Click here to load reader

2nd Cybersecurity Workshop Test and Evaluation to Meet the ...itea.org/.../022615_1100_Francy_AISAC_ITEA_FINAL.pdf · PDF file Faye Francy, Executive Director. [email protected]

  • View
    0

  • Download
    0

Embed Size (px)

Text of 2nd Cybersecurity Workshop Test and Evaluation to Meet the...

  • 2nd Cybersecurity Workshop Test and Evaluation to Meet the

    Advanced Persistent Threat

    Faye Francy Aviation ISAC February 2015

    Aviation ISAC Proprietary. All rights reserved.

  • Company Organization

    Engineering, Operations & Technology

    Boeing Capital Corporation

    Shared Services Group

    Commercial Airplanes

    Defense, Space & Security

    Corporate

    Founded in 1916 in Seattle Became a leading producer of military and commercial airplanes

    R&D, BTE & IT

    Presenter Presentation Notes Boeing is organized into two business units: Boeing Commercial Airplanes and Boeing Defense, Space & Security. Supporting these units are Boeing Capital Corporation, a global provider of financing solutions; Boeing Engineering, Operations & Technology, which helps develop, acquire, apply and protect innovative technologies and processes and the Shared Services Group, which provides a broad range of services to Boeing worldwide.

  •  Testing  Early interaction with design teams (validate requirements, test objectives, testability)

     Simulate cyber properties before prototypes/hardware available

     Corporate Test Capabilities (dedicated networks, labs for LRUs, virtual cyber range)

     Tailored to Domain and End Users  Internal IT: protect Intellectual Property (static/dynamic code analysis, pen testing+)

     Military: “Contract requirements”, need clear RFP guidance, especially DT&E

     Commercial Air: Safety driven (DO178-C); need security certification guidance

     Threat-Based Test Planning and Beyond  Understand the threat (specific to the environment)

     Determine what to test, how to test

     Share Threat Data with Industry–more on this….

     Tactically Important  Operational test and evaluation (OT&E), Pen/Red

     Expensive (Time, $$$: need more trained personnel)

     Hard Sell to Management (need requirements from customers) 3

    T&E Approach

  • 4

    Airplane Technology is Evolving Global Mobility is a Requirement

     Hardware functions transitioning to

    software- hosted features

     Advanced features added to airplane

     Connectivity demands increasing

     Resilient systems a requirement  Software assurance, systems engineering, supply chain risk

    Ku

    L Band

    Air/Gnd

    None

    Connectivity 2010 Ku

    Ka

    L Band

    Air/Gnd

    None

    Connectivity 2014 777 787 Data Transmitted

    (MB / Flight)

    ~ 28MB

    Aviation ISAC Proprietary. All rights reserved.

  • 5

    Guiding Principles Build it Right, Continuously Monitor

     Airplanes are Safe  Design guidelines / Test protocols  Cyber Issue Papers  FAA regulatory compliance

     Special Conditions

    Layered protection  FAR 25.1309 – Equipment, Systems, & Installations

     Critical, Essential, Non-Essential

     Failure modes

     Domain separation  Configuration control

    Actively manage  Fault reporting  Log analysis  Information sharing

    Aviation ISAC Proprietary. All rights reserved.

  • An Adversary that –  Possesses significant levels of

    expertise / resources  Creates opportunities to achieve its

    objectives by using multiple attack vectors (e.g. cyber, physical)

     Establishes footholds within networked architecture systems  To exfiltrate information  Impede critical mission or program

    objectives  Position itself to carry out objectives later

    6

    Advanced Persistent Threat

    Critical to Protect Aircraft Design and IP

    http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0CAcQjRw&url=http://www.itbusinessedge.com/slideshows/the-most-famous-advanced-persistent-threats-in-history.html&ei=eibtVLOxPNfaoATdiID4CQ&bvm=bv.86956481,d.cGU&psig=AFQjCNEMVOfLKHl7YZ1SEFVPJ7nJmyiybA&ust=1424914416909243

  • The Threat A National Security Issue

     Rapidly escalating cyber threats

     Executive action

     Comprehensive Global approach

     Resiliency for our Critical Infrastructures

    Cybersecurity is a National Security Issue

    “Now our enemies are also seeking the ability to sabotage our power grid, our financial

    institutions, and our air traffic control systems.”

