Federal Aviation Administration

FAA Information Security R&D
Presented to: Workshop on Critical Research Areas in Aerospace Software
By: Ernest Lucier, Advisor on High Confidence Systems
Date: Tuesday, August 9, 2005

Chief Information Office (CIO)
OUR MISSION
– The Chief Information Officer's (CIO) mission is to provide agency policy and direction in the areas of:
  • Information Technology (IT) Strategic Planning
  • IT Investment Analysis
  • Process Engineering
  • Information Management
  • Information Security
– This mission will be achieved by working with our key constituents to understand the information technology needs of the agency and teaming with other organizations to carry out the mission.

FAA Information Security R&D Tuesday, August 9, 2005 Federal Aviation Administration

CIO Strategic Goals
Agency Goal: Increased Safety
INTRODUCE Safety Management System (SMS) PROCESSES
• Introduce SMS processes FAA-wide to assess risk and to monitor effectiveness of risk-mitigation strategies.
  – Continuously improve processes that are critical to maintaining, enhancing and assuring the safety and security of the National Airspace System (NAS).
  – Incorporate safety and security best practices within the Acquisition Management System (AMS) and related FAA systems and software engineering guidelines and handbooks
  – Continue to integrate safety and security engineering processes, methods, and tools
  – Continue the collaboration with other government and industry organizations on adoption of 'best practices'

CIO Strategic Goals
Agency Goal: Organizational Excellence
• Cyber-Security Plan
  – Improve the protection of the FAA information infrastructure

FAA Organization
[Organization chart. Offices and codes shown on the chart:]
• Administrator
• Deputy Administrator
• Chief of Staff
• Chief Operating Officer, Air Traffic Organization (ATO)
• Office of Chief Counsel (AGC)
• Office of the Civil Rights (ACR)
• Assistant Adm. for Region and Center Operations (ARC)
• Office of Govt. & Industry Affairs (AGI)
• Assistant Adm. for Aviation Policy, Planning & Environment (AEP)
• Associate Administrator for Commercial Space Transportation (AST)
• Office of Communications (AOC)
• Assistant Adm. for Information Services (AIO)
• Assistant Adm. for International Aviation (API)
• Assistant Adm. for Security & Hazardous Materials (ASH)
• Assistant Adm. for Human Resource Management (AHR)
• Assistant Adm. for Financial Services (ABA)
• Associate Administrator for Airports (ARP)
• Associate Administrator for Aviation Safety (AVS)
• Office of Airport Planning & Programming (APP)
• Office of Airport Safety & Standards (AAS)
• Office of Accident Investigation (AAI)
• Office of Aerospace Medicine (AAM)
• Flight Standards Service (AFS)
• Aircraft Certification Service (AIR)
• Office of Air Traffic Oversight (AOV)
• Office of Quality and Integration (AQI)
• Office of Rulemaking (ARM)
• Regions and centers: Alaskan Region (AAL), Central Region (ACE), Eastern Region (AEA), Great Lakes Region (AGL), New England Region (ANE), Northwest Mountain Region (ANM), Southwest Region (ASW), Western-Pacific Region (AWP), Southern Region (ASO), Mike Monroney Aeronautical Center (AMC)
• Air Traffic Organization (ATO) Vice Presidents: Safety (S), En Route & Oceanic Service (E), Communications (C), Terminal Service (T), Operations Planning (P), Flight Services (D), Finance (F), System Operations Service (R), Acquisition & Business Services (A), Technical Operations Service (W)
• Other office codes on the chart: AEE, APO, AEU, ALC, APC, ADG, AEO, AHS, AHA, AHD, AHL, AIN, AHP, AIS, ABU, AFC, AFM, ASN, ARD

Office of Information Technology Research and Development, ARD-1
OUR MISSION
To improve the FAA's capability to perform its mission by identifying and recommending secure, robust technologies, solutions, and best practices and partnering to ensure their adoption.

ARD-1 Core Competencies
Our Core Competencies (what we excel at)
• Process standards and models
• Enterprise architecture
• Cyber-security
• Advanced Information Technology
• Information Technology (IT) and Information Systems Security (ISS) R&D
Our Roles and Responsibilities (what we must do for FAA)
• Chief Technology Officer
• Chief Engineer for Process Improvement
• Chief Enterprise Architect
Success Factors, e.g., ARD-1 will be successful when its solutions and best practices are widely adopted across the FAA, and are recognized by national and international bodies

ARD-1 Principals
• ARD-1's mission is complex, but our strategy is straightforward:
  – Stay focused on AIO's core missions and competencies
  – Enhance customer focus and support
  – Experiment with technology in operational settings, rolling out effective new technology
  – Achieve an adaptive culture and organization internally, while reinforcing positive shifts within the enterprise
  – Focus on enterprise-wide solutions
  – Engage with other agencies and organizations in pursuing common solutions to government problems
  – Provide leadership in introducing new technologies and ideas throughout the FAA

