THE IMPACT OF COTS COMPONENTS ON BUILDING TRUSTWORTHY SYSTEMS
Arthur Pyster
Deputy Assistant Administrator for Information Services and Deputy Chief Information Officer
February 7, 2001

The FAA's Job
Each day at 1000 staffed facilities, the FAA manages 30,000 commercial flights, using 40,000 major pieces of equipment, by 48,000 FAA employees, to safely move 2,000,000 passengers.
2/7/01 2

National Airspace System
• ~ 500 FAA Managed Air Traffic Control Towers
• ~ 180 Terminal Radar Control Centers
• 20 Enroute Centers
• ~ 60 Flight Service Stations
• ~ 40,000 Radars, VORs, Radios, …

CIO's Security Mission
Protect the FAA's information infrastructure and help the aviation industry reduce security risks through leadership in innovative information assurance initiatives
• Establish and lead a comprehensive program to minimize information systems security risks
• Ensure critical systems are certified as secure
• Ensure all FAA staff and contractors know and do what is required to maintain information systems security
• Ensure cyber attacks are detected and repelled and that successful attacks have minimal effect
• Maintain effective outreach to industry, government, and academia

COTS Use within FAA (Part 1)
• >$2B annually in IT acquisitions
• Most recent and planned systems are heavily COTS-based; e.g.
  – FAA Telecommunications Infrastructure
  – National Airspace Systems Information Management System
  – Next generation messaging
• Rapid movement towards TCP/IP-based networking and Oracle-based DBMS

COTS Use within FAA (Part 2)
• COTS is key to rapid and affordable deployment of new capabilities
• Almost all heavily proprietary systems are old legacy
  – ARTS – primary system for terminal air traffic control
• Even many "custom" air traffic control systems may be used by air traffic control authorities in many countries
  – CTAS – advise order in which aircraft should land

COTS-related System Vulnerabilities (Part 1)
• Source code known to many outside FAA, but not to those inside FAA
• Knowledge of source code not controlled by FAA
• Security often an "afterthought" in commercial systems – security not often a commercial success criterion
• New releases of software could introduce new vulnerabilities and invalidate old mitigations
• Hackers often go after vulnerabilities in COTS components

COTS-related System Vulnerabilities (Part 2)
• COTS rely heavily on commercial protocols and standards that are widely known, making it easier to exploit vulnerabilities
• Easily available tools and knowledge mean less sophisticated hackers can exploit many vulnerabilities in COTS components
• Generality of COTS components makes them more likely to have vulnerabilities and to introduce new vulnerabilities when integrated with other components
• Built-in COTS security features can be widely implemented, reducing vulnerability!

Exponential Growth in Security Incidents
Recent CERT-CC Experiences (bar chart on the slide; the two series and their values, by year)
                          1998    1999    2000
Incidents Handled         3734    9859    21756
Vulnerabilities Reported   262     417      774

FAA's 5 Layers of System Protection
• Personnel Security
• Physical Security
• Compartmentalization / Information Systems Security
• Site Specific Adaptation
• Redundancy

… and A Generic ISS Service Perspective
• Authentication
• Access Control
• Integrity
• Confidentiality
• Availability

Comprehensive Certification Process
(Process diagram on the slide.) Conduct Risk & Vulnerability Assessments (Threat, Vulnerabilities, Likelihood, Impact); the System Developer or Owner prepares the System Certification & Authorization Package (SCAP), comprising the Risk Management Plan, VA Report, IS Security Plan, ISS Test Plan & Summary Results, Protection Profile and Certification Statement; the ISS Certifier issues the C&A Statements (Certification Statement, Authorization Statement) and the CIO Certification Agent provides an Executive Summary to the DAA; then Deploy.

Integrated Facility Security
(Facility diagram on the slide.) A Secure Facility Boundary formed by a Personnel and Physical Barrier encloses HOST, DSR and DARC; phone lines enter through an Electronic Barrier so that only Authenticated & Authorized Traffic reaches Service A, Service B and the Manual Service C.

Airport Traffic Control Tower and Airport Surface Movement
(Two-panel architecture diagram on the slide: Current–2002 and 2003–2005.) Elements shown: TRACON, ARTCC and ATCT; STARS LAN; Tower Display Workstation (STARS Air Traffic Display); AMASS / ASDE-3 WS; Flight Data I/O; Weather (AWOS/ASOS, ITWS, TDWR, LTWIP); ACARS DL; Tower Datalink-R WS; Voice Switch; E-IDS WS (Airport Status & Control); Integrated Display System Workstation (SAIDS); Airport/Runway Equipment with separate status and control devices; Supervisor Workstation; Extranet Server; Network Access Control; O-D VPN links over the WAN to Other FAA Facilities, RAMP CONTROL and AOC NAS Ops Data; Target Data from TRACON/STARS to TDW. Security measures annotated: Core INFOSEC Requirements, including a risk-driven Network Screening Service; INFOSEC Admin & Management; Strong Auth of NW Users; Encrypted Interface; Virtual Private Network in Selected Towers; Removal of Malicious Traffic from NW; Common Network Security Interface; Software Updates and Remote Maintenance over O-D VPN; Plaintext Interface marked X.

Selected CTAS Security Measures
• Enable basic security measures in operating system
• Shut off unused Internet protocols
• Audit system use to detect unauthorized access or operation
• Banners warn users about penalties for misuse
• Virtual Private Network for secure communication

Selected FTI Security Requirements
• Basic Security Services: Confidentiality, Integrity, Availability
• Optional Enhanced Security Services: Strong Authentication, Firewalls, Extranets, VPNs, Enhanced confidentiality and integrity, Closed user groups, Enhanced remote access

Oracle8i Security Features
• User Authentication: DB, external, OS, network, global, N-Tier
• Password Management: Account locking, password aging, history and complexity checking
• Fine Grained Access Control: Views, PL/SQL API, Virtual Private Database
• Advanced Security Option: Data Privacy, Data Integrity, Authentication and Single Sign On, Authorization

Certifying COTS Components
• ISO Protection Profiles establish standard security requirements for classes of systems such as firewalls, databases, operating systems, and even for a generic information system
• COTS components can be "certified" for compliance with Protection Profiles by an official body such as the National Information Assurance Partnership
• Custom components can use tailored versions of COTS-oriented Protection Profiles

Closing Thoughts
• COTS present new security challenges daily, but use of COTS is key to rapidly and affordably delivering new services
• The 5 layers of FAA security, implemented through a comprehensive certification process to achieve integrated facility security, ensure the National Airspace System remains protected
• Greatest COTS research challenges:
  – Testing the security characteristics of black-box COTS components
  – Understanding the security properties of composed COTS components
  – Architecting COTS-based systems for security
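The Password Management and Fine Grained Access Control features listed on the Oracle8i Security Features slide, shown as an added configuration example; this is not code from the briefing or from the FAA. The profile, user, schema (NAS), table (FLIGHT_PLANS), context and package names are assumed, and VERIFY_FUNCTION is the sample complexity checker Oracle ships in utlpwdmg.sql.

```sql
-- Added example (not from the FAA briefing); every object name below is assumed.
-- Password management: account locking, aging, history and complexity
-- checking are enforced by a profile. VERIFY_FUNCTION comes from Oracle's
-- utlpwdmg.sql sample script, which must be run as SYS beforehand.
CREATE PROFILE nas_ops_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5           -- lock the account after 5 failures
  PASSWORD_LOCK_TIME       1           -- keep it locked for 1 day
  PASSWORD_LIFE_TIME       90          -- expire passwords after 90 days
  PASSWORD_GRACE_TIME      7           -- 7-day warning before expiry
  PASSWORD_REUSE_MAX       10          -- history: last 10 cannot be reused
  PASSWORD_REUSE_TIME      UNLIMITED   -- 8i requires one of the pair UNLIMITED
  PASSWORD_VERIFY_FUNCTION verify_function;

CREATE USER atc_analyst IDENTIFIED BY "Tmp-Pass-2001x" PROFILE nas_ops_profile PASSWORD EXPIRE;

-- Fine-grained access control: a Virtual Private Database policy that
-- appends "facility_id = <caller's facility>" to every statement against
-- NAS.FLIGHT_PLANS, so the restriction holds for any client tool or view.
CREATE OR REPLACE PACKAGE nas_sec AS
  PROCEDURE set_ctx(p_facility IN VARCHAR2);
  FUNCTION  facility_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END nas_sec;
/
CREATE OR REPLACE PACKAGE BODY nas_sec AS
  -- Called by the application at logon; only this package may set nas_ctx.
  PROCEDURE set_ctx(p_facility IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('nas_ctx', 'facility_id', p_facility);
  END;
  -- Policy function: returns the predicate Oracle adds to each statement.
  -- With no context set, SYS_CONTEXT is NULL, the predicate matches no rows,
  -- and an unconfigured session fails closed rather than seeing everything.
  FUNCTION facility_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    RETURN 'facility_id = SYS_CONTEXT(''nas_ctx'', ''facility_id'')';
  END;
END nas_sec;
/
CREATE OR REPLACE CONTEXT nas_ctx USING nas_sec;

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'NAS',     object_name     => 'FLIGHT_PLANS',
    policy_name     => 'FACILITY_ONLY',
    function_schema => 'NAS',     policy_function => 'NAS_SEC.FACILITY_PREDICATE',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE');
END;
/
```

Once the policy is attached, a session that ran nas_sec.set_ctx('ZTL') sees only ZTL rows in FLIGHT_PLANS whatever query it issues, which is the property that makes VPD usable as a COTS-provided control rather than one re-implemented in each application.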