    Feb, 2013

    Executive Order 13636: Improving Critical Infrastructure

    Cybersecurity

    Presidential Policy Directive 21: Critical Infrastructure Security and

    Resilience

    Aviation ISAC Proprietary. All rights reserved.

    Presenter Presentation Notes We all rely on critical infrastructure to travel and communicate, work and play. The assets and systems we depend on are essential to our way of life. Networks are embedded in our economies and our political and social lives. While this interconnectedness creates immense economic value, we now realize is a major source of risk to commerce and our nation. Our Nation's critical infrastructure is complex and interconnected, and we must understand not only its strengths, but also its vulnerabilities to these emerging threats. In October of 2012, Defense Secretary Leon E. Panetta warned that the United States was facing the possibility of a “cyber-Pearl Harbor” .

    Cyber incidents can have devastating consequences on both physical and virtual infrastructure. We must all take responsibility to fortify against cyber risks - improving infrastructure security, and enhancing cyber information sharing between government and the private sector. Physical threats put our Nation's most important assets at risk. Imagine the impact of both a physical and cyber attack? What would 9-11 have looked like with the added cyber attack? Not a good thought. We must fortify the partnerships between the USG and businesses in our private sector. We must continue to modernize our critical infrastructure and bolster our ability to overcome whatever challenges we may face. Cyber is not only a national security issue but a team sport. Or to coin an old phrase from Hilary Clinton “It takes a Village”. All Americans have a part to play in protecting our critical infrastructure and making it more resilient.

    President Obama announced two policies in February, 2013: Executive Order 13636: Improving Critical Infrastructure Cybersecurity Presidential Policy Directive 21: Critical Infrastructure Security and Resilience

    Together, they create an opportunity to effect a comprehensive national approach Implementation efforts will drive action toward system and network security and resiliency

  •  Encourages the formation of communities to share information broadly across regions, sectors and industries, and to rapidly respond to emerging threats.

     Voluntary establishment of Information Sharing and Analysis Organizations (ISAOs), includes Information Sharing & Analysis Centers (ISACs)  Open and collaborative approach

     Omni-directional communication

     Bridges gap between the public/private sector

     Voluntary standards for sharing.

     Efficient means for granting clearances

    8

    Promoting Private Sector Cybersecurity Information Sharing Executive Order (EO) 2/13/15

    Aviation ISAC Proprietary. All rights reserved.

    Working Together is Critical

    Presenter Presentation Notes Encourages the formation and widening of communities to share information broadly across regions, sectors and industries, and to rapidly respond to emerging threats. Voluntary establishment of Information Sharing and Analysis Organizations (ISAOs), which includes Information Sharing and Analysis Centers (ISACs), such as the Aviation ISAC. Provides the platform for an open and collaborative approach that facilitates omni-directional communication for effective action, and can leverage the strong partnerships and information sharing already underway to help further bridge the gap between the public and private sectors. Calls for the development of voluntary standards for interoperable information sharing between and among the government and private sector. A-ISAC applauds the Administration’s proactive steps to further strengthen information sharing and providing actionable intelligence between public and private sectors.  The EO provides a heightened awareness and a call for increased and improved engagement.  Although much attention has been given to the issues, action-oriented solutions and effective results are desperately needed. The Administration’s support of a multi-layered approach, focused on effective collaboration between the public and private sectors, is critical. 

  • 9

    Newly-formed Aviation ISAC Working Together across the Aviation Sector

     Incorporated September 2014  Building membership  International engagement

     Leveraging other ISACs  Services Available

     Focused Intelligence Information/Briefings

     Cyber-Physical Integration

     Member to Member Sharing

     Distribute Information Gathering Costs across the

    Sector and with other Sectors

     Non-attribution and Anonymity of Submissions

     Information source for

Search related