New Generation Aircraft Information Security Web Seminar. Gatelink. Presented by the Air Transport Association Digital Security Working Group

Similar documents
Paperless Aircraft Operations - IATA s Vision and Actions - Chris MARKOU IATA Operational Costs Management

ARINC Project Initiation/Modification (APIM)

Progressive Technology Facilitates Ground-To-Flight-Deck Connectivity

Gogo Connected Aircraft Services

Avionics CyberThreat. Airplanes Are Hard!

FACILITATION PANEL (FALP)

ARINC Project Initiation/Modification (APIM)

9/16/ CHG 213 VOLUME 3 GENERAL TECHNICAL ADMINISTRATION CHAPTER 61 AIRCRAFT NETWORK SECURITY PROGRAM

IATA Paperless Operations; Update

SUMMARY REPORT ON THE SAFETY OVERSIGHT AUDIT FOLLOW-UP OF THE DIRECTORATE GENERAL OF CIVIL AVIATION OF KUWAIT

Documentation Issues and Initiatives

TWELFTH AIR NAVIGATION CONFERENCE

The In-Flight Monetisation & Services Platform PRODUCT BROCHURE

CONNECT UP! Your Flight Path to the Connected Aircraft. In-Flight Internet Onboard Entertainment Flight Operations

Thales on the Civil Aerospace market

Mijloace acceptabile de conformitate. Electronic Flight Bag (EFB)

Terms of Reference for a rulemaking task

Aeronautical Communications: Changes Ahead - FCI

Aer Lingus Case Study - AeroDocs deployment to Aer Lingus. Aer Lingus cuts CASK with AeroDocs

TERMS OF REFERENCE. Drone Advisory Committee (DAC) Role Name or Title Organization. Director, UAS Integration Office. Director, UAS Integration Office

U.S. DEPARTMENT OF TRANSPORTATION FEDERAL AVIATION ADMINISTRATION. National Policy

Atennea Air. The most comprehensive ERP software for operating & financial management of your airline

The Importance of AIM and the Operational Concept

FLIGHT PATH FOR THE FUTURE OF MOBILITY

The Transforming Airport

TWELFTH AIR NAVIGATION CONFERENCE

Portable electronic devices

Centralised Service 6-6 Security Certificate Service

EUROCONTROL. Centralised Services concept. Joe Sultana Director Network Manager 1 July 2013

INTERNATIONAL CIVIL AVIATION ORGANIZATION AFI REGION AIM IMPLEMENTATION TASK FORCE. (Dakar, Senegal, 20 22nd July 2011)

Form 91 Application for Approval of an EFB System

ICAO GANP Requirements and Evolution

International Civil Aviation Organization SECRETARIAT ADMINISTRATIVE INSTRUCTIONS ON THE IMPLEMENTATION OF THE ICAO CIVIL AVIATION TRAINING POLICY

Introduction & Admin. Online UAS Training Courses. Virtual Meet & Greet

E-RECORDS. Heading towards a Paperless operation SWARAN SIDHU - HEAD OF FLEET TECHNICAL MANAGEMENT

ICAO Young Aviation Professionals Programme

High-speed connectivity solutions for airlines

Combined ASIOACG and INSPIRE Working Group Meeting, 2013 Dubai, UAE, 11 th to 14 th December 2013

Initial 4D Trajectory Management via SwiftBroadband Iris Event Salzberg

User Terminal certification process considerations

FINAL REPORT OF THE USOAP CMA AUDIT OF THE CIVIL AVIATION SYSTEM OF THE KINGDOM OF NORWAY

THE NATIONAL ACADEMIES PRESS

COVER SHEET. Reduced Vertical Separation Minimum (RVSM) Information Sheet Part 91 RVSM Letter of Authorization

Implementation challenges for Flight Procedures

4.2 Regional Air Navigation/Safety Developments and Achievements. Group (NAM/CAR ANI/WG) INTEGRATION OF UNMANNED AIRCRAFT SYSTEMS (UAS)

TWELFTH AIR NAVIGATION CONFERENCE

In-Service Data Program Helps Boeing Design, Build, and Support Airplanes

Boeing s goal is gateto-gate. crew awareness that promotes safety and efficiency.

