The Federal Aviation Administration (FAA) is responsible for overseeing the US National Airspace System, which comprises ATC systems, procedures, facilities, and aircraft, and the people who operate them. The FAA is implementing the Next Generation Air Transportation System (NextGen) to move the current radar-based air-traffic control (ATC) system to one based on satellite navigation and automation. It is essential that the FAA ensures effective information-security controls are incorporated in the design of NextGen programs to protect them from threats. This talk discusses the threats the FAA faces and the cyber security controls it has adopted in implementing the NextGen Air Transportation System.
Flight Information and Alerting Service: application; scope; means of transmission; special air-reports AIRMET / SIGMET; transmission of volcanic information
As the aviation community continues to implement Next Generation Air Transportation System (NextGen) initiatives, operators want to know what the initiatives are and how they affect individual operators. The question always comes down to value: If I upgrade my aircraft, what will I get for the often substantial investment?
Datalink services are available in most of the world’s oceanic routes and in some domestic airspace, as well. The services provide invaluable support at transfer points where aircraft enter or exit domestic airspace and enter oceanic. The enhanced communication abilities aid the ATC on both sides of tracks and particularly when a controller at one center hands off an aircraft to another ATC center because with a FANS-equipped aircraft, the handoff occurs seamlessly behind the scenes.
Along the routes that have not yet been mandated for FANS, the flight crew has to call an ATC and give verbal updates as to their whereabouts with no support from ground surveillance. This lack of accurate position data is a problem because if an ATC doesn’t know exactly where an aircraft is, the ATC has to maintain greater distance between aircraft. With FANS, an ATC can track aircraft along the entire route and safely and efficiently track and accommodate more aircraft in the airspace. The majority of these enhanced services are available to FANS 1/A-equipped aircraft. Ground facilities around the world are upgrading to FANS work stations.
Which datalink service a particular operator selects depends entirely on what equipment is available for the type of aircraft.
FLY SAFE!!!!
A simple Presentation on Basic Avionics. It will help students to learn and understand Avionics faster.
Doubtlessly, It will make Avionics Easier.
Presented By.
KADER MOHAMMAD ABDUL,
B.E., Aeronautical Engineer ( Aircraft Manufacturing)
https://www.linkedin.com/in/akaderneon/
This presentation is about the Fly-By-Wire technology adopted in aircraft systems for greater maneuverability. The mechanical and electronic aspects of this technology are briefed in this presentation.
In 1994, the University of Texas Human Research Project and Delta Airline developed the Line Operations Safety Audit (LOSA) program. With time, the LOSA program evolved into what is now known as Threat and Error Management (TEM).
The TEM framework is an applied concept which emerged from the observations and surveys of actual flight operations. It considers the various issues that a flight crew may encounter as a result of internal and external factors.
This model explores the contributing factors of the threat to aviation safety and, in turn, allows for the unearthing of ways to mitigate them and maintain proper safety margins. Now recognized and adopted across continents, the TEM framework aims to educate flight personnel on managing threats and errors before they degenerate into serious incidents or accidents. It is important to note that TEM is also applicable to maintenance operations, cabin crew, and air traffic control.
Term Paper Submitted in partial fulfillment of the requirements for the award of the degree of Bachelor of Technology In Aerospace Engineering.
AMITY UNIVERSITY DUBAI
Welcome to the SMS Fundamentals presentation.
The core processes, elements and components that comprise a functional and robust Safety Management System will be explained.
These lessons will provide you a general understanding of the principles of a Safety Management System (SMS). Also it will provide you an understanding of the components, elements, and core processes that comprise a functional SMS.
Each organization must determine their safety needs and scale their SMS to meet those needs.
Cybersecurity - Dominic Nessi, Former CIO, Los Angeles World Airports - SITA
In the digital age of air transport – with its ever-more connected industry operations, passengers and aircraft – air transport faces a constant threat of cyber attacks, both on the critical infrastructure that keeps the wheels of air travel in motion, and on passenger data. The spotlight on threat intelligence, identity protection, data privacy and security in air transport has never been more intense. As we navigate deepening ‘lakes’ of data to become smarter at every step, how do we protect our operations and passengers, ensuring the utmost security and resilience across the air transport community?
Remote hacking a car
Presentation by Oren Elimelech @ ICT 19th August 2015
Inspired by: Remote Exploitation of an Unaltered Passenger Vehicle, by: Dr. Charlie Miller & Chris Valasek - Black Hat USA August 2015
Speech by President Squillace at the event "Safety e Security negli impianti automatizzati" for the presentation of the AI - Award 2016 (cf. http://www.automazioneindustriale.com/convegno-safety-e-security-negli-impianti-automatizzati-milano-29-novembre-2016/ )
Ahead of the time, the mandate of a Strategist... Back in 2015 I published this feature to highlight the absolute necessity to develop an industry-wide aviation cyber security strategy to support the airline industry in addressing this ever-evolving threat.
Publication in Aviation Business Middle East January 2016
(http://edition.pagesuite-professional.co.uk//launch.aspx?eid=8a766d68-5eb0-4f45-9c10-7c9fd9837d96)
SCADA stands for Supervisory Control And Data Acquisition. A SCADA software system is a device monitoring and controlling framework. Supervisory control includes taking action and exercising control from remote locations over various control mechanisms and processes. The front-end UI of a mobile app or web dashboard, along with the backend business logic, database and a gateway (as depicted in the above block diagram), makes up a SCADA solution for control and monitoring of devices in an IoT network.
https://www.embitel.com/blog/embedded-blog/what-is-scada-system-and-software-solution
Cyber Security in the market place: HP CTO Day - Symantec
Cyber Security in the market place overview presented at HP CTO Day, covering the current cyber-security threats to Enterprise Businesses and Government Departments, along with the board-level concerns and priorities for investment in systems and services to protect and secure their information.
globalaviationaerospace.com
Key Business and Technology Trends in Aerospace and Defense
Pricing pressures and government regulations affect R&D
Demand for product innovation and modernization grows
Cybersecurity threats and costs rise
Skills shortage continues
Economics Of Networks - Rod Beckstrom, National Cybersecurity Center, Departm... - RodBeckstrom
These slides present a new universal economic model for valuing any network. This newer model is in effect a transactions, value added based model for network valuation.
Please note that Slideshare has distorted the economic green lines so they are no longer tangent to the optimal solutions lines. To be fixed..
Subthemes: Economics of Networks
Risk management for Security
Risk management for Cybersecurity (cyber security)
Metcalfe's Law
Reed's Law
Beckstrom's Law of Networks
This presentation introduces readers to airline industry's two most common networks. It also compares the features of the two and highlights scenarios when one may be more profitable than the other.
CyberSecurity, Mona Al Achkar Jabbour, UNOOSA, ICAO, Civil Aviation, Cyber Defense, Cyber safety, Cyber Peace, Cyber crime, Pan Arab Observatory for Cyber Security, Lebanese Information Technology Association
Will Today’s Cybersecurity Guidelines and Standards Become Mandates for Conne... - TJR Global
Asked during the webinar how the avionics industry has thus far embraced airworthiness cybersecurity standards in RTCA DO-326A, 355 and 356, Alex Wilson, the director of aerospace and defense at Wind River, said that cybersecurity standards "have been adopted slowly, but I think we’ll see a more rapid adoption throughout this year and the coming year.”
Database management for Secured operation of Aircraft by Bikram Kumar Sinha, ... - Bikram Kumar Sinha
Database Management for Secured operation of Aircraft
- Communication standards
- System model of E-enabled Aircrafts
- Avionics integration with wireless technologies
- System and Trust Speculations
- Aircraft Security Standards
- Threats of Security
- Requirements for Security
- Threats which can be mitigated
- Related System Constraints
- Addressing Vulnerabilities of WSN
- Addressing Vulnerabilities in EDS
- Major Challenges in Wireless-Enabled AHM
- Challenges in E-enabled Airplane Security
Navigating the Skies: Challenges and Opportunities in Air Traffic Management - ILAM INDIA
In the dynamic world of aviation, the efficient management of air traffic is crucial to ensure safety, reduce delays, and optimize the use of airspace. As technology advances and air travel continues to grow, the aviation industry faces both challenges and opportunities in the realm of Air Traffic Management (ATM). In this blog, we will explore the key issues and potential advancements shaping the future of ATM.
AVSS & The Institute for Drone Technology™ joint report government regulation... - Paul New
Drones will fail. Drones will crash. Drones will hit humans. Drones will “fly-away”. Birds will interfere with drones. Drones will be lost. Pilots and software will make errors.
This is the drone reality.
However, regardless of the potential risk factors involved with their operation, drones do provide citizens, businesses, industries, and governments with tremendous value.
Furthermore, in many cases, drones provide a safer alternative to traditional manned aircraft applications or civilian labour such as in oil and gas and mining inspection services.
Therefore, AVSS and The Institute for Drone Technology believe the challenge of the emerging drone technologies is not to detect, exclude, or avoid the use of drones, but to determine how we can safely utilize this growing and beneficial technology.
Aircraft safety systems are a major concern today and the aviation industry is working hard on technologies that will help improve flight safety. Read this Aranca report to know more.
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources - OWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://youtu.be/BQWcUjzxJE0
Have you been wondering about how to start in mobile application security, more specifically iOS/Android application security? In this talk, I will try to answer some of the most common questions about getting started in mobile application security testing. Starting from what platform to choose, where to learn, good resources, hardware requirements etc etc. Will also demo you about Mobexler - A Mobile Application Penetration Testing Platform and how you can use it for pentesting of iOS as well as android apps. This talk will be a mix of some demo, and some knowledge.
Securing dns records from subdomain takeover - OWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://www.youtube.com/watch?v=C0LQJTXFosI
The speaker will be speaking upon the following abstract -
Basics of DNS records
Introduction to DNS record takeovers
Different types of DNS takeovers
Its impact
How to protect DNS records from takeover
Demo
Q&A
This talk will be for product security folks/ people on defending side. The speaker will also be covering the concept behind subdomain takeovers and its impact.
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 31st May.
Watch the webinar here - https://www.youtube.com/watch?v=22Hccp-7UDU
A person's assessment/ investigation is only as good as the report that supports it.
A good quality or effective report is a presentation of you as an assessor, analyst, or consultant.
The speaker discusses here the important points to keep in mind while preparing a Cyber Security Report. A must know webinar for all - freshers, professionals, bug bounty hunters and the C- level entities.
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 24th May.
Watch the webinar here - https://www.youtube.com/watch?v=jmzfdw-UYC0
An air gapped environment is described as “computer or network that has no network interfaces, either wired or wireless, connected to outside network.” In this case, side channels and proximity are leveraged to eavesdrop air gapped systems. A case study showing practical use case of sniffing is also discussed.
Link to the Webinar - https://youtu.be/jmzfdw-UYC0
Combined (NullDelhi + OWASPDelhi) Webinar on UDP Hunter by Savan Gadhiya on 10th May, 2020.
For the full video, please visit - https://www.youtube.com/watch?v=yLEL5XrzFyE
The speaker discussed the docker attack surface. Furthermore, he demonstrated how an attacker can escape the docker container and gain access to the host machine.
Companies and organizations have been following many traditional strategies for deploying a WAF (web application firewall) in their infrastructure, where most of the work is done manually. Every ACL, every rule entry, every signature, and every other configuration was created and managed by hand. This approach can introduce various flaws: a wrong ACL, an accidental misconfiguration, a bad signature, and so on. The good news is that thanks to the DevOps Rebel Alliance, we now have a better way to do things: Infrastructure-as-Code (IAC).
Instead of clicking around a web UI or manually executing commands and setting up rules and configuration, the idea behind IAC is to write code to define, provision, and manage your WAF. You can validate each WAF change through code reviews and automated tests, and you can create or use a library of reusable, documented, battle-tested code that makes it easier to scale and evolve your WAF. In this talk by Avinash Jain, we will take a quick look at the what, how and why of "Automating AWS WAF using Terraform".
Discussion on traditional threat intelligence model, explore advanced approaches to reduce manual intervention and convert it into actionable threat intelligence.
Slides of the talk delivered by Chandra Ballabh in the August, 2019 Meetup of Combined OWASP Delhi and nullDelhi at Thoughtworks, Delhi
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
Pentesting Rest API's by :- Gaurang Bhatnagar - OWASP Delhi
Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
Wireless security beyond password cracking by Mohit Ranjan - OWASP Delhi
Network attacks in wired Lan environments
Protection in wired Lan
Layout of modern networks ( wired + wireless )
Difference between wired and wireless security
Most powerful situation to acquire in any network
Wireless attacks
Why NTP ?
Captive portal attacks
Conclusion and some wild thoughts
For complete data to perform this attack please go to the Github link below:
https://github.com/mohitrajain/Wireless_security_beyond_password_cracking
IETF's Role and Mandate in Internet Governance by Mohit Batra - OWASP Delhi
1. Internet Governance (IG) Primer
2. I-* Organizations
3. IANA function -Names, Numbers and Protocol Parameters
4. IANA Transition
5. WHOIS for names and numbers
6. Need for Standardization and Standardization Bodies
7. How IETF Works
8. TLS Protocol
9. Increasing Indian participation in global Internet Governance activities and structures
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra - OWASP Delhi
Agenda
Hypervisor : what, how and why?
Hypervisor in linux
Capsule course on hypervisor (Intel VT-x, AMD - V, KVM)
Spawning a bare-bone VM
Injection code in VM
I/O Between Host and Guest
Converting C Code to Shellcode
Sachpazis: Terzaghi Bearing Capacity Estimation in simple terms with Calculati... - Dr.Costas Sachpazis
Terzaghi's soil bearing capacity theory, developed by Karl Terzaghi, is a fundamental principle in geotechnical engineering used to determine the bearing capacity of shallow foundations. This theory provides a method to calculate the ultimate bearing capacity of soil, which is the maximum load per unit area that the soil can support without undergoing shear failure. The Calculation HTML Code included.
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf - fxintegritypublishin
Advancements in technology unveil a myriad of electrical and electronic breakthroughs geared towards efficiently harnessing limited resources to meet human energy demands. The optimization of hybrid solar PV panels and pumped hydro energy supply systems plays a pivotal role in utilizing natural resources effectively. This initiative not only benefits humanity but also fosters environmental sustainability. The study investigated the design optimization of these hybrid systems, focusing on understanding solar radiation patterns, identifying geographical influences on solar radiation, formulating a mathematical model for system optimization, and determining the optimal configuration of PV panels and pumped hydro storage. Through a comparative analysis approach and eight weeks of data collection, the study addressed key research questions related to solar radiation patterns and optimal system design. The findings highlighted regions with heightened solar radiation levels, showcasing substantial potential for power generation and emphasizing the system's efficiency. Optimizing system design significantly boosted power generation, promoted renewable energy utilization, and enhanced energy storage capacity. The study underscored the benefits of optimizing hybrid solar PV panels and pumped hydro energy supply systems for sustainable energy usage. Optimizing the design of solar PV panels and pumped hydro energy supply systems as examined across diverse climatic conditions in a developing country, not only enhances power generation but also improves the integration of renewable energy sources and boosts energy storage capacities, particularly beneficial for less economically prosperous regions. Additionally, the study provides valuable insights for advancing energy research in economically viable areas. 
Recommendations included conducting site-specific assessments, utilizing advanced modeling tools, implementing regular maintenance protocols, and enhancing communication among system components.
Final project report on grocery store management system..pdf - Kamal Acharya
In today’s fast-changing business environment, it’s extremely important to be able to respond to client needs in the most effective and timely manner. If your customers wish to see your business online and have instant access to your products or services.
Online Grocery Store is an e-commerce website which retails various grocery products. This project allows users to view the various products available and enables registered users to purchase desired products instantly using the Paytm or UPI payment processor (Instant Pay), or to place an order using the Cash on Delivery (Pay Later) option. This project provides easy access for Administrators and Managers to view orders placed using the Pay Later and Instant Pay options.
In order to develop an e-commerce website, a number of Technologies must be studied and understood. These include multi-tiered architecture, server and client-side scripting techniques, implementation technologies, programming language (such as PHP, HTML, CSS, JavaScript) and MySQL relational databases. This is a project with the objective to develop a basic website where a consumer is provided with a shopping cart website and also to know about the technologies used to develop such a website.
This document will discuss each of the underlying technologies to create and implement an e- commerce website.
Water scarcity is the lack of fresh water resources to meet the standard water demand. There are two types of water scarcity. One is physical. The other is economic water scarcity.
Student information management system project report ii.pdf - Kamal Acharya
Our project explains about the student management. This project mainly explains the various actions related to student details. This project shows some ease in adding, editing and deleting the student details. It also provides a less time consuming process for viewing, adding, editing and deleting the marks of the students.
About
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
• Remote control: Parallel or serial interface.
• Compatible with MAFI CCR system.
• Compatible with IDM8000 CCR.
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
• Easy in configuration using DIP switches.
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx - R&R Consult
CFD analysis is incredibly effective at solving mysteries and improving the performance of complex systems!
Here's a great example: At a large natural gas-fired power plant, where they use waste heat to generate steam and energy, they were puzzled that their boiler wasn't producing as much steam as expected.
R&R and Tetra Engineering Group Inc. were asked to solve the issue with reduced steam production.
An inspection had shown that a significant amount of hot flue gas was bypassing the boiler tubes, where the heat was supposed to be transferred.
R&R Consult conducted a CFD analysis, which revealed that 6.3% of the flue gas was bypassing the boiler tubes without transferring heat. The analysis also showed that the flue gas was instead being directed along the sides of the boiler and between the modules that were supposed to capture the heat. This was the cause of the reduced performance.
Based on our results, Tetra Engineering installed covering plates to reduce the bypass flow. This improved the boiler's performance and increased electricity production.
It is always satisfying when we can help solve complex challenges like this. Do your systems also need a check-up or optimization? Give us a call!
Work done in cooperation with James Malloy and David Moelling from Tetra Engineering.
More examples of our work https://www.r-r-consult.dk/en/cases-en/
1. Cyber Security in NextGen Air Transportation System
Dr Vippan Raj Dutt
vrdutt@yahoo.com
+91-9810297809
2. Presentation Flow
Introduction
Shortcomings of Existing Systems
NextGen Air Transportation System
NextGen Security Challenges
ATC Information Systems
Aircraft Avionics Systems
Cyber Security Framework for Aviation
Cyber Security Audit of NextGen
3. Air Transport Industry - Four Partners
Airlines
• Ticketing systems
• Credit card information
• On-board Wi-Fi
• Websites
• ERP
Airports
• Business systems
• Airport operation systems
• Facilities systems
• Terminal and off-site concessions
FAA / DGCA
• Air Traffic control
Aircraft Manufacturers
• Avionics
• Communication systems
5. Cyber Threats
On 7 August 2015, it was disclosed that the databases of American Airlines (AA) and Sabre Corp., one of the largest clearing houses for travel reservations, were hacked.
On June 21, 2015, LOT Polish Airlines had its flight operations system hacked, resulting in disruption or cancellation of 22 flights. (DDoS attack)
In April, 2015, American security researcher Chris Roberts claims to have accessed flight-critical controls through the in-flight entertainment system.
U.S. airport computer and communications systems were among the targets announced by the Tunisian Hackers Team in April 2014.
Miami International Airport (MIA) has experienced almost 20,000 hack attempts per day before investing in training, education, and new hardware to protect itself from cyberattacks.
Istanbul’s Atatürk International Airport had password control systems shut down by what is believed to have been a malware attack resulting in departure delays and extended waiting time for passengers.
7. The Sky is Falling !
Next time you are about to board a flight, please consider this
On any given day
More than 85,000 flights are in the skies in the United States
Only 1/3 of those are Commercial Carriers
2/3 are general aviation, private planes
5000 : Average number of aircraft in the skies at any given moment of peak travel time
15,000 : Average number of air traffic controllers required in airport traffic control facilities to guide pilots
Controllers provide Air Navigation Services to aircraft in ALL domestic airspace and to 24.6 million square miles of international oceanic airspace
The flight you’re about to board is 1 of 1,000s of blinking green dots on a radar screen display for busy Air Traffic Controllers, who rely on pilot communication and slips of paper printed from computer terminals to safely coordinate your flight.
1950s : The decade the current Air Traffic Control system was implemented
9. Shortcomings of the existing ATC system
System handles over 85,000 flights a day on average… all with the best technology the 1950s had to offer.
Technologically, it is outdated and limited in its capabilities.
It relies on ground-based radar for surveillance and navigation, and voice communications to relay instructions between controllers and pilots.
ATC system is slow and cumbersome.
These limitations force operational procedures such as separation standards and indirect point-to-point routings that are inefficient because they appropriately put safety first.
As civil aviation has grown and become more complex, the ATC system has become strained and, in some geographic areas, overwhelmed.
11. NextGen Addresses Critical Needs
Capacity. NextGen will enable more precise spacing of aircraft and flight paths, which will allow FAA to handle safely and efficiently the traffic growth that it forecasts.
Efficiency and Productivity. NextGen will enable more efficient flying by taking full advantage of available and emerging technology. NextGen will enable: optimized, direct routings between airports; reduced aircraft spacing; continuous descent arrivals, precise arrival and departure routings, and closely spaced approaches on parallel runways in instrument flight rule conditions.
Environmental Benefits, Operational Integrity and Customer Satisfaction, Safety, Scalability
The downside of NextGen technology is the magnitude of air service disruption should the system fail. For example, a computer glitch at an air traffic centre in Virginia caused more than 440 flights to be cancelled along the East Coast of the United States in August 2015. While not a cyberattack, this incident showed the vulnerability of NextGen technology in civil aviation.
13. Potential NextGen Vulnerabilities
NextGen relies on satellite-based aircraft navigation and tracking and digital voice and data communications between controllers and pilots, tied together using an integrated information management network called SWIM. This high degree of interconnectivity and access by both FAA employees and airspace users is expected to increase the capacity of the air traffic control system and improve safety, but it raises significant cybersecurity concerns.
The backbone of NextGen is a technology called Automatic Dependent Surveillance-Broadcast, or ADS-B, which is slated to replace radar as the primary means of tracking and monitoring aircraft. ADS-B is inherently vulnerable to hacking, jamming, signal flooding, and spoofing because of its open architecture and unencrypted signals.
The Government Accountability Office (GAO) cautioned that FAA's current approach to cybersecurity does not adequately address the interdependencies between aircraft and air traffic systems, and consequently may hinder efforts to develop a comprehensive and coordinated strategy.
GAO recommended that FAA develop a comprehensive cybersecurity threat model, better clarify cybersecurity roles and responsibilities, improve management security controls and contractor oversight, and fully incorporate National Institute of Standards and Technology (NIST) information security guidance throughout the system life cycle.
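The "open architecture and unencrypted signals" point above, shown on the wire format (an added example, not part of the original slides): a parser for the 112-bit Mode S extended squitter that carries ADS-B. The sample frame is assumed to be one used in public Mode S decoding tutorials, and the function names are this example's own.

```python
import string

GENERATOR = 0xFFF409  # public Mode S CRC-24 generator polynomial (low 24 bits)
# 6-bit callsign alphabet; '#' marks codes that are not assigned a character.
CHARSET = "#" + string.ascii_uppercase + "#" * 5 + " " + "#" * 15 + string.digits + "#" * 6

# Sample aircraft-identification frame (assumption: taken from public decoding tutorials).
SAMPLE_HEX = "8D4840D6202CC371C32CE0576098"


def crc24(data: bytes) -> int:
    """Parity over `data`; uses only the public generator, no key or secret."""
    crc = 0
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = ((crc << 1) ^ GENERATOR if crc & 0x800000 else crc << 1) & 0xFFFFFF
    return crc


def parse_frame(hex_frame: str) -> dict:
    """Split a DF17 frame into its fields: 5+3+24+56+24 = 112 bits, all cleartext."""
    raw = bytes.fromhex(hex_frame)
    if len(raw) != 14 or raw[0] >> 3 != 17:
        raise ValueError("not a 112-bit DF17 extended squitter")
    me = raw[4:11]  # 56-bit message payload
    fields = {
        "capability": raw[0] & 0x07,
        "icao_address": raw[1:4].hex().upper(),  # sender identity is self-declared
        "type_code": me[0] >> 3,
        # The last 24 bits are the only integrity field: it catches bit errors,
        # but anyone can compute it, so it proves nothing about the sender.
        "parity_ok": crc24(raw[:11]) == int.from_bytes(raw[11:], "big"),
    }
    if 1 <= fields["type_code"] <= 4:  # aircraft identification message
        bits = int.from_bytes(me[1:], "big")  # 48 bits = eight 6-bit characters
        chars = (CHARSET[(bits >> shift) & 0x3F] for shift in range(42, -1, -6))
        fields["callsign"] = "".join(chars).strip()
    return fields


if __name__ == "__main__":
    print(parse_frame(SAMPLE_HEX))
    corrupted = SAMPLE_HEX[:10] + "1" + SAMPLE_HEX[11:]  # one damaged nibble in the payload
    print(parse_frame(corrupted)["parity_ok"])
```

Every bit of the frame is accounted for by these fields, so a receiver that needs assurance about a track has to get it from outside the message, for example by cross-checking against radar or multilateration.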
14. NextGen Cybersecurity Challenges
Protecting air-traffic control (ATC) information systems
• July 2012: ADS-B hack: a security researcher demonstrated how easily an air traffic control tower could be manipulated.
• Ruben Santamarta – 2014: Backdoors and remote control of SatCom Military & Civil Aviation radios http://bit.ly/SatComHack (Paper)
Protecting aircraft avionics used to operate and guide aircraft
• Chris Roberts – 2015: Manipulation of Flight Controls via under-seat entertainment unit http://bit.ly/EICASHack (Reuters)
• Hugo Teso – 2013: Remote manipulation of Flight Management System through ACARS http://bit.ly/FMSHack (Forbes)
16. Cybersecurity Challenges to Protect ATC Information Systems
• ATC-related information systems are currently a mixture of old, legacy systems and new, IP-networked systems.
• New information systems for NextGen programs are designed to interoperate with other systems and use IP networking to communicate.
• New Networking Technologies Expose ATC Systems to New Cybersecurity Risks
• If one system connected to an IP network is compromised, damage can potentially spread to other systems on the network, continually expanding the parts of the system at risk.
• FAA Is Designing and Deploying an Enterprise Approach Intended to Strengthen the Cybersecurity of Its Information Systems
18. Cyber Security Risks to Aircraft Avionics
IP networking may allow an attacker to gain remote access to avionics systems and compromise them.
If the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin.
The presence of personal smartphones and tablets in the cockpit increases the risk of a system’s being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems.
The second source of the problem is the internet: because aircraft use IP protocols like any other networked system, they can be vulnerable to, for instance, an attacker installing malware.
FAA has yet to develop new regulations to certify cybersecurity assurance for avionics systems.
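The two risks described above (compromise spreading across an IP network, and a cabin-to-cockpit path through a shared router) can be checked at design time as a reachability audit over the allowed network flows. This is an added example, not part of the original slides; the system names and both flow lists are constructed for illustration.

```python
from collections import deque

# Constructed flow lists (assumptions for illustration, not real aircraft data).
# A pair (src, dst) means src is allowed to open IP connections to dst.
SHARED_ROUTER = [
    ("cabin_wifi", "ife_server"),
    ("ife_server", "shared_router"),
    ("shared_router", "avionics_gateway"),
    ("cockpit_tablet", "avionics_gateway"),
    ("avionics_gateway", "flight_management"),
]
SEGMENTED = [
    ("cabin_wifi", "ife_server"),
    ("ife_server", "cabin_router"),
    ("avionics_gateway", "cabin_router"),  # one-way feed, e.g. position for the cabin map
    ("avionics_gateway", "flight_management"),
]


def reachable(flows, start):
    """Map every system reachable from `start` to the hop-by-hop path that reaches it."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def audit(flows, untrusted, protected):
    """Return every path from an untrusted system to a protected one (empty = isolated)."""
    findings = []
    for origin in sorted(untrusted):
        paths = reachable(flows, origin)
        findings += [paths[p] for p in sorted(protected) if p in paths]
    return findings


if __name__ == "__main__":
    zones = ({"cabin_wifi", "cockpit_tablet"}, {"flight_management"})
    for name, flows in (("shared router", SHARED_ROUTER), ("segmented", SEGMENTED)):
        for path in audit(flows, *zones) or [["no path into protected systems"]]:
            print(f"{name}: {' -> '.join(path)}")
```

Each finding is a chain of individually permitted flows, which is why a rule-by-rule firewall review can miss it.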
19. Cybersecurity framework for Aviation
Establish common cyber standards for aviation systems
Establish a cybersecurity culture
Understand the threat
Understand the risk
Communicate the threats and assure situational awareness
Provide incident response
Strengthen the defensive system
Define design principles
Define operational principles
Conduct necessary research and development
Ensure that government and industry work together
22. Cyber Security Audit of NextGen
Performance Audit conducted by GAO from Sept 2013 to March 2015
Two key NextGen components, SBSS and Data Comm, audited
While FAA has integrated six activities into the AMS lifecycle, audit revealed instances in which some of these activities were not completed properly or were completed in an untimely manner
SBSS was deployed in 2008 with weaknesses in the program’s intrusion detection system, a shortcoming that was still unresolved as of early 2015.
Of 26 SBSS Problem Tickets that were completed during 2014, 25 were at least 6 months late, and 12 of these were more than 1 year late.
As Data Comm is still under development, its security requirements and selected controls continue to evolve. As of October 2014, Data Comm had included approximately 60 percent of the more than 250 controls listed in the third version of the NIST 800-53 guidelines
Delays in adopting the latest standards extend the amount of time that system security requirements may not adequately mitigate system exposure to the newest threats
24. Cyber Security Standards used by Aviation
ISO/IEC 27000 to 27006 — Information security management systems
NIST Special Publication 800-53 — Recommended Security Controls for Federal Information Systems and Organizations
DO-236 Security Assurance and Assessment Processes for Safety-related Aircraft Systems
ICAO Annex 17 - Security
ICAO Document 9985 - Air Traffic Management Security Manual
NIST SP800-30 — Risk Management Guide for Information Technology Systems
NIST SP800-53 — Information Security
NIST SP800-82 — Guide to Industrial Control Systems (ICS) Security
RTCA DO160 – Environmental Conditions and Test Procedures for Airborne Equipment
RTCA DO178 – Software Considerations in Airborne Systems and Equipment Certification
RTCA DO-254 – Design Assurance Guidance for Airborne Electronic Hardware
RTCA DO-233 – Portable Electronic Devices Carried on Board Aircraft
25. Glossary
ACARS : Aircraft Communications Addressing and Reporting System
ADS-B : Automatic Dependent Surveillance-Broadcast
ATC : Air Traffic Control
FAA : Federal Aviation Administration
NIST : National Institute of Standards and Technology