TRANSCRIPT
Federal Aviation Administration
End-to-End Cryptographic Link Security Overview for UAS Operations in the NAS
MILCOM 2015
Stephen Van Trees, FAA Aircraft Certification Service
08/26/2014
October 26, 2015
Outline
• RTCA committee developing standards for UAS
• Security aspects of the draft Terrestrial Control and Non-Payload Communications (CNPC) Technical Standard Order (TSO) within that work
RTCA SC-228 Mission and Approach
• Develop Minimum Operational Performance Standards (MOPS)
– Detect and Avoid (DAA)
– Command and Control (C2)
• Two-Phase Approach
Phase One
– DAA – Operations to/from Class A airspace traversing other classes of airspace
– C2 – Terrestrial* only for L & C Bands
Phase Two
– DAA – Extended operations in all airspace classes
– C2 – SATCOM (multiple bands)
* Potentially 1) direct Line of Sight UA to control station, 2) terrestrial based cellular network, 3) both
DAA Final MOPS Step 3
• Phase One MOPS
– Specify and validate UAS DAA Equipment performance requirements for civil UAS operating IFR in Class A airspace and transitioning through Class D, E, and perhaps G airspace.
– Assumes rulemaking will be in place that supports DAA operations.
– DAA WG may offer a safety case for UAS operation.
• Phase Two MOPS
– Will consider extended UAS operation in Class D, G, and E airspace.
– Ground taxiing by UAS will not be addressed.
Operating Environment (figure text)
– Class D Airspace: 5 nautical miles from airport, surface to 2500 ft Above Ground Level. ATC provides separation from IFR traffic and obstacle clearance. DAA provides separation from VFR traffic and collision avoidance from all aircraft. Transit time: 2 minutes.
– Class E/G Airspace: departing Class D to FL180. ATC provides separation from IFR traffic. DAA provides separation from VFR traffic and collision avoidance from all aircraft. Transit time: 20 min.
– Class A Airspace: ATC provides separation from all traffic. DAA provides collision avoidance from all aircraft.
Terrestrial CNPC MOPS Step 3
• Determine and document
– Frequency allocation scheme that is adequate to support anticipated system capacity and performance
– Physical layer waveform requirements
– Network waveform requirements
– Upper level services that need to be co-located in the C2 LRU
– External interfaces
• Write performance verification
Security Requirements
• End-to-End Security Goals
• Use of Government Standards
• Goals of FIPS standards
• SC-228 Challenges for Mandating Security – TSO Solution
• Overview and Applicability of Security TSO Requirements
• FAA Action
End-to-End Security Goals
• Based on government determination of threats to civil UAS Command and Control
– Threats are not isolated to the ‘C2 Link’ and SC-228
– SC-228 does, however, have a role in threat countermeasures
• End-to-End security needs to be part of an overall Defense in Depth strategy
• Longevity of Security Controls – Overall Risk Management
• End-to-End: these controls are implemented onboard the UAS and at the ‘Control Source’ (nowhere in the middle)
‘End-to-End’ Illustrated
Why Use Government Standards?
• NIST/FIPS security standards and risk management are an excellent starting point for UAS C2 link security
– Leverage lessons learned from industry
• 5 Pillars of Information Assurance (IA)
– Confidentiality, Integrity, Availability, Authentication and Non-Repudiation
– All apply to civil UAS Command and Control
Government FIPS Crypto – High Level Goals/Controls
• Cryptographic modules vs. algorithms
• Secure generation, establishment, distribution, protection and destruction of key material
• Protection of Critical Security Parameters
• Physical security – enclosures, tampering, etc.
• Operational environment - OS
• Operator/host authentication
• Integrity, Confidentiality, Non-repudiation and Authentication primitives
• Self Tests
• Overall Assurance
SC-228 Challenge/Solution to Crypto Integration
• A one-size-fits-all equipment strategy is not recommended
– End-to-end crypto is not necessarily confined to the C2 Radio; it may be in back-end applications, network encryptors, etc. The SC-228 MOPS cannot be the source of end-to-end security requirements
– No opportunity for equipment vendors to differentiate themselves based on aircraft types, use cases, environments, etc.
• Instead, equipment vendors (radio or otherwise) will reference and/or derive the requirements from a Security Technical Standard Order (TSO)
• SC-228 MOPS:
– The draft Terrestrial CNPC TSO invokes the MOPS, including the end-to-end and control plane security requirements. FIPS 140-2 validated cryptographic module algorithms are the acceptable means of compliance to meet those requirements.
Topics Addressed in UAS Link Security TSO
• Allowed cryptographic algorithms & strengths
– Key sizes
– Algorithm modes
– Sunset dates
• Confidentiality, integrity and entity authentication controls for end-to-end link security
• Data origin authentication (per message/frame) & strength
• Implementation flexibility for developers
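To make the per-message data origin authentication and end-to-end placement of controls concrete, here is an added illustration (not code from the FAA, RTCA SC-228 or the draft TSO): the control source appends an HMAC-SHA256 tag and a sequence number to each C2 frame, and the UAS verifies both, so a relay between them can forward frames but cannot forge, modify or replay them. The frame layout, the 16-byte tag truncation and the sample key are assumptions for the example; Python's hmac/hashlib is not a FIPS 140-2 validated module, so this shows the control, not a compliant implementation.

```python
import hmac
import hashlib
import struct

TAG_LEN = 16                 # truncated HMAC tag, bytes (illustrative choice)
HDR = struct.Struct(">Q")    # 64-bit frame sequence number, big-endian


def protect_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Control source side: seq || payload || HMAC-SHA256(seq || payload)."""
    header = HDR.pack(seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """UAS side: verifies data origin/integrity and rejects replayed frames."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes):
        """Return the authenticated payload, or None if the frame is rejected."""
        if len(frame) < HDR.size + TAG_LEN:
            return None
        header, body = frame[:HDR.size], frame[HDR.size:-TAG_LEN]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(frame[-TAG_LEN:], expected):  # constant time
            return None
        (seq,) = HDR.unpack(header)
        if seq <= self.last_seq:      # replay or out-of-order frame
            return None
        self.last_seq = seq
        return body


def demo():
    """Constructed scenario: honest relay, replay, and in-path tampering."""
    key = b"\x11" * 32            # constructed sample key, not a real one
    rx = Receiver(key)
    frame = protect_frame(key, 1, b"CMD:HEADING=270")
    accepted = rx.accept(frame)         # relay forwarded bytes unchanged
    replayed = rx.accept(frame)         # same frame again: rejected
    tampered = bytearray(frame)
    tampered[HDR.size] ^= 0x01          # relay flips a payload byte: MAC fails
    modified = rx.accept(bytes(tampered))
    return accepted, replayed, modified
```

The sequence number only defends against replay of frames the receiver has already seen; key lifetimes, distribution and rollover are the separate key-management topics the slide lists.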
Topics Addressed in UAS Link Security TSO (continued)
• Mandates use of FIPS 140-2 validated cryptographic modules (uplink and downlink end-to-end security) with specific profile and secure UAS system integration
• Integration of crypto devices into radio or system host, airframe
• FIPS 140-2 overall security level identified – Level 1 Overall, with Level 2 physical security augmentation
– Level 2 physical security (tamper evidence controls) mandated
• Management of cryptographic keys – Best Practices – Lifetimes, generation, distribution and source
• Software/Firmware updates (Field-loadable protections)
• Vendor Evidence, documentation, policy integration (i.e., inputs to aircraft cert.)
Assurance Level Based Requirements?
• Layered security levels (based on UAS type/size or airspace participation) are possible
– Potentially tailor all proposed security requirements for class of service and/or size of UAS (or its operations in types of controlled airspace)
• This is under work by the UAS Integration Office
– Means to protect ephemeral UAS data
SC-228 Review of Security Requirements
• FAA has jurisdiction to regulate civil aircraft security controls
• Comments and suggestions are welcome; however, the full rationale for the requirements is sensitive, so there is no public discussion
• MOPS to be published in July 2016
• TSO with security requirements to be published in October 2016
Questions?
• Stephen Van Trees
• FAA/AIR-132
• (202) 267-8546