Presentation Outline. Overview. Strategic Alliances in the Airline Industry. Environmental Factors. Environmental Factors

2012 Performance Framework AFI

RNP AR APCH Approvals: An Operator s Perspective

AeroMACS. Why it is important for aviation. AeroMACS Open Day Firenze, 06/07/2018 Nikos Fistas and Víctor Flores EUROCONTROL

4.6 Other Aviation Safety Matters FLAGS OF CONVENIENCE. (Presented by the Secretariat)

AIRPORT OPERATIONS TABLE OF CONTENTS

Asia Pacific Regional Aviation Safety Team

ARINC Project Initiation/Modification (APIM)

E-Enabled Vision & Strategy

GENERAL ADVISORY CIRCULAR

OVERSEAS TERRITORIES AVIATION REQUIREMENTS (OTARs)

The Mass HIway Connection Requirement: Year 1 & Year 2

Department of Defense DIRECTIVE

FACILITATION PANEL (FALP)

SESAR Active ECAC INF07 REG ASP MIL APO USE INT IND NM

AeroMACS. Why it is important for aviation. AeroMACS Open Day Firenze, 06/07/2018 Nikos Fistas and Víctor Flores EUROCONTROL

Applicability / Compatibility of STPA with FAA Regulations & Guidance. First STAMP/STPA Workshop. Federal Aviation Administration

License Requirements and Leased Aircraft

Jeppesen Total Navigation Solution

Global Aviation Safety Workshop Abuja Nigeria. Group A Road 2. Group A Road 2 Inconsistent Regulatory Oversight

AIS Basics - NOTAM, AIP, Amendments, Supplements, Circulars, Charts, and NOTAM Putting the basics in place

FACILITATION (FAL) DIVISION TWELFTH SESSION. Cairo, Egypt, 22 March to 2 April 2004

WORLDWIDE SYMPOSIUM ON ENABLING THE NET-CENTRIC INFORMATION ENVIRONMENT:

ICAO Regional Seminar on CORSIA Session 1: Overview of CORSIA CORSIA Administrative Aspects and Timelines

Content Delivery to Aircraft: The Challenge

Availability and Competence of Technical and Inspection Personnel in Civil Aviation Administrations

GANP 2019/ASBUs. Olga de Frutos. Marrakesh/10 th December Technical Officer Air Navigation

Information security supplier rules. Information security supplier rules

EFB Wireless Connectivity & Security Considerations

RUNWAY SAFETY GO-TEAM METHODOLOGY

Hosted Flight Data Monitoring. Information Sheet

Simplifying the business of flight. ARINCDirectSM FLIGHT SOLUTIONS

COVER SHEET. Reduced Vertical Separation Minimum (RVSM) Information Sheet Part 91 RVSM Letter of Authorization

California State University Long Beach Policy on Unmanned Aircraft Systems

Crew Management & Flight Operations:

PRESENTATION. Opportunities and Challenges for Regional Integration Mechanisms in the field of Digital Economy

CIVIL AVIATION AUTHORITY, PAKISTAN OPERATIONAL CONTROL SYSTEMS CONTENTS

Technical Cooperation Bureau

Operators may need to retrofit their airplanes to ensure existing fleets are properly equipped for RNP operations. aero quarterly qtr_04 11

Participant Presentations (Topics of Interest to the Meeting) GASP SAFETY PERFORMANCE INDICATORS. (Presented by the Secretariat) EXECUTIVE SUMMARY

Inmarsat GADSS Solutions Global Aeronautical Distress and Safety System

Background to the Article 83 bis Task Force

For on-line registration:

ICAO provisions on data link implementation

Subpart H. 2042/2003

e- Check in project at Narita Airport

WELCOME TO THE AGE OF THE CONNECTED AIRCRAFT

From AIS to AIM. COMSOFT AIS to AIM Lima, Peru Context and Overview Isabel Zambrano Rodriguez

PBN Operational Approval Overview

Guidelines for Life Limited Part (LLP) Movement History Sheet

SOUTH AFRICA PBN NEAR TERM IMPLEMENTATION PLAN PROJECT

TWELFTH AIR NAVIGATION CONFERENCE

Transcription:

New Generation Aircraft Information Security Web Seminar Gatelink Presented by the Air Transport Association Digital Security Working Group July 7, 2009

Agenda Brief Introduction to ATA Presented by Paul Conn, Director of Electronic Data Standards, Air Transport Association Public Key Infrastructure (PKI) concepts and terminology Presented by Dave Coombs, Director, PKI Standards and Policy Development, Carillon Information Security What is Gatelink to the Air Transportation Industry (ATI) Presented by Mario Sabourin, Innovation Program Manager, SITA Aircraft PKI Considerations - Retrofit Perspective on Getting a Device Certificate onto an Aircraft for Gatelink Presented by Stephen Arentz, Sr. Enterprise Architect Airline Operations Strategy & Planning Information Technology Division, United Airlines