Potential changes/Issues
• Next Generation Air Transportation System (NGATS) prepared by the Joint Planning and Development Office (JPDO) (www.jpdo.aero), year 2025
  – DoD Global Information Grid (GIG)
  – Unmanned Aerial Vehicles (UAVs)
  – Small Aircraft Transportation Systems (SATS) - More small high end commercial flights
  – Etc.
• Transition FAA point-to-point operational communications (NAS) to Internet Protocol (IP)
  – FAA Telecommunications Infrastructure (FTI)
• Long-term supportability
  – Verification and Validation (V&V)
  – Certification
  – Safety and Security
  – 'ilities
• More Commercial-Off-The-Shelf (COTS)
• Transition Research, Engineering, and Development (RE&D) to operations
• New systems and changes bring new vulnerabilities and risk (e.g., wireless networks and air-to-ground digital communications)

ARD-1 Cyber R&D Relationships
• External relationships
  – Air Force Research Laboratory (AFRL)
  – National Science Foundation (NSF)/National Academy of Sciences (NAS)
  – Advanced Research and Development Activity (ARDA)
  – Technical Support Working Group (TSWG)
• Universities/Colleges
  – Colorado State University (CSU)
  – George Mason University (GMU)
  – National Defense University/Information Resources Management College (IRMC)
  – Naval Postgraduate School (NPS)
  – State University of New York at Buffalo (SUNY) - Unintended Information Revelation (UIR)
  – University of Southern California (USC) Center for Software Engineering (USC-CSE) – Security addition to COCOMO II (COnstructive COst MOdel II)
• Intergovernmental Organizations
  – Subcommittee on Networking and Information Technology Research and Development (NITRD)
    • High Confidence Software and Systems Coordinating Group (HCSS)
    • Software Design and Productivity (SDP) Coordinating Group
  – INFOSEC Research Council (IRC)
  – Cyber Security and Information Assurance (CSIA) Interagency Working Group (IWG)
• Consortiums
  – Center for Identification Technology Research (CITeR)
  – MIT Center for Information Systems Research (CISR)

Previous Accomplishments
• Adaptive Quarantine
  – Initiated collaborative R&D project to isolate systems, network components, and services to prevent them from becoming contaminated, corrupted, compromised, or misappropriated
  – Completed laboratory evaluation, proof of concept demonstration, and field testing of reactive network-based tools
• FAA Protection Profile Library and Acquisition Toolkit
  – Defined and allocated implementation independent security requirements across the three FAA security enclaves: WAN, LAN, and application systems
  – Produced 18 Protection Profiles, language to include in a Statement of Work (SOW), Data Item Descriptions (DIDs) for security assurance evidence, and requirements traceability matrix to NAS-SR-1000
  – Shared results with our internal customers and external business partners
• Integration of Common Criteria and C&A Security Evaluations
  – Developed methodology to integrate Common Criteria and C&A security evaluations to reduce the time and cost to certify and deploy systems
  – Identified how Common Criteria artifacts can be used to satisfy 19 of 29 (or 65.5%) of the subtasks required by NIST SP 800-37 C&A standard
• Web Services
  – Conducted a series of training courses to raise awareness about the benefits of web services

Previous Accomplishments
• Enterprise Architecture (EA)
  – Developed EA Project Plan. The EA Project Plan details necessary tasks for success in both the OMB and GAO framework assessments.
  – Developed EA Security Certification and Authorization Package (SCAP) package and completed SCAP process with approval to operate.
  – Completed development of FEA EA reference models and data collection tool.
  – Populated EA Repository with line of business artifacts from FAA staffs and lines of business.
  – EA Governance is being developed to provide roles, responsibilities and processes.
• Cyber Security Research and Development
  – Air Force Research Laboratory (AFRL) – testing of Information Systems Security (ISS) products in the FAA Computer Security Incident Response Center (CSIRC)
  – Colorado State University (CSU)/Air Force Research Laboratory (AFRL) - A "Vector" Model of Trust
  – George Mason University (GMU) - Cyber Security Research and Development Enhanced Topological Vulnerability Analysis (TVA) and Visualization
  – Naval Postgraduate School (NPS) – Wireless lessons learned
• Education
  – Sponsor FAA employees at the National Defense University, Information Resources Management College (IRMC)
    o More than 30 Information Systems Security (ISS) certifications in the past two years
    o Two Advanced Management Program (AMP) certificates
  – Distinguished Lecturer Series – provide Information Systems Security (ISS) and Information Technology (IT) lecturers to improve security awareness

Cyber-Security Plan
• Objective: Advance Information Assurance Capabilities in step with the new capabilities and evolving threats, risks and vulnerabilities
• Importance:
  – Leading edge technology must be incorporated into the FAA Networks to reduce the number of IT security incidents.
• Executable Exit Criteria:
  – Leverage R&D done by DoD and other Federal Agencies for eventual transition to FAA platforms.
  – Identify platforms for testing and evaluation of ARD-1 R&D efforts
• Terms and conditions:
  – Identify transition opportunities within the FAA. Provide funding to other parts of the FAA to make operational testing of leading edge technologies possible within the operational community.
• Customers:
  – All of FAA

