Federal Aviation Administration

End-to-End Cryptographic Link Security Overview for UAS Operations in the NAS

Presented to: MILCOM 2015

By: Stephen Van Trees, FAA Aircraft Certification Service

Date: 08/26/2014

MILCOM 2015

October 26, 2015

Outline

• RTCA committee developing standards for UAS

• Security aspects of draft Terrestrial Control and Non-Payload (CNPC) Technical Standard Order (TSO) within that work

RTCA SC-228 Mission and Approach

• Develop Minimum Operational Performance Standards (MOPS)

• Detect and Avoid (DAA)

• Command and Control (C2)

• Two-Phase Approach

Phase One

• DAA – Operations to/from Class A airspace traversing other classes of airspace

• C2 – Terrestrial* only for L & C Bands

Phase Two

• DAA – Extended operations in all airspace classes

• C2 – SATCOM (multiple bands)

* (Potentially: 1) direct Line of Sight, UA to control station; 2) terrestrial-based cellular network; 3) both)

DAA Final MOPS Step 3

• Phase One MOPS

– Specify and validate UAS DAA Equipment performance requirements for civil UAS operating IFR in Class A airspace and transitioning through Class D, E, and perhaps G airspace.

– Assumes rulemaking will be in place that supports DAA operations.

– DAA WG may offer a safety case for UAS operation.

• Phase Two MOPS

– Will consider extended UAS operation in Class D, G, and E airspace.

– Ground taxiing by UAS will not be addressed.

Operating Environment

Class D Airspace: 5 nautical miles from Airport, Surface to 2500 Above Ground Level. ATC provides separation from IFR traffic and obstacle clearance. DAA provides separation from VFR traffic and collision avoidance from all aircraft. Transit Time: 2 minutes

Class E/G Airspace: Departing Class D to FL180. ATC provides separation from IFR traffic. DAA provides separation from VFR traffic and collision avoidance from all aircraft. Transit Time: 20 min

Class A Airspace: ATC provides separation from all traffic. DAA provides collision avoidance from all aircraft.

Terrestrial CNPC MOPS Step 3

• Determine and document

– Frequency allocation scheme that is adequate to support anticipated system capacity and performance

– Physical layer waveform requirements

– Network waveform requirements

– Upper level services that need to be co-located in the C2 LRU

– External interfaces

• Write performance verification

Security Requirements

• End-to-End Security Goals

• Use of Government Standards

• Goals of FIPS standards

• SC-228 Challenges for Mandating Security – TSO Solution

• Overview and Applicability of Security TSO Requirements

• FAA Action

End-to-End Security Goals

• Based on government determination of threats to civil UAS Command and Control

– Threats not isolated to ‘C2 Link’ and SC-228

– SC-228 has a role in threat countermeasures, however

• End-to-End security needs to be part of an overall Defense in Depth strategy

• Longevity of Security Controls – Overall Risk Management

• End-to-End: These controls are implemented onboard the UAS and at the ‘Control Source’ (nowhere in the middle)

‘End-to-End’ Illustrated

Why Use Government Standards?

• NIST/FIPS security standards and risk management are an excellent starting point for UAS C2 link security

– Leverage lessons learned from industry

• 5 Pillars of Information Assurance (IA)

– Confidentiality, Integrity, Availability, Authentication and Non-Repudiation

– All apply to civil UAS Command and Control

Government FIPS Crypto – High Level Goals/Controls

• Cryptographic modules vs. algorithms

• Secure generation, establishment, distribution, protection and destruction of key material

• Protection of Critical Security Parameters

• Physical security – enclosures, tampering, etc.

• Operational environment – OS

• Operator/host authentication

• Integrity, Confidentiality, Non-repudiation and Authentication primitives

• Self Tests

• Overall Assurance

SC-228 Challenge/Solution to Crypto Integration

• A one-size-fits-all equipment strategy is not recommended

– End-to-end crypto is not necessarily confined to the C2 Radio. It may be in back-end applications, network encryptors, etc. SC-228 MOPS cannot be the source of end-to-end security requirements

– No opportunity for equipment vendors to differentiate themselves based on aircraft types, use cases, environments, etc.

• Instead, equipment vendors (radio or otherwise) will reference and/or derive the requirements from a Security Technical Standard Order (TSO)

• SC-228 MOPS:

– The draft Terrestrial CNPC TSO invokes the MOPS including the end-to-end and control plane security requirements. The FIPS 140-2 validated cryptographic module algorithms are the acceptable means of compliance to meet those requirements.

Topics Addressed in UAS Link Security TSO

• Allowed cryptographic algorithms & strengths

– Key sizes

– Algorithm modes

– Sunset dates

• Confidentiality, integrity and entity authentication controls for end-to-end link security

• Data origin authentication (per message/frame) & strength

• Implementation flexibility for developers

Topics Addressed in UAS Link Security TSO (continued)

• Mandates use of FIPS 140-2 validated cryptographic modules (uplink and downlink end-to-end security) with specific profile and secure UAS system integration

• Integration of crypto devices into radio or system host, airframe

• FIPS 140-2 overall security level identified

– Level 1 Overall, with Level 2 physical security augmentation

– Level 2 physical security (tamper evidence controls) mandated

• Management of cryptographic keys – Best Practices

– Lifetimes, generation, distribution and source

• Software/Firmware updates (Field-loadable protections)

• Vendor Evidence, documentation, policy integration (i.e., inputs to aircraft cert.)

Assurance Level Based Requirements?

• Layered security levels (based on UAS type/size or airspace participation) are possible

– Potentially tailor all proposed security requirements for class of service and/or size of UAS (or its operations in types of controlled airspace)

• This is under work by UAS Integration Office

– Means to protect ephemeral UAS data

SC-228 Review of Security Requirements

• FAA has jurisdiction to regulate civil aircraft security controls

• Comments, suggestions welcome, however full rationale for the requirements is sensitive; no public discussion

• MOPS to be published in July 2016

• TSO with security requirements to be published in October 2016

Questions?

• Stephen Van Trees

• FAA/AIR-132

• (202) 267-8546