IT Security Management of Aircraft in Operation: A Manufacturer's View
ISSN: 0148-7191, e-ISSN: 2688-3627
Published October 18, 2011 by SAE International in United States
Over the last few years, IT systems have quickly found their way onboard aircraft, driven by the continuous pursuit of improved safety and efficiency in aircraft operation, but also in an attempt to provide the ultimate in-flight experience for passengers. Along with IT systems and communication links came IT security as a new factor in the equation when evaluating and monitoring the operational risk that needs to be managed during the operation of the aircraft. This is mainly because security deficiencies can cause services to be unavailable or, even worse, to be exploited by intentional attacks or inadvertent actions.
Aircraft manufacturers needed to develop new processes and had to get organized accordingly in order to address these new risks efficiently and effectively. To achieve this, the operational constraints of the aircraft needed to be taken into consideration, since classical incident response and patching principles do not apply to the administration of aircraft systems. The next step was then to identify the factors (i.e. security events) that could impact the accepted security risk level when the aircraft systems are in service.
Three processes were defined in order to perform holistic security management: implementation vulnerability management, security audit management and security incident management. These three processes, grouped under the term “operational security management”, have the sole objective of informing the risk owner of the security level of the aircraft system continuously and in a timely manner, and hence enabling the risk owner to formally accept the risk or launch actions to reduce it in order to minimize the impact on aircraft in operation. For this purpose, a tool was developed to collect and manage the information related to the three processes in a timely manner while adhering to existing standards. The tool also provides traceability of the decisions taken to address identified risks.
Citation: Ladstaetter, G., Reichert, N., and Obert, T., "IT Security Management of Aircraft in Operation: A Manufacturer's View," SAE Technical Paper 2011-01-2717, 2011, https://doi.org/10.4271/2011-01-2717.