Cyber-Security Plan
• Objective: Continue Adaptive Quarantine Effort and develop additional sponsorship
• Importance:
  – FAA needs the ability to quickly preempt, isolate, and contain adverse security events at all levels of the protocol stack to prevent disruption, compromise, or misappropriation of systems, networks, and/or information
• Executable Exit Criteria:
  – Successful completion of laboratory evaluations, proof of concept demonstrations, and field-testing for all products. Handoff of recommendations to FAA Technical Operations Services (ATO-W) and Computer Security Incident Response Center (CSIRC) for deployment
• Terms and Conditions:
  – An automated response capability is new to FAA. As a result, initial deployment will be to the mission support resources and then the NAS
• Customers:
  – Internal customers: ATO-W and CSIRC
  – External customers: NSA, Advanced Research and Development Activity (ARDA), DOD, other federal agencies

Cyber-Security Plan
• Objective: Generate and staff enterprise information assurance strategy
• Importance:
• Executable Exit Criteria:
• Terms and Conditions:
– The FAA Enterprise Architecture (EA) and the NAS architecture should define the structure and relationship of components and the principles and guidelines governing their design and evaluation. Security should be defined relative to these definitions and guidelines.
– Integration of Information System Security (ISS) into the FAA EA and the NAS architectures based on the DoDAF (NAS Architecture) and the FEA Security and Privacy Profile (FAA EA).
– Develop common security solutions based on the EA and the NAS architectures.
– Identify ISS best practices and standards for application to the architecture
– Identify R&D for incorporation into the To-Be architecture
– Include ISS in the FAA EA and NAS architecture governance process.
• Customers: FAA IT stakeholders, users and developers

Cyber-Security Plan
• Objective: Assure uniform, agency-wide Identity Management infrastructure, scalable to our needs and compliant with HSPD-12 and other Federal regulations.
• Importance:
  – Identity Management process must interoperate across the LOBs and with the Federal PKI Common Framework.
• Executable Exit Criteria:
  – Identity Management Policy identifying
    • Roles and responsibilities,
    • Technical Standards, and
    • Governance.
  – Identity Management Requirements integrated into the ISS Architecture
  – Prototypical application of Web Service Security that illustrates interfaces to PKI infrastructure.
  – Reflect HSPD-12 requirements in the FAA architectures
• Terms and conditions:
  – CIO council activity. Office of Security & Hazardous Materials (ASH) and Office of Information Systems Security (AIS) active participation.
• Customers:
  – FAA and Department of Transportation (DOT)

Improve Acquisition Processes
• FAA integrated Capability Maturity Model® (FAA-iCMM®)
  – Continue infrastructure development and deployment of the across the FAA
• Software Development Practices
  – Integrate safety and security best practices throughout acquisition lifecycle

Information Technology (IT) as a Strategic Enabler
• Develop an IT strategy designed to maximize interoperability across all systems.
  – Defined interfaces for the PKI infrastructure.
  – Interoperability is a pre-condition to eliminating duplication and quickly adapting IT to changes in business processes
• Develop an IT strategy based on practices designed to maximize return on the FAA IT investment.
  – Shared IT services justified by a business need will lead to cost savings and efficient operation of systems.
• Interaction with Industry/Academia
  – Participate in Industry/University Cooperative Research Centers and other Industry/University Centers that leverage research into IT and ISS strategy.
  – Participate in government-wide, government-industry-academia forums, and international strategic initiatives focusing on developing and improving IT practices and related standards (e.g., Federal CIO Council, CMMI Steering Group, DHS-DoD Software Assurance Forum, ISO standards development bodies)
• R&D Partnerships
  – Develop and enhance R&D partnerships with other Federal agencies and Organizations
  – The FAA must leverage IT R&D investments with other Federal Government and academia to effectively develop and field new capabilities
  – Partner with other Federal agencies and organizations in development and deployment of national and international standards to improve IT practices

Enterprise Architecture
• Support IT Investments
• Continue to develop Enterprise Architecture to support IT Investments
• IT investments are second largest FAA cost; more IT requirements will be placed on FAA without a corresponding increase in the budget.
• Develop and maintain EA policy and management process
• Develop EA data collection, reporting and analysis tools
• Develop EA reporting and analysis tools for solution architects
• EA Governance is being developed to provide roles, responsibilities and processes.
• Develop EA information systems security strategy
• Integrate OMB guidelines and requirements for privacy and security into the strategy.

Areas for Research and Development
• Enhanced methods and standards for engineering security into products and allowing continuous external monitoring of a system's internal "vital signs"
• Improved ability to provide continual security risk assessment in a complex networked environment
• Improved adaptive "quarantine" through provision of dynamically configured "break points" in networks
• Modeling and simulation of heterogeneous networks to quantify tradeoffs between system functionality and security services and to optimize "throughput" in the face of latency and highly variable attacks
• Strong identification/authentication mechanisms in bandwidth constrained environments
• Improved methods for testing of security requirements
• Role-based network objects and allocation rules