About ATA Not-For-Profit Trade Association (founded 1936) Washington D.C. 76 Employees Membership: 17 U.S. Airlines 3 International Airlines 47 Industry Members >90% Cargo/Passenger Traffic in the U.S. Lobby Organization Administer Industry Programs Develop and Publish Industry Standards

ATA e-business Program Mission Establish a global commercial aviation industry information framework that facilitates: Improved business agility Reduced costs Increased speed of business Maintaining the highest level of safety Membership Over 130 companies / organizations Over 2000 individual company representatives 33 Countries

ATA e-business Program Specifications Spec 42 Aviation Industry Standards for Digital Information Security Spec 2000 E-Business Specification for Materiels Management ispec 2200 Information Standards for Aviation Maintenance Spec 2300 Data Exchange Standard for Flight Operations Common Support Data Dictionary Centralized industry data dictionary describing data elements and attributes, and their properties ATA Aviation Marketplace The industry's primary product and service online catalog resource, enabling e- commerce between the world's major airlines and their suppliers.

ATA e-business Program ATA Digital Security Working Group Provides a forum for exchanging ideas, discussing challenges, and recommending process improvements Develops aviation industry consensus for changes to methods and practices driven by digital security requirements Addresses the application of digital security technologies and standards to ATA e-business specifications Develops industry specifications to facilitate the civil aviation community s implementations of information security practices and technologies

Introduction to PKI......and its use in the Air Transport industry

The Problem We rely on digital/virtual communication more than we used to. Before: face-to-face, telephone, paper, radio comms. Now: email, web-based tools, Word docs, Gatelink. The value of these communications is still very high. Maybe higher. How can we trust the identity of a voice we can't hear? How can we be be sure our communications are private? How can we answer these questions as an industry?

Public Key Infrastructure PKI addresses these problems. Effectively a trust brokering system. Can convey digital identity assurance. Can ensure message integrity. Can ensure message confidentiality. Efforts to do this in an industry-standard way. ATA Spec 42......in cooperation with other groups such as AEEC, responsible for ARINC 822 (Gatelink).

Basic PKI Applications Digital Signatures Provides Identity Assurance Provides Message Integrity Assurance Encryption Provides Confidentiality

Digital Certificates

Trust Flow

Business Impact Technical infrastructure. CA function may be outsourced Policy & practices affecting trust in a PKI. If outsourcing, contractual agreement with CA provider cross-certified with an industry bridge. If not outsourcing, contractual agreement and crosscertification with an industry bridge. Integrating use of PKI into all areas of business. Do this once for your company, and spread the cost over many different projects/programs. It's not just about Gatelink.

Not Just Gatelink One PKI can also be used for: Physical access control Secure ACARS Electronic authorized release certificates (electronic Form 8130-3 or equivalent) Electronic Flight Bag Secure Email with partner companies Secure collaboration / web single-sign-on with partner companies There will be more.

Summary PKI provides identity assurance, message integrity assurance, and message confidentiality. The air transport industry has developed a standardized approach to PKI design and deployment. Gatelink is one of many projects to make use of these standards. A well designed PKI can serve many projects or an entire company, not just one project. Much work from many companies has gone into the industry standards. It is in everyone's interest to work together.

Thank you! Dave Coombs <dcoombs@carillon.ca> Director, PKI Standards and Policy Carillon Information Security Inc. Questions?

What is Gatelink to the ATI?

Agenda Gatelink Value Proposition Gatelink Planned Information Uses The Wi-Fi Gatelink challenges What does the future look like? Securing Connections & Communication Secure Wireless Connectivity Considerations

Gatelink Value Proposition Terminal phases ideal to exchange large volumes of non critical, non time-sensitive data Current use of sneaker-net and mass storage media leading to suboptimal capture rates (60% - 80%) Better and faster aircraft data availability improve flight operations as well as maintenance trending, diagnosing and troubleshooting Gatelink is an ideal alternative to manual retrieval process of non-critical data Large volumes of non-critical data cannot be exchanged cost-efficiently over existing aircraft datalink services like ACARS Gatelink's industry-standard basis increases economies of scope and network effects

