Monday, November 13, 2017

Defense in Depth

Defense-in-Depth is a security concept that applies successive barriers to unauthorized access.  Aeronautical communication includes a Commercial-off-the-Shelf (COTS) layer, a Network layer, and an Application layer.

Applications that communicate with an airplane each demand different levels of connectivity.  Priority used for precedence (queue management) is coupled with some form or performance measure (time, bandwidth, interactive, streaming, etc...) to both provision and manage communication resources in real-time.  These methods are broadly abstracted as Quality of Service (QoS).

Aircraft present significant complexity in communicating, both securely and reliably.  Mobility is always a challenge.  Inflight service mandates a wireless radio network, which creates additional burdens.

Operating with a single logical channel is a significant factor with broadband radio networks.. Effectively, all communication is sent in a serial manner.  The size of the radio channel, e.g. 10-500 Mbps, provides for sharing the channel with many terminals, with each application.

Every radio network applies proprietary methods to optimize throughput and to minimize delay or dropped packets. VLAN is a common link-layer means used for managing a combination of multiple routes, where each route has a unique QoS.  Methods other than VLAN may be applied (e.g. PDP context) to distribute traffic flows across a single channel.

Communication Service Providers (CSP) are abstracted in this model.  CSPs may include public networks (e.g. Cellular) or private networks (e.g. Satcom).  Every CSP provides a level of capability that is unique from other CSPs, yet all profess a commitment to authentication (e.g. SIM card), access approval, accounting, data integrity, security from unauthorized access, performance and coverage service level agreements, etc...

Enterprises are abstracted as the host of any connected Application on the ground.  Enterprises may be airlines, data link service providers, content providers, financial transaction processors, air-navigation service providers, etc...

SAE/ITC AEEC ARINC Project Paper 848 (PP848) Media Independent Secure Offboard Network (MISON) specifies a Virtual Private Network (VPN) that is used as a means for assuring strong authentication, data integrity, and data confidentiality; while ensuring Application-based QoS is utilized effectively at each Link Layer.

The COTS layer is abstracted to include all the networking components necessary to provide an Internet gateway to both the MISON Onboard Instance and the MISON Enterprise Instance. The Onboard Instance includes a Network Address Translation (NAT) layer.  The CSP and Enterprise each provide best-practice firewall when interconnecting to the Internet.

The MISON Onboard Instance establishes a gateway to gateway VPN (MISON Channel) with the MISON Enterprise Instance. The MISON Channel provides for connecting subnetworks.

The Onboard and Enterprise Routers work with their connected Applications Host End-Systems to convey data marked with QoS in order to connect to the correct MISON channel.  Unsolicited Application traffic can flow bidirectionally once a MISON Channel is established.

Various methods for securing the COTS layer are applied as capable, but these methods are proprietary and confidential.  Furthermore, these means are distributed, whereby each link may represent unconstrained exposure.

MISON is applied to secure the network layer.   MISON filters out all unauthorized packets. VLAN may be applied to enforce QoS, and also affords benefits within the Onboard and Enterprise LAN.

Securing Application data is the final barrier.  Applications are burdened with a design assurance level that is commensurate with their functional hazards.  As such, Applications must take it upon themselves to ensure any data received originates from an approved source, and that any data has not been corrupted to some degree of confidence.

PP848 presents a concept for Defense-in-Depth that involves a COTS layer, a network layer, and an Application layer.  PP848 specifies only the MISON to secure the network layer.  PP848 embraces open-standards, especially to ensure compatibility with Enterprise IT facilities.

MISON are applied within a single ARINC 664 Ethernet domain. Additional measures are necessary to combine traffic from multiple domains into a single radio channel.

While PP848 architecture and MISON channel specification are useful, cybersecurity involves the full participation of every layer, in both design and in managing each layer in real-time, responding against malicious attacks, and by participating in a community to enhance awareness.

Stay tuned!

Peter Lemme

peter @
Follow me on twitter: @Satcom_Guru
Copyright 2017 All Rights Reserved

Peter Lemme has been a leader in avionics engineering for 35 years. He offers independent consulting services largely focused on avionics and L, Ku, and Ka band satellite communications to aircraft. Peter chairs the SAE-ITC AEEC Ku/Ka-band satcom subcommittee, developing ARINC 791 and 792 characteristics and contributes to the Network Infrastructure and Interfaces (NIS) subcommittee developing Project Paper 848, standard for Media Independent Secure Offboard Network.

Peter was Boeing avionics supervisor for 767 and 747-400 data link recording, data link reporting, and satellite communications. He was an FAA designated engineering representative (DER) for ACARS, satellite communications, DFDAU, DFDR, ACMS and printers. Peter was lead engineer for Thrust Management System (757, 767, 747-400), also supervisor for satellite communications for 777, and was manager of terminal-area projects (GLS, MLS, enhanced vision).

An instrument-rated private pilot, single engine land and sea, Peter has enjoyed perspectives from both operating and designing airplanes. Hundreds of hours of flight test analysis and thousands of hours in simulators have given him an appreciation for the many aspects that drive aviation; whether tandem complexity, policy, human, or technical; and the difficulties and challenges to achieving success.

No comments:

Post a Comment