
Cybersecurity Systems Management in Aviation


1. Information security: overview - 1



What is information security?

“Security is a process, not a product” - Bruce Schneier

“Security is a form of protection where a separation is created between the assets and the threat. This includes but is not limited to the elimination of either the asset or the threat” – OSSTMM (Open Source Security Testing Methodology Manual)

“Information security (infosec) is the practice of protecting information by mitigating information risks.

It typically involves preventing or at least reducing the probability of unauthorized/inappropriate access, use, disclosure, disruption, deletion/destruction, corruption, modification, inspection, recording or devaluation.

It may also involve reducing the adverse impacts of incidents. Information may take any form, e.g. electronic or physical, tangible (e.g. paperwork) or intangible (e.g. knowledge).” - http://en.wikipedia.org/wiki/Information_security


CIA triad

Information security's primary focus is the balanced protection of the confidentiality, integrity and availability of data (also known as the CIA triad):

Confidentiality assumes that information is made available only to people and systems on a “need-to-know” basis. In other words, unauthorized access, intentional or accidental, must be prevented. Confidentiality can be provisioned through encryption and the use of access controls.

The concept of integrity requires the detection and elimination of any data that
suffered an unauthorized modification.

The information also needs to be made available at all times, since limited access
to data may have a similar impact to the loss of integrity.

More: http://www.forcepoint.com/cyber-edu/cia-triad


CIA triad

The opposite of the CIA triad is DAD (Disclosure, Alteration and Destruction):

Disclosure – Someone not authorized gets access to your information.

Alteration – Your data has been changed.

Destruction – Your data or systems have been destroyed or rendered inaccessible.


CIA triad vs. OSSTMM Operation Controls

The CIA triad      Operation Controls
Confidentiality    Confidentiality, Privacy, Authentication, Resilience
Integrity          Integrity, Non-repudiation, Subjugation
Availability       Continuity, Indemnification, Alarm


OSSTMM interactive controls

Authentication involves the validation of credentials through a process of identification and authorization

Indemnification involves a contract between the asset's owner and its interacting parties, in the form of legal repercussions in case the posted rules are not followed; these actions may come as a result of public legislative protection or from third parties

Resilience covers the interactions to maintain the protection of assets in the event
of corruption and failure

Subjugation assures that all interactions with the assets follow a defined
process; this covers the liability of loss from the interacting party and limits their
choice of interactions

Continuity covers all interactions meant to assure the assets' availability


OSSTMM defensive operations

Non-repudiation prevents all parties from denying their roles in any interactions

Confidentiality ensures the assets' availability only to those authorized parties

Privacy assumes that the means to access the assets are known only by the
authorized parties and cannot be shared outside their circle

Integrity assures that the interacting parties can detect any changes to the
assets

Alarm controls the notification of past and present interactions


Cryptographic systems

Useful for all objectives of information security: confidentiality, integrity, and availability

Symmetric-key cryptosystem
– same key is used for encryption and decryption
– system with 1000 users requires 499,500 keys
– each pair of users requires a different key

Public-key cryptosystem
– separate keys for encryption and decryption
– system with 1000 users requires 2000 keys
– each individual user has exactly two keys


Digital signatures: confidentiality

Electronic equivalent of handwritten signatures

Handwritten signatures are hard to forge

Electronic information is easy to duplicate

Digital signatures using public key encryption
– Bob uses his private key to “sign” a message
– Alice verifies signature using Bob’s public key

Data authentication provided by digital signatures


Digital signatures: Authentication

Alice wants to send message M to Bob
– uses Bob’s public key to encrypt M

Bob uses his private key to decrypt M
– only Bob has key
– no one else can decipher M

Identification provided by public key encryption

But… anyone can send message to Bob using his public key
– how are we sure the message came from Alice?


Digital signatures: Authentication

Alice wants assurance of real-time communication

Bob tries to provide assurance by digital signature

Alice is assured message originated from Bob
– digital signatures provide data origin authentication
– But … Eve can intercept signature and use it to authenticate herself as Bob at any later time

Signed challenge
– Alice sends random number (a challenge) to Bob
– Bob replies with challenge encrypted with signature

User authentication provided by signed challenges
– combination of digital signature and unpredictability of Alice's random number challenge


Certification authority: Integrity

A third party trusted by all users that creates, distributes, revokes, & manages
certificates

Certificates bind users to their public keys

For example, if Alice wants to obtain Bob's public key
– she retrieves Bob's certificate from a public directory
– she verifies the CA's signature on the certificate itself
– if signature verifies correctly, she has assurance from the trusted CA this really is Bob's public key
– she can use Bob's public key to send confidential information to Bob or to verify Bob's signatures, protected by the assurance of the certificate

Integrity is provided by the certification authority
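
The signed-challenge exchange and the certificate check from the two slides above, as an added example that is not part of the original slides. Textbook RSA over small constructed primes stands in for a real signature scheme, and every function name and the certificate layout are assumptions made for illustration.

```python
import hashlib
import secrets

E = 65537  # public exponent used by every toy key below

def make_key(p, q):
    """Textbook RSA from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)          # needs the private exponent d

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)   # needs only the public modulus n

# Constructed keys built from well-known Mersenne primes (far too small for real use).
CA_N, CA_D = make_key(2**89 - 1, 2**127 - 1)
BOB_N, BOB_D = make_key(2**61 - 1, 2**107 - 1)

def issue_cert(subject, subject_n):
    """CA binds a name to a public key by signing both together."""
    body = f"{subject}|{subject_n}".encode()
    return {"subject": subject, "n": subject_n, "sig": sign(body, CA_N, CA_D)}

def key_from_cert(cert, expected_subject):
    """Alice's check: accept the key only if the CA signature covers this name and key."""
    body = f"{cert['subject']}|{cert['n']}".encode()
    if cert["subject"] != expected_subject or not verify(body, cert["sig"], CA_N):
        return None
    return cert["n"]

def respond(challenge):                        # Bob signs Alice's random challenge
    return sign(challenge, BOB_N, BOB_D)

def authenticate(cert, challenge, response):   # Alice checks certificate, then response
    n = key_from_cert(cert, "Bob")
    return n is not None and verify(challenge, response, n)

def demo():
    cert = issue_cert("Bob", BOB_N)
    c1, c2 = secrets.token_bytes(16), secrets.token_bytes(16)
    r1 = respond(c1)
    live = authenticate(cert, c1, r1)          # fresh challenge, fresh signature
    replayed = authenticate(cert, c2, r1)      # Eve replays r1 against a new challenge
    tampered = key_from_cert(dict(cert, n=cert["n"] + 2), "Bob")  # key altered in the cert
    return live, replayed, tampered
```

`demo()` returns `(True, False, None)`: the live response verifies, the replayed signature fails against a new random challenge, and a certificate whose key was altered no longer matches the CA's signature.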


Survey of security issues (2004)


Rank Issue Description
1 Top management support
2 User awareness training & education
3 Malware (e.g., viruses, Trojans, worms)
4 Patch management
5 Vulnerability & risk management
...
9 Internal threats
10 Business continuity & disaster preparation
11 Low funding & inadequate budgets
...
14 Security training for IT staff
...
25 Standards issues


Terminology


Components of Information Security


NSTISSC Security Model


Computer as subject & object of an attack


Balancing Information Security & Information Access


Approaches to Information Security Implementation


SDLC Methodology – applied to Information security systems, too
