THE IMPACT OF COTS COMPONENTS ON BUILDING TRUSTWORTHY SYSTEMS Arthur Pyster


THE IMPACT OF COTS COMPONENTS ON BUILDING TRUSTWORTHY SYSTEMS

Arthur Pyster

Deputy Assistant Administrator for Information Services and

Deputy Chief Information Officer

February 7, 2001

2/7/01 2

The FAA’s Job

Each day at 1000 staffed facilities, the FAA manages 30,000 commercial flights, using 40,000 major pieces of equipment, by 48,000 FAA employees, to safely move 2,000,000 passengers.


National Airspace System

• ~ 500 FAA Managed Air Traffic Control Towers

• ~ 180 Terminal Radar Control Centers

• 20 Enroute Centers

• ~ 60 Flight Service Stations

• ~ 40,000 Radars, VORs, Radios, …


CIO’s Security Mission

Establish and lead a comprehensive program to minimize information systems security risks

Ensure critical systems are certified as secure

Ensure all FAA staff and contractors know and do what is required to maintain information systems security

Ensure cyber attacks are detected and repelled and that successful attacks have minimal effect

Maintain effective outreach to industry, government, and academia

Protect the FAA’s information infrastructure and help the aviation industry reduce security risks through leadership in innovative information assurance initiatives


COTS Use within FAA (Part 1)

>$2B annually in IT acquisitions

Most recent and planned systems are heavily COTS-based; e.g.

FAA Telecommunications Infrastructure

National Airspace Systems Information Management System

Next generation messaging

Rapid movement towards TCP/IP-based networking and Oracle-based DBMS


COTS Use within FAA (Part 2)

Even many “custom” air traffic control systems may be used by air traffic control authorities in many countries

COTS is key to rapid and affordable deployment of new capabilities

Almost all heavily proprietary systems are old legacy

CTAS – advises the order in which aircraft should land

ARTS – primary system for terminal air traffic control


COTS-related System Vulnerabilities (Part 1)

Source code known to many outside FAA, but not to those inside FAA

Knowledge of source code not controlled by FAA

Security often an “afterthought” in commercial systems – security is rarely a commercial success criterion

New releases of software could introduce new vulnerabilities and invalidate old mitigations

Hackers often go after vulnerabilities in COTS components


COTS-related System Vulnerabilities (Part 2)

COTS rely heavily on commercial protocols and standards that are widely known, making it easier to exploit vulnerabilities

Easily available tools and knowledge mean less sophisticated hackers can exploit many vulnerabilities in COTS components

Generality of COTS components makes them more likely to have vulnerabilities and to introduce new vulnerabilities when integrated with other components.

Built-in COTS security features can be widely implemented, reducing vulnerability!


Exponential Growth in Security Incidents

Recent CERT-CC Experiences:

Year   Vulnerabilities Reported   Incidents Handled
1998   262                        3734
1999   417                        9859
2000   774                        21756


FAA’s 5 Layers of System Protection

Personnel Security

Physical Security

Compartmentalization/Information Systems Security

Site Specific Adaptation

Redundancy

Architecture and Engineering Awareness and Execution


… and A Generic ISS Service Perspective

Access Control

Confidentiality

Availability

Authentication

Integrity

Architecture and Engineering Awareness and Execution


Comprehensive Certification Process

[Process diagram; recoverable content:]

Roles: ISS Certifier; Sys Developer or Owner; CIO Certification Agent

Inputs: Threat, Vulnerabilities, Likelihood, Impact

Steps: Conduct Risk & Vulnerability Assessments → Prepare SCAP → C&A Statements to DAA → Deploy

Documents: Risk Management Plan; VA Report; IS Security Plan; ISS Test Plan & Summary Results; Protection Profile; Certification Statement

System Certification & Authorization Package (SCAP):

• Certification Statement

• Authorization Statement

• Executive Summary


Integrated Facility Security

[Diagram; recoverable content:]

Secure Facility Boundary, enclosed by a Personnel and Physical Barrier

Inside the boundary: HOST, Manual DARC, HOST, DSR; Service A, Service B, Service C

Outside the boundary: Shared Networks; Private Networks; Phone lines

Electronic Barriers at the network connections; Authenticated & Authorized Traffic


Airport Traffic Control Tower and Airport Surface Movement

[Architecture diagram in two views, Current-2002 and 2003-2005; recoverable content:]

Air Traffic Control Tower systems: Voice Switch; Tower Display Workstation (STARS Air Traffic Display); Flight Data I/O; Initial SMA (FFP1); Weather (Supervisor Workstation); Integrated Display System Workstation (SAIDS); E-IDS WS (Airport Status & Control); Tower Datalink-R WS; AMASS & ASDE-3 WS; Separate Status and Control Devices; ATCT (Local Info. Services and LAN Control); In Selected Towers: TDW (Air Traffic Display), TDLS-R WS, SMA

External connections: TRACON/STARS (Target Data to TDW); ARTCC; ASDE 3; TDWR; LTWIP; ACARS DL; AWOS/ASOS; ITWS; Airport/Runway Equipment; Other FAA Facilities; AOC, Airport, Ramp Control (Info Exchange); Software Updates; Remote Maintenance; Extranet Server; WAN

Legend: Core INFOSEC Requirements, including Risk-driven; INFOSEC Admin & Management; Network Screening Service; Encrypted Interface; Plaintext Interface; S – Strong Auth of NW Users; X – Removal of Malicious Traffic from NW; O-DVPN – NAS Ops Data Virtual Private Network; NWAC – Network Access Control; Common Network Security Interface


Selected CTAS Security Measures

Enable basic security measures in operating system

Shut off unused Internet protocols

Audit system use to detect unauthorized access or operation

Banners warn users about penalties for misuse

Virtual Private Network for secure communication


Selected FTI Security Requirements

Basic Security Services: Confidentiality, Integrity, Availability

Optional Enhanced Security Services: Strong Authentication, Firewalls, Extranets, VPNs, Enhanced confidentiality and integrity, Closed user groups, Enhanced remote access


Oracle8i Security Features

User Authentication: DB, external, OS, network, global, N-Tier

Password Management: Account locking, password aging, history and complexity checking

Fine Grained Access Control: Views, PL/SQL API, Virtual Private Database

Advanced Security Option: Data Privacy, Data Integrity, Authentication and Single Sign On, Authorization
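As an added illustration (not from the presentation and not Oracle's own documentation), the password-management and Virtual Private Database features listed above can be applied to a hypothetical NAS schema as follows; the profile, user, table and policy names (OPS_USER_PROFILE, TOWER_OPS, NAS.FLIGHT_PLANS, FLIGHT_OWNER_POLICY) are assumed, and VERIFY_FUNCTION is the sample complexity function Oracle ships in utlpwdmg.sql.

```sql
-- Added example (not from the presentation). All object names are assumed.
-- 1. Password management: a profile giving account locking, password aging,
--    history and complexity checking. VERIFY_FUNCTION is Oracle's sample
--    function from utlpwdmg.sql and must be created (as SYS) beforehand.
CREATE PROFILE ops_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5          -- account locking after 5 bad passwords
  PASSWORD_LOCK_TIME       1/24       -- stay locked for one hour (unit is days)
  PASSWORD_LIFE_TIME       90         -- password aging: expire after 90 days
  PASSWORD_GRACE_TIME      7          -- warn for 7 days before expiry
  PASSWORD_REUSE_MAX       10         -- history: 10 changes before a password may recur
  PASSWORD_REUSE_TIME      UNLIMITED  -- 8i requires one of the two REUSE limits unlimited
  PASSWORD_VERIFY_FUNCTION verify_function;  -- complexity checking

-- Assumed application account used by tower staff.
ALTER USER tower_ops PROFILE ops_user_profile;

-- 2. Fine grained access control: a Virtual Private Database policy that
--    restricts every session to the rows its own account loaded. Oracle
--    appends the returned predicate to each SELECT/UPDATE/DELETE on the
--    table, so the restriction holds regardless of the client tool used.
CREATE OR REPLACE FUNCTION flight_owner_policy (
  schema_name IN VARCHAR2,
  object_name IN VARCHAR2)
RETURN VARCHAR2
AS
BEGIN
  -- OWNER_USER is an assumed column on NAS.FLIGHT_PLANS. SESSION_USER is
  -- taken from the authenticated session, so a client cannot forge it.
  RETURN 'owner_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END flight_owner_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'NAS',
    object_name     => 'FLIGHT_PLANS',
    policy_name     => 'FLIGHT_PLANS_OWNER',
    function_schema => 'NAS',
    policy_function => 'FLIGHT_OWNER_POLICY',
    statement_types => 'SELECT, UPDATE, DELETE',
    update_check    => TRUE);  -- also reject UPDATEs that would move a row outside the predicate
END;
/
```

Run the profile section as a DBA and the policy section as the NAS schema owner (or another account granted EXECUTE on DBMS_RLS); a plain SELECT on NAS.FLIGHT_PLANS by TOWER_OPS then returns only that account's rows.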


Certifying COTS Components

ISO Protection Profiles establish standard security requirements for classes of systems such as firewalls, databases, operating systems, and even for a generic information system

COTS components can be “certified” for compliance with Protection Profiles by an official body such as the National Information Assurance Partnership.

Custom components can use tailored versions of COTS-oriented Protection Profiles.


Closing Thoughts

COTS present new security challenges daily, but use of COTS is key to rapidly and affordably delivering new services.

The 5 layers of FAA security, implemented through a comprehensive certification process to achieve integrated facility security, ensure the National Airspace System remains protected.

Greatest COTS research challenges:

• Testing the security characteristics of black-box COTS components

• Understanding the security properties of composed COTS components

• Architecting COTS-based systems for security