
FAA Information Security R&D

FAA Information Security R&D. Workshop on Critical Research Areas in Aerospace Software. Ernest Lucier, Advisor on High Confidence Systems. Tuesday, August 9, 2005. Chief Information Office (CIO). OUR MISSION



Presentation Transcript


  1. FAA Information Security R&D. Workshop on Critical Research Areas in Aerospace Software. Ernest Lucier, Advisor on High Confidence Systems. Tuesday, August 9, 2005.

  2. Chief Information Office (CIO): OUR MISSION
     • The Chief Information Officer’s (CIO) mission is to provide agency policy and direction in the areas of:
       • Information Technology (IT) Strategic Planning
       • IT Investment Analysis
       • Process Engineering
       • Information Management
       • Information Security
     • This mission will be achieved by working with our key constituents to understand the information technology needs of the agency and teaming with other organizations to carry out the mission.

  3. CIO Strategic Goals. Agency Goal: Increased Safety. Introduce Safety Management System (SMS) Processes
     • Introduce SMS processes FAA-wide to assess risk and to monitor effectiveness of risk-mitigation strategies.
     • Continuously improve processes that are critical to maintaining, enhancing and assuring the safety and security of the National Airspace System (NAS).
     • Incorporate safety and security best practices within the Acquisition Management System (AMS) and related FAA systems and software engineering guidelines and handbooks
     • Continue to integrate safety and security engineering processes, methods, and tools
     • Continue the collaboration with other government and industry organizations on adoption of 'best practices'

  4. CIO Strategic Goals. Agency Goal: Organizational Excellence
     • Cyber-Security Plan
       • Improve the protection of the FAA information infrastructure

  5. FAA Organization [Organization chart: the Administrator and Deputy Administrator, the staff offices and Assistant/Associate Administrators, the Air Traffic Organization (ATO) service units, the nine regions, and the Mike Monroney Aeronautical Center. The chart layout is not recoverable from the transcript.]

  6. Office of Information Technology Research and Development, ARD-1: OUR MISSION
     To improve the FAA’s capability to perform its mission by identifying and recommending secure, robust technologies, solutions, and best practices and partnering to ensure their adoption.

  7. ARD-1 Core Competencies
     • Our Core Competencies (what we excel at)
       • Process standards and models
       • Enterprise architecture
       • Cyber-security
       • Advanced Information Technology
       • Information Technology (IT) and Information Systems Security (ISS) R&D
     • Our Roles and Responsibilities (what we must do for FAA)
       • Chief Technology Officer
       • Chief Engineer for Process Improvement
       • Chief Enterprise Architect
     • Success Factors, e.g., ARD-1 will be successful when its solutions and best practices are widely adopted across the FAA, and are recognized by national and international bodies

  8. ARD-1 Principles
     • ARD-1’s mission is complex, but our strategy is straightforward:
       • Stay focused on AIO’s core missions and competencies
       • Enhance customer focus and support
       • Experiment with technology in operational settings, rolling out effective new technology
       • Achieve an adaptive culture and organization internally, while reinforcing positive shifts within the enterprise
       • Focus on enterprise-wide solutions
       • Engage with other agencies and organizations in pursuing common solutions to government problems
       • Provide leadership in introducing new technologies and ideas throughout the FAA

  9. Potential Changes/Issues
     • Next Generation Air Transportation System (NGATS) prepared by the Joint Planning and Development Office (JPDO) (www.jpdo.aero), year 2025
     • DoD Global Information Grid (GIG)
     • Unmanned Aerial Vehicles (UAVs)
     • Small Aircraft Transportation Systems (SATS) - More small high end commercial flights
     • Etc.
     • Transition FAA point-to-point operational communications (NAS) to Internet Protocol (IP)
     • FAA Telecommunications Infrastructure (FTI)
     • Long-term supportability
     • Verification and Validation (V&V)
     • Certification
     • Safety and Security
     • ‘ilities
     • More Commercial-Off-The-Shelf (COTS)
     • Transition Research, Engineering, and Development (RE&D) to operations
     • New systems and changes bring new vulnerabilities and risk (e.g., wireless networks and air-to-ground digital communications)