Gatelink Planned Information Uses Applications Description Pre-Flight Information Navigation charts, graphical weather, load sheet, dangerous goods, flight plans, etc. Crew management Crew disposition assignment or composition Administrative Function Passenger information, wheelchair, stands, aircrew support, aircraft logistics Maintenance LSAP delivery, Technical Log Book, Aircraft maintenance document and parts catalogue, technical status of the aircraft EFB Weight and balance calculations, performance charts, flight manuals, electronic documentation

What does the future look like? A fully interconnected aircraft that is part of the airline s IT infrastucture Gatelink is one of the first steps to implement this vision Growth of global adoption Early adopters move to install and use Gatelink at hubs Soon seek access at non-hub locations around the world Timelines for fleet wide adoption will be over the next decade at non-hub locations depending on achieved ROI We see innovation associated with the global adoption of the Gatelink technology New uses for the Terminal Wireless LAN Unit (TWLU) and Crew Wireless LAN Unit (CWLU) solutions Wireless technologies are subject to change & evolution Equipment will migrate and cover more than simply 802.11 b/g Increased testing of emerging technology such as HSPA, WiMax, LTE Validate ROI for Wi-Fi Gatelink solutions prior to any large scale move to a new technology base

The Wi-Fi Gatelink challenges

New generation aircraft communications must be part of Overall Security Framework

Where Gatelink fits in the security layers

Securing Connections & Communication

EAP Authentication Process

Securing Gatelink with PKI generic considerations PKI Integration Requirements: PKI Enabled Application PKI Certificate Format supported (attributes) Staff PKI technology skills Certificate Authority Availability PKI operational requirements Delivery process (on-line & off-line) Organizational requirements Central RA, local RA, subscriber, sponsor Documentation Policy, processes, procedures

Value of PKI to aircraft communications Most secure authentication method identified today Maximizes interoperability between aircraft and groundbased applications Certificates may contain additional fields/attributes to enhance security of global solutions

Conclusion Security concerns increasingly becoming increasingly important in ATI processes and applications New aircraft communications must take security aspects into account to ensure safe and efficient operations PKI has been identified as most suitable security solution for many aircraft-related applications

Thank you Mario Sabourin Innovation Program Manager AeroTrust Product Manager SITA - CSBU mario.sabourin@sita.aero

Aircraft Public Key Infrastructure (PKI) Considerations Retrofit Perspective on Getting a Device Certificate onto an Aircraft for Gatelink

Agenda Why Gatelink PKI Security Considerations Certificate Authority Vendor PKI Standards PKI Airline Trusted Roles PKI Airline Considerations Technical Implementation Inter-Operability Considerations

Why Gatelink? Gatelink provides linkage across the final barrier, securely connecting aircraft end systems to the Airline s network With this connectivity slow and costly manual data transfer can be replaced with a faster and more economical way

PKI Security Considerations Security related actions / tasks: Corporate legal and security policy review of PKI Determine any new security requirements (i.e. manual or paper based that are being replaced electronically) Determine / verify each division s roles and responsibilities (Corporate Security, IT Security, Aircraft Engineering, Aircraft Maintenance, etc.) Review proposed aircraft attaching to airline corporate network from security perspective Make Certificate Authority (CA) build vs. buy decision This analysis is involved and should examine all areas that might potentially require certificates, not just the first project

Certificate Authority Vendor (1of2) General actions / tasks associated with setting up PKI with Certificate Authority (CA) vendor: Per CertiPath CP the Registration Authority (RA) function must be performed by CA personnel (may vary by CA vendor) Airline prepares archive vault per CA requirements CA approves airline implementation of proofing and audit requirements Airline appoints and CA approves Airline Certificate Authority Administrator Airline designates personnel for Device Sponsor and Trusted Agent roles (both roles maybe performed by the same individuals) Airline completes Trusted Agent individual background checks and training Airline / CA determine appropriate / required key encryption algorithm and length

Certificate Authority Vendor (2of2) Specific actions / tasks associated with setting up PKI aircraft device certificates with Certificate Authority (CA) vendor: Determine / agree on aircraft device certificate level of assurance (medium vs. high, hardware vs. software, full vs. CBP) Airline / CA prepares contract (or addendum) for Device Certificates Airline determines device key pair generation process Airline defines device certificate vetting process CA reviews / approves device certificate vetting process Airline defines storage of device certificate on aircraft CA reviews / approves storage of device certificate on aircraft

