5: Chantier « Sécurité et Vie Privée


Safety vs Security

Safety
– Relative to all hazard events and errors
– Impacts on properties (aircraft fly ability…) and people’s health (injuries, casualties)
– Accidental failure (or bug)
Probabilistic approach is possible

Security
– Relative to deliberate and malicious acts
– Airbus stakes
  – Aircraft operation safety
  – Operational reliability (delays…)
  – Commercial and business interests
  – Branding (Airlines or Airbus)
– Threats evolution – mostly external sources (knowledge)
No probabilistic approach possible

Page 6: Chantier « Sécurité et Vie Privée


A320 & A330 Avionics

Avionics: Aviation Electronics
– Set of controls, sensors, computers, actuators

25+ ATA chapters
– 21 Air conditioning
– 22 Auto flight
– 23 Communications
– 24 Electrical power
– 27 Flight controls
– 28 Fuel
– 32 Landing gear
– 34 Navigation
– 42 Integrated Modular Avionics
– 44 Cabin systems
– 45 Maintenance system
– 46 Information systems

Systems are mainly independent

ARINC 429 bus
– Unidirectional, point to multi-point
– 32 bits at a time: 8-bit label and 19-bit data
  – Single value per label: speed, altitude…
– Quite low speed: 100 Kbps

Simple, Proprietary, Obscure, Isolated, Closed

Page 7: Chantier « Sécurité et Vie Privée


A380 & A350 Avionics

Avionics Full DupleX – AFDX
– Deterministic Ethernet
– Based on Virtual Links
  – Unidirectional, point to multi-points
  – Switches are enforcing Virtual Links and properties
  – Bi-directional communication needs two VL

Integrated Modular Avionics
– ARINC 653 API
– Time and Space partitioning
– Incremental certification

Open World

Complex, Standardized, Documented, Connected, Open

Software parts (A320, A330, A380, A350): ~30, ~100, ~300, ~450

VL – Virtual Links
API – Application Programmable Interface

Page 8: Chantier « Sécurité et Vie Privée


Digital transformation

Mandatory for all industries
– Aircraft too

Digital continuity

Integration of different Information Systems
– Airlines, maintainers, airport, authorities, passengers…

Big data…

Expands surface of exposure of aircraft systems and data to cyber threats

Page 9: Chantier « Sécurité et Vie Privée


ARINC 664 – Aircraft domains

Aircraft Control Domain
‒ Everything that controls the aircraft
‒ Highest level of Safety
‒ Classic Avionics

Airline Information Service Domain
‒ Service to airlines, flight support, maintenance support, cabin support

Passengers Information and Entertainment Service Domain
‒ Services oriented toward passengers
‒ IFE, Internet onboard…

Passenger Owned Devices
‒ All devices owned by passengers and connected to the aircraft

[Figure (Source: ARINC 664): Aircraft Control Domain (Control the Aircraft, CLOSED); Airline Information Service Domain (Operate the Aircraft, PRIVATE); Passengers Information and Entertainment Service Domain (Inform and Entertain the passenger, PUBLIC); Passengers Owned Devices. Blocks shown: Flight and Embedded Control Systems, Cabin Core Systems, Administrative functions, Flight Support, Cabin Support, Maintenance Support, IFE, On-board Web access, Passenger Internet, Passenger Device Interface, and an Air / Ground Network Interface per domain (VHF/HF/Satcom, Wireless, Satcom/cellular).]

Page 10: Chantier « Sécurité et Vie Privée


History

Aircraft Cyber Security

Perspectives

Page 11: Chantier « Sécurité et Vie Privée


Regulated industry

Regulations are for all stakeholders
– Aircraft manufacturers, Airlines, Airports, Maintenance & Repair organizations…
– Pilots, Maintainers, Controllers…

Authorities
– For aircraft certifications (EASA, FAA)
– For operational approvals (National AA)

Currently Data Security is not yet addressed by CS-25/Part-25
– CRI (Certification Review Item) and IP (Issue Paper)
– Special Condition: the rule
– Means of Compliance

Regulatory framework and regulations are evolving
– International (ICAO), regional (EASA, FAA), industrial committees (RTCA, EUROCAE), national
– Not only aeronautical regulations: GDPR and NIS directives
– Will include product specification (CS-25) but also organizations (Implementing Rules – IR 21/M/145…)

CRI – Certification Review Item
IP – Issue Paper
ICA – Instruction for Continued Airworthiness

Page 12: Chantier « Sécurité et Vie Privée


Aircraft security level during life time

Environment hostility increases over time
‒ New attack techniques are found and published
‒ Attackers get more knowledgeable
‒ Computers used for attacks get more and more powerful

System weaknesses arise over time
‒ Vulnerabilities in COTS get published
‒ Knowledge about system details leaks over time

Aircraft security risk level naturally increases over time

[Images: Edinburgh Castle (Source: geograph.org.uk); Fire control post for medium and heavy batteries, Heerenduin, Ijmuiden, The Netherlands (© Jonathan Andrew)]

Page 13: Chantier « Sécurité et Vie Privée


Risk analysis principle

Risk = Impact × Likelihood

[Figure: risk matrix. Likelihood axis: Very Likely, Likely, Unlikely, Very Unlikely, Extremely Unlikely. Impact axis: No, Low, Med, Strong, Very Strong.]

Threat evaluation
• Preparation means
• Window of Opportunity
• Execution Means
• Attacker profile

[Figure: risk analysis flow. Labels: Functions, Architecture, Environment, Security expertise, Asset, Threats Scenarios, Could damage, Security Impact, Likelihood, RISK, Security Objective, Security measures, Defined for, Discussion, Risk accepted, as needed.]

Page 14: Chantier « Sécurité et Vie Privée


Environment and assumptions

Environment identifies threat source profile to be considered

Trust environment has to be defined
– Without any trust, nothing is possible, impossible to protect from everything and everyone

Airline people are by default trusted
– Flight crews
– Cabin crews
– Maintainers

Nevertheless, by default the e-tools they use are not trusted
– Laptops (EFB, PMAT), tablets…
– USB sticks, SD cards…

Communications are by default not trusted

Page 15: Chantier « Sécurité et Vie Privée


Security engineering

Writing security specification is a nightmare
– Plain Requirement Based Engineering is not enough

Need for other activities

Page 16: Chantier « Sécurité et Vie Privée


Threats to counter
Food for thought for protection

What can be done with what you functionally allow
‒ If you can ask nicely to perform a bad action, why bother doing something else?

Attacks can be on infrastructure and software too
‒ Buffer overflow attacks and others…

Denial of Services
‒ Resource exhaustion
‒ Flooding

Attacks on communication means
‒ Spoofing
‒ Man in the Middle
‒ Jamming

Degraded & backup modes
‒ They are simpler and not necessarily protected

Monitoring & administration systems
‒ They access all systems
‒ They are a central point of attack
‒ They could allow easy remote control
‒ Front face plugs can be a threat too

Data loading
‒ If the attacker can change the software used, why protect…?
‒ It’s a central point of attack

Page 17: Chantier « Sécurité et Vie Privée


Aircraft Protection Principles

Provide two security barriers in front of critical assets

Ensure that no common vulnerability can affect the two barriers

Provide at least one security barrier on any identified attack path

Security barrier must be fail-secure and not possible to bypass

System must be delivered free of malicious code

Security Assurance needed for all developments

Vulnerability management must be done during all product life


Page 18: Chantier « Sécurité et Vie Privée


Aircraft Protection Principles
Digital signature of software

Field Loadable Software
– Field: not in supplier’s premises, can be done on aircraft
– Loadable: can be changed or updated without specific tooling, without opening the box
– Software: Executables, configuration and customization files, databases

Need to ensure
– Origin: FLS has been produced by an authorized supplier
– Integrity: FLS has not been modified since production by the supplier

[Figure: software transfer from Supplier to Aircraft by any means. Labels: Supplier’s certificate, Root certificate.]
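The origin and integrity checks above, as an added example (not Airbus code and not part of the original slides): a root key certifies the supplier's key, the supplier signs the part, and the aircraft-side check accepts a part only if both signatures verify against the root public key. Ed25519, the flattened certificate fields, the names Supplier-A and PN-DEMO-1 and the fixed-seed keys are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// FLSPackage is what reaches the aircraft, by any transfer means.
type FLSPackage struct {
	PartNumber, Supplier string
	Payload, Sig         []byte            // part, and the supplier's signature over it
	SupplierPub          ed25519.PublicKey // with CertSig: stand-in for the supplier's certificate
	CertSig              []byte            // root's signature over Supplier and SupplierPub
}

// body builds a signed message; the length-prefixed label keeps fields from shifting.
func body(kind, label string, data []byte) []byte {
	return append([]byte(fmt.Sprintf("%s|%d|%s|", kind, len(label), label)), data...)
}

// Certify (root authority) and Sign (supplier) both run on the ground.
func Certify(root ed25519.PrivateKey, supplier string, pub ed25519.PublicKey) []byte {
	return ed25519.Sign(root, body("cert", supplier, pub))
}
func Sign(sup ed25519.PrivateKey, certSig []byte, supplier, pn string, img []byte) FLSPackage {
	pub := sup.Public().(ed25519.PublicKey)
	return FLSPackage{pn, supplier, img, ed25519.Sign(sup, body("fls", pn, img)), pub, certSig}
}

// Verify is the aircraft-side check: it trusts only rootPub and fails closed.
func Verify(rootPub ed25519.PublicKey, p FLSPackage) error {
	if len(p.SupplierPub) != ed25519.PublicKeySize || // ed25519.Verify panics on a bad length
		!ed25519.Verify(rootPub, body("cert", p.Supplier, p.SupplierPub), p.CertSig) {
		return fmt.Errorf("origin: supplier key not certified by root")
	}
	if !ed25519.Verify(p.SupplierPub, body("fls", p.PartNumber, p.Payload), p.Sig) {
		return fmt.Errorf("integrity: part modified after signing")
	}
	return nil
}

// RunDemo: verdicts for a genuine, a modified and a self-certified part (constructed keys and image).
func RunDemo() (genuine, modified, selfCert error) {
	key := func(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize)) }
	pub := func(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }
	root, sup, rogue, img := key(1), key(2), key(3), []byte("constructed image v1")
	pkg := Sign(sup, Certify(root, "Supplier-A", pub(sup)), "Supplier-A", "PN-DEMO-1", img)
	mod := pkg
	mod.Payload = []byte("constructed image v1, altered")
	fake := Sign(rogue, Certify(rogue, "Supplier-A", pub(rogue)), "Supplier-A", "PN-DEMO-1", img)
	return Verify(pub(root), pkg), Verify(pub(root), mod), Verify(pub(root), fake)
}

func main() { fmt.Println(RunDemo()) }
```

The part number is bound into the signed message, so a valid signature for one part cannot be reused for another.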

Page 19: Chantier « Sécurité et Vie Privée


Security evaluation principles

Provide a statement of security level and residual risks

Functional tests, organizational audits, code reviews, pen-tests…

Review of all information that gives evidence of security efficiency

Verify security functions and counter-measures
‒ Correctness
‒ Integrity
‒ Strength
‒ Appropriate implementation

Security functions and counter-measures cannot be bypassed

Page 20: Chantier « Sécurité et Vie Privée


Weakest link dominates security

Attacker can use all possible attack paths

Aircraft has to protect all paths at the same level
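One way to check an architecture model against the protection principles listed earlier (two barriers in front of critical assets, no common vulnerability, at least one barrier on every attack path) and the weakest-link rule above, as an added example that is not part of the original slides. The topology, the node names and the use of a technology tag to stand for a shared vulnerability are assumptions of this example.

```go
package main

import "fmt"

// Link is one hop an attacker can take. Tech names the barrier technology on that hop
// ("" = unprotected); barriers sharing a Tech are assumed to share a vulnerability.
type Link struct{ From, To, Tech string }

// Violations walks every simple path from each entry point to each asset and reports
// those crossing fewer independent barriers than required: 2 if critical, else 1.
func Violations(links []Link, entries []string, critical map[string]bool) (out []string) {
	var path []Link
	seen := map[string]bool{}
	var walk func(node string)
	walk = func(node string) {
		if crit, isAsset := critical[node]; isAsset {
			need, techs, hops := map[bool]int{false: 1, true: 2}[crit], map[string]bool{}, ""
			for _, l := range path {
				hops += l.From + " > "
				if l.Tech != "" {
					techs[l.Tech] = true
				}
			}
			if len(techs) < need {
				out = append(out, fmt.Sprintf("%s%s: %d of %d", hops, node, len(techs), need))
			}
			return
		}
		seen[node] = true
		for _, l := range links {
			if l.From == node && !seen[l.To] {
				path = append(path, l)
				walk(l.To)
				path = path[:len(path)-1]
			}
		}
		seen[node] = false
	}
	for _, e := range entries {
		walk(e)
	}
	return out
}

// Demo checks a constructed topology over the ARINC 664 domains; node names are illustrative.
func Demo(gateway2Tech, loaderTech string) []string {
	links := []Link{
		{"PassengerDevice", "PIESD", ""}, {"PIESD", "AISD", "vendorX"},
		{"MaintLaptop", "AISD", loaderTech}, {"AISD", "CabinSupport", ""},
		{"AISD", "ACD", gateway2Tech}, {"ACD", "FlightControl", ""},
	}
	return Violations(links, []string{"PassengerDevice", "MaintLaptop"},
		map[string]bool{"CabinSupport": false, "FlightControl": true})
}
func main() { fmt.Println(Demo("vendorX", ""), Demo("vendorY", "signature")) }
```

The first model fails on three paths, including one that crosses two gateways of the same technology; the second, with a different second gateway and a check on the maintenance link, reports none.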

Page 21: Chantier « Sécurité et Vie Privée


Safety and Certification activities useful for Security

Safety does not imply Security
But some Safety related activities help to increase security level

– Regulatory environment, certification
– Review of all modifications
– Configuration management
– Aircraft architecture
– Paranoid programming
– Assurance Level (DO178B/C)
– Procedures and mitigations

Page 22: Chantier « Sécurité et Vie Privée


General IT security vs Aircraft Security
Where are the particular difficulties?

No on-board security administrator
– Monitoring cannot be done in real time by humans

Cycles are different
– Update cycles cannot be the same
– Development times are longer
– Configuration Management is requested by operations and imposes additional work
– Systems are designed for the lifetime of an aircraft – 25 to 50 years

Diversity & multiplicity of interconnected systems
– E.g. ATM systems are different from one country to another during the same flight

Certification
– Certification process is long and costly
– Need to convince Authorities

Taking into account existing architectures

Consequences are usually bigger
– Safety
– Liability

Communications
– Cost
– Roaming
– Intermittence

Page 23: Chantier « Sécurité et Vie Privée


History

Aircraft Cyber Security

Perspectives

Page 24: Chantier « Sécurité et Vie Privée


Perspectives

[Diagram; labels in page order: New functions; Mobility; Remote actions; Automation; Less on-board treatments; Cloud computing; Big data; Artificial Intelligence; Security solutions; Filtering; User & Device authentication; Attestations; Intrusion detection; Formal proofs; Regulation evolutions; More connectivity; Connected operations; Secure communications; Key management; Protection for jamming, spoofing; Less footprint; Less weight, power, volume, heat; Lower RC; Virtualisation; Segregation; Consolidation; New methods; MBSE; Faster updates; Development methods; Agile methods; Lower NRC]

MBSE – Model Based System Engineering
RC – Recurrent Cost
NRC – Non-Recurring Cost

Page 25: Chantier « Sécurité et Vie Privée


Conclusion

Security is mandatory
– Welcome to the 21st century!

Security to be included from the beginning of the life-cycle
– Architecture
– Technical measures
– Security Assurance
– Many processes

Ever evolving subject
– New technologies (for attackers, for defenders, for functions)
– New vulnerabilities, new attack methods…
– New regulations
– Anticipation needed

Security involves many other actors
– Airports, airlines, maintainers, air service providers, supply chain…

Page 26: Chantier « Sécurité et Vie Privée

Thank you

© AIRBUS Operations S.A.S. All rights reserved. Confidential and proprietary document. This document and all information contained herein is the sole property of AIRBUS Operations S.A.S. No intellectual property rights are granted by the delivery of this document or the disclosure of its content. This document shall not be reproduced or disclosed to a third party without the express written consent of AIRBUS Operations S.A.S. This document and its content shall not be used for any purpose other than that for which it is supplied. The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS Operations S.A.S will be pleased to explain the basis thereof. AIRBUS, its logo, A300, A310, A318, A319, A320, A321, A330, A340, A350, A380, A400M are registered trademarks.