  10. ARD-1 Cyber R&D Relationships
     • External relationships
       • Air Force Research Laboratory (AFRL)
       • National Science Foundation (NSF)/National Academy of Sciences (NAS)
       • Advanced Research and Development Activity (ARDA)
       • Technical Support Working Group (TSWG)
     • Universities/Colleges
       • Colorado State University (CSU)
       • George Mason University (GMU)
       • National Defense University/Information Resources Management College (IRMC)
       • Naval Postgraduate School (NPS)
       • State University of New York at Buffalo (SUNY) - Unintended Information Revelation (UIR)
       • University of Southern California (USC) Center for Software Engineering (USC-CSE) - Security addition to COCOMO II (COnstructive COst MOdel II)
     • Intergovernmental Organizations
       • Subcommittee on Networking and Information Technology Research and Development (NITRD)
       • High Confidence Software and Systems Coordinating Group (HCSS)
       • Software Design and Productivity (SDP) Coordinating Group
       • INFOSEC Research Council (IRC)
       • Cyber Security and Information Assurance (CSIA) Interagency Working Group (IWG)
     • Consortiums
       • Center for Identification Technology Research (CITeR)
       • MIT Center for Information Systems Research (CISR)

  11. Previous Accomplishments
     • Adaptive Quarantine
       • Initiated collaborative R&D project to isolate systems, network components, and services to prevent them from becoming contaminated, corrupted, compromised, or misappropriated
       • Completed laboratory evaluation, proof of concept demonstration, and field testing of reactive network-based tools
     • FAA Protection Profile Library and Acquisition Toolkit
       • Defined and allocated implementation-independent security requirements across the three FAA security enclaves: WAN, LAN, and application systems
       • Produced 18 Protection Profiles, language to include in a Statement of Work (SOW), Data Item Descriptions (DIDs) for security assurance evidence, and requirements traceability matrix to NAS-SR-1000
       • Shared results with our internal customers and external business partners
     • Integration of Common Criteria and C&A Security Evaluations
       • Developed methodology to integrate Common Criteria and C&A security evaluations to reduce the time and cost to certify and deploy systems
       • Identified how Common Criteria artifacts can be used to satisfy 19 of 29 (or 65.5%) of the subtasks required by NIST SP 800-37 C&A standard
     • Web Services
       • Conducted a series of training courses to raise awareness about the benefits of web services

  12. Previous Accomplishments
     • Enterprise Architecture (EA)
       • Developed EA Project Plan. The EA Project Plan details necessary tasks for success in both the OMB and GAO framework assessments.
       • Developed EA Security Certification and Authorization Package (SCAP) and completed SCAP process with approval to operate.
       • Completed development of FEA EA reference models and data collection tool.
       • Populated EA Repository with line of business artifacts from FAA staffs and lines of business.
       • EA Governance is being developed to provide roles, responsibilities and processes.
     • Cyber Security Research and Development
       • Air Force Research Laboratory (AFRL) - testing of Information Systems Security (ISS) products in the FAA Computer Security Incident Response Center (CSIRC)
       • Colorado State University (CSU)/Air Force Research Laboratory (AFRL) - A “Vector” Model of Trust
       • George Mason University (GMU) - Cyber Security Research and Development Enhanced Topological Vulnerability Analysis (TVA) and Visualization
       • Naval Postgraduate School (NPS) - Wireless lessons learned
     • Education
       • Sponsor FAA employees at the National Defense University, Information Resources Management College (IRMC)
       • More than 30 Information Systems Security (ISS) certifications in the past two years
       • Two Advanced Management Program (AMP) certificates
       • Distinguished Lecturer Series - provide Information Systems Security (ISS) and Information Technology (IT) lecturers and improve security awareness

  13. Cyber-Security Plan
     • Objective: Advance Information Assurance Capabilities in step with the new capabilities and evolving threats, risks and vulnerabilities
     • Importance:
       • Leading edge technology must be incorporated into the FAA Networks to reduce the number of IT security incidents.
     • Executable Exit Criteria:
       • Leverage R&D done by DoD and other Federal Agencies for eventual transition to FAA platforms.
       • Identify platforms for testing and evaluation of ARD-1 R&D efforts
     • Terms and Conditions:
       • Identify transition opportunities within the FAA. Provide funding to other parts of the FAA to make operational testing of leading edge technologies possible within the operational community.
     • Customers:
       • All of FAA

  14. Cyber-Security Plan
     • Objective: Continue Adaptive Quarantine Effort and develop additional sponsorship
     • Importance:
       • FAA needs the ability to quickly preempt, isolate, and contain adverse security events at all levels of the protocol stack to prevent disruption, compromise, or misappropriation of systems, networks, and/or information
     • Executable Exit Criteria:
       • Successful completion of laboratory evaluations, proof of concept demonstrations, and field-testing for all products. Handoff of recommendations to FAA Technical Operations Services (ATO-W) and Computer Security Incident Response Center (CSIRC) for deployment
     • Terms and Conditions:
       • An automated response capability is new to FAA. As a result, initial deployment will be to the mission support resources and then the NAS
     • Customers:
       • Internal customers: ATO-W and CSIRC
       • External customers: NSA, Advanced Research and Development Activity (ARDA), DOD, other federal agencies

