Florian Guillermet Executive Director SESARJU

SECURITY BY DESIGN

ICAO Cyber Summit, Dubai, 6 April 2017

THE NEED FOR PERFORMANCE

THE VISION & MISSION

To define, develop and deploy the technology that is needed to increase ATM performance and build Europe’s intelligent air transport system

THE DIGITAL TRANSFORMATION OF AVIATION

ATM TODAY WITH SESAR

Multi-stakeholder system of systems

Public networks Increased use of COTS and

standard protocols Virtual infrastructure High connectivity Increased Automation

= High exposure

High impact

Specific systems and networks Point to point communication Physical infrastructure Low connectivity Poor Automation

= Low exposure Limited impact

DELIVERING SECURABLE SOLUTIONS

THE SECURABILITY OF SESAR SOLUTIONS

6 Security by design

V0 V1 V2 V3 V4 V5

ATM needs Scope Feasibility Pre-industrial

development & integration

Industrialization Deployment

V6

Operations

V7

Decommissioning

Cyber resilient architecture High level requirements for industrialization,

deployment and operations

Aspects of cyber-resilience

Foresight - prediction, anticipation

Robustness - ability to keep operating

Resourcefulness - control damage, mitigate it

Redundancy - substitutable

Rapid recovery

Adaptability - to changing environments

HOW: SESAR’S SECURITY RISK ASSESSMENT

Operational process

Attack impact

Supporting systems and components

Cyber Vulnerabilities

Attack scenario

Motivation

Attack methods

Opportunity

Likelihood

How to counter the attack?

Technical security controls

Attack vector

Operational Resilience

requirements

Part of solution pack

EXAMPLE: AIRPORT OPERATIONS CENTRE

At the heart of the Airport Operations Centre (APOC) is Collaborative Decision Making (CDM) and the Airport Operations Plan (AOP).

Considerations for a security risk assessment Non-availability or violating integrity of data can disrupt

operations

Third-party data sources at times are unauthenticated and transmitted on insecure networks

Services can be outsourced but cyber risk cannot: the end-points of connections need to be trusted.

Objectives of the study Apply the SESAR security risk assessment methodology

Asses attack scenarios

Identify technical controls to counter the attack

Translate into generic security guidance for airports

EXAMPLE: ATTACK SCENARIOS AT THE APOC

Distributed Denial of Service attack on the Airport's internet connection A group of attackers blackmail airport or airline into paying a

ransom by threatening them with a volumetric distributed denial of service attack (DDoS)

Deep and Slow infiltration to steal data A group of highly motivated and skilled cybercriminals wants to

infiltrate an airport network in order to steal economically sensitive data, destroying the systems afterwards to clear their tracks.

Major integrity loss A group disrupts an airport by sending incorrect flight

information using a SITA connection

Blended attack A group of hackers starts a blended attack that consists of

several attacks with one being obvious, intended to divert attention, and a main attack intended to be conducted in such a way as to remain undetected.

Low Level Attack on APOC ICS/SCADA infrastructure Spoofing of firmware for Programmable Logic Controllers,

changing their behavior. Potential impact on heating, power, water, airco, security cameras, doors, voltage relays, etc.

EXAMPLE: SECURITY CONTROLS FOR THE APOC

Intrusion prevention/detection

Logging

Audit capabilities

Device and service authentication

Data validation tools

Data diodes

Network zoning

Network separation

Alternate paths for critical processes

Graceful degradation of critical systems

Link with ATM Architecture

Alternate paths

Independent functional duplication for critical processes

Modular system architecture

Clear separation between system functions

Simple systems architecture

Limited exceptions and adjustments

Foresight

Robustness

Resourcefulness

Redundancy

Rapid recovery

Adaptability

Work in progress in SESAR 2020

CONCLUSIONS

The SESAR programme develops, validates and delivers securable solutions, by applying a security risk assessment methodology

Research is ongoing within SESAR to strengthen the translation of operational cyber resilience requirements into tangible security controls for ATM

Cybersecurity is an aviation wide topic not just an ATM one: the cybersecurity approach developed in SESAR must fit in a wider roadmap towards fully secured aviation

And…

…TOUGH NUTS STILL TO CRACK

What is more secure: old and obscure technologies or modern and open technologies?

Should CNS be encrypted and how to secure existing non-encrypted CNS ?

Technology is evolving faster & faster – how to ensure that our design is “future proof”?

Avoiding tailor made approaches for aviation and opening up to new ideas from other critical infrastructures such as banking (e.g. blockchain …)

Is security so different than safety and can we aim at a Safety and Security Management System?

How to establish trust in a global environment?

Do we need a global watch for security in aviation?

Further information

http://www.sesarju.eu/newsroom/all-news/study-calls-eu-wide-response-atm-cyber-security

http://www.sesarju.eu/newsroom/all-news/new-study-reports-cyber-security-sesar%E2%80%99s-airport-operations-centre

SESAR Joint Undertaking Avenue de Cortenbergh 100 B-1000 Bruxelles Belgium more info on: www.sesarju.eu

Thank you very much for your attention!

Security by design