PKI Standards Starts with: X.509 Certificates IETF RFC 3647 - Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework Based on: ATA-DSWG Spec 42 - Aviation Industry Standards for Digital Information Security Details PKI requirements and specifications for the civil aviation industry For Gatelink: ARINC AEEC 822 - Aircraft / Ground IP Communication Based on IEEE 802.11 services and must be compliant with ITU-T X.509 v3, as specified in IETF RFC-3280 IETF RFC 3280 - Internet X.509 Public Key Infrastructure Certificate and Certification Revocation List (CRL) Profile

PKI Airline Trusted Roles Certificate Authority Administrator Administrative role that approves all access to CA, revokes user s digital certificates and prepares employment authorization letters for users Device Sponsor Fills the role of a Subscriber for non-human system components (could be same as Trusted Agent) Trusted Agent Verifies identity and securely communicates subscriber information to RA (performs identity proofing and submits / forwards CSR to RA) Audit Agent Reviews, maintains and archives audit logs, performs / oversees internal compliance audits

PKI Airline Considerations For CA vendor implementations, what type of certificate? (see previous slide) For CA vendor implementations, what are the initial certificate costs? Renewal costs? Requires airline IT, Aircraft Engineering and Maintenance, and Security groups to work together Determine certificate validation length (3 years) Determine how long before certificate expiration a new CSR should be generated (4 weeks) Asses each country s regulations planned for implementation Establishing a working PKI with a CA vendor takes time (at United its been over 1 year and we re still working on it)

Technical Implementation (1of2) Determine encryption algorithm hashing and length Determine distinguished name fields in the Certificate Signing Request (CSR) and the Digital Certificate issued by the CA Determine where the digital key pair will be generated, on aircraft avionics or on ground system both have pros and cons Key pair generation software needs to be CA approved. CertiPath CP requires FIPS 140-2 level 1 certification for medium level certificates (very limited number of certified object modules)

Technical Implementation (2of2) Determine the aircraft ID to be used (nose number, tail number, ICAO number, etc.), and how this is known by the avionics component or mechanic Determine how mutual authentication will be performed (proxy to airline server, use root CA certificate, etc.) Determine how the aircraft will receive a Certificate Revocation List (CRL) or implement Online Certificate Status Protocol (OCSP) communication Determine what certificate extensions are used and whether they are marked as critical since this can cause certificates to be rejected Be careful, pay attention to details and test for compatibility across your implementation

Inter-Operability Considerations All Gatelink related components must support PKI certificate based authentication Careful planning and implementation is needed where airlines do not own the end-to-end infrastructure Such as multiple airport network infrastructures or multiple wireless service providers Authentication requires that certificates be shared and updated by airline servers, airport servers and aircraft before an aircraft attempts to connect at an airport CA certificates must be pre-load onto each aircraft for any airport it will connect to The complexity and workload will vary depending on implementation specifics, using airport proxy servers can reduce complexity

Summary Don t be discouraged, much of the trail blazing is already done There are standards committees that have already addressed many areas, and continue to work the remaining ones Much knowledge can be obtained by participating in the standards committees Use the standards committees for support Stick to the standards!!!

Thank You Questions? Presented by: Steve Arentz Sr. Enterprise Architect Airline Operations Strategy & Planning Information Technology Division United Airlines stephen.arentz@united.com

Help Shape the Future Join the DSWG Bring airline requirements to the table Work hand in hand with suppliers and manufacturers Consensus-based process Unlimited FREE downloads of all ATA e-business specifications, including Spec 42 Current Airline Members American Airlines British Airways Northwest Airlines Qantas Airways Turkish Airlines United Airlines No additional cost for current ATA e-business members Visit www.ataebiz.org for more information

Future Webinar Topics The connected aircraft and securing the environment Forming your information security strategy (i.e., conducting risk assessment, regulatory considerations, etc.) Securing data coming off the plane Electronic part certification (i.e., electronic Authorized Release Certificates) Software part signing (e.g. Electronic Flight Bag applications)

Questions and Discussion More Information ATA e-business Program Web: www.ataebiz.org Email: admin@ataebiz.org Paul Conn, ATA pconn@airlines.org Mario Sabourin, SITA Mario.Sabourin@sita.aero Steve Arentz, United Airlines Stephen.Arentz@united.com David Coombs, Carillon Information Security dcoombs@carillonis.com

2024 © travelsdocbox.com Privacy Policy | Terms of Service | Feedback