  15. Cyber-Security Plan
     • Objective: Generate and staff enterprise information assurance strategy
     • Importance:
       • The FAA Enterprise Architecture (EA) and the NAS architecture should define the structure and relationship of components and the principles and guidelines governing their design and evaluation. Security should be defined relative to these definitions and guidelines.
     • Executable Exit Criteria:
       • Integration of Information System Security (ISS) into the FAA EA and the NAS architectures based on the DoDAF (NAS Architecture) and the FEA Security and Privacy Profile (FAA EA).
       • Develop common security solutions based on the EA and the NAS architectures.
       • Identify ISS best practices and standards for application to the architecture
       • Identify R&D for incorporation into the To-Be architecture
     • Terms and Conditions:
       • Include ISS in the FAA EA and NAS architecture governance process.
     • Customers: FAA IT stakeholders, users and developers

  16. Cyber-Security Plan
     • Objective: Assure uniform, agency-wide Identity Management infrastructure, scalable to our needs and compliant with HSPD-12 and other Federal regulations.
     • Importance:
       • Identity Management process must interoperate across the LOBs and with the Federal PKI Common Framework.
     • Executable Exit Criteria:
       • Identity Management Policy identifying
         • Roles and responsibilities,
         • Technical Standards, and
         • Governance.
       • Identity Management Requirements integrated into the ISS Architecture
       • Prototypical application of Web Service Security that illustrates interfaces to PKI infrastructure.
       • Reflect HSPD-12 requirements in the FAA architectures
     • Terms and Conditions:
       • CIO council activity. Office of Security & Hazardous Materials (ASH) and Office of Information Systems Security (AIS) active participation.
     • Customers:
       • FAA and Department of Transportation (DOT)

  17. Improve Acquisition Processes
     • FAA integrated Capability Maturity Model® (FAA-iCMM®)
       • Continue infrastructure development and deployment of the across the FAA
     • Software Development Practices
       • Integrate safety and security best practices throughout acquisition lifecycle

  18. Information Technology (IT) as a Strategic Enabler
     • Develop an IT strategy designed to maximize interoperability across all systems.
     • Interoperability is a pre-condition to eliminating duplication and quickly adapting IT to changes in business processes
     • Defined interfaces for the PKI infrastructure.
     • Interaction with Industry/Academia
       • Develop an IT strategy based on practices designed to maximize return on the FAA IT investment.
       • Shared IT services justified by a business need will lead to cost savings and efficient operation of systems.
       • Participate in Industry/University Cooperative Research Centers and other Industry/University Centers that leverage research into IT and ISS strategy.
       • Participate in government-wide, government-industry-academia forums, and international strategic initiatives focusing on developing and improving IT practices and related standards (e.g., Federal CIO Council, CMMI Steering Group, DHS-DoD Software Assurance Forum, ISO standards development bodies)
     • R&D Partnerships
       • Develop and enhance R&D partnerships with other Federal agencies and Organizations
       • The FAA must leverage IT R&D investments with other Federal Government and academia to effectively develop and field new capabilities
       • Partner with other Federal agencies and organizations in development and deployment of national and international standards to improve IT practices

  19. Enterprise Architecture
     • Support IT Investments
       • Continue to develop Enterprise Architecture to support IT Investments
       • Develop and maintain EA policy and management process
       • Develop EA data collection, reporting and analysis tools
       • IT investments are second largest FAA cost; more IT requirements will be placed on FAA without a corresponding increase in the budget.
       • Develop EA reporting and analysis tools for solution architects
       • EA Governance is being developed to provide roles, responsibilities and processes.
     • Develop EA information systems security strategy
       • Integrate OMB guidelines and requirements for privacy and security into the strategy.

  20. Areas for Research and Development
     • Enhanced methods and standards for engineering security into products and allowing continuous external monitoring of a system’s internal “vital signs”
     • Improved ability to provide continual security risk assessment in a complex networked environment
     • Improved adaptive “quarantine” through provision of dynamically configured “break points” in networks
     • Modeling and simulation of heterogeneous networks to quantify tradeoffs between system functionality and security services and to optimize “throughput” in the face of latency and highly variable attacks
     • Strong identification/authentication mechanisms in bandwidth constrained environments
     • Improved methods for testing of security requirements
     • Role-based network objects and allocation rules
