Mark Laustra, Vice President of Analogic Corporation, discusses why aviation security technology needs to be more like IT networking - encouraging interoperability and cyber security. He provides recommendations for US TSA and others. A version of this presentation was presented at the Defense Daily Modular Open Systems Summit on May 2 2018.
2. AVSEC network architecture: “early 1990’s” PC
• Proprietary software and hardware
• Limited, built-in interoperability
• Networking requires custom integration
• 21st century IT tools unimplemented
• Shared industry protocols or standards
• Application Program Interfaces (APIs)
• Software development kits
• No certification for third-party solutions
• No standard approach for cyber security
2
3. Why is this a problem?
3
Full
Picture
Scanners
Govt
Databas
es
Behavior
TSOs
• Hinders basic security mission
• Hard to create “full picture” or correlate
information
• Raises cost of security
• Custom software, integration and
networking is expensive
• Proprietary systems = higher training and
service costs
• Hard to do remote system monitoring, or
other network enabled functions
• Slows innovation
• Hard to encourage 3rd party HW and
software developers to create innovative
solutions
4. Government Goals for AVSEC Open Architecture
• Address threats faster by improving data sharing
• Improve system performance and reduce costs
• Ensure protection from cyber threats
4
Disconnected
Security Elements
Full
Picture
Scanners &
Threat
Detection
SW
Govt
Databases
Passenger
Behavior
TSOs
5. =
AVSEC Open Architecture components
“Open Architecture”
for aviation security
Access Control, Data
Protection, Cyber Security
• Comparable to other mission critical networks (e.g. DOD, other DHS
agencies)
Accessible Standards • IT hardware, software and networking system architecture
• Designers’ specifications accessible by third parties
• Officially approved standards
• Privately designed architectures
Certification / authorization • 3rd parties need SSI access
• Must demonstrate 3rd party solutions will
• Improve security
• Maintain or improve operational performance
Industry-wide Support • Need broad support => rapid adoption
”free for all” or
“open source”
Accessible
requirements
=
6. Examples from other Industries
Intel/Microsoft vs. Apple Social Media, Healthcare, Uber US Navy
• Fast tracked product
• Extensive market penetration
• Huge industry developed in response to OA
BUT
• HUGE interoperability problems and challenges
• Success was driven by audiences served:
“engineers” vs. “regular” people to get jobs done
• Price dominates and cheapest always wins
• Successfully use OA information
• Data from wide variety of sources
• Rapid data integration and processing
• Minimal delay incorporating new information
BUT
• Susceptible to cyber threats, data loss
• Vendor-independent upgrades extend life
• Organized via carefully defined
requirements
• Collaboration and trust, reuse of proven
designs
6
5 Core
Principles
Modular
Design
Loose coupling - high
cohesion
Standards driven
Independent acquisition
Collaboration/
Trust
Reuse proven designs
Maximum return
Minimum investment
Extend Life
Software intensive
Software upgrades
Reduce risk
Design transparency
Disclosure
Peer Review
Strategic
data rights
Level competition
Alternative solutions
Alternative sources
7. Manufacturer Challenges for OA
• Adds costs, esp. in short term
• No apparent business incentives
• Giving up “core competency” control
• 3rd Party SSI/ Classification
7
• Possible competitive edge: interoperability
• Faster access to 3rd-party knowhow, innovation
• Expand system features
Burden Opportunity
8. Open Architecture Questions/ Issues
• Who leads the effort?
• What standards do/ don’t make sense
• What is the ongoing forum for future improvements/ new threats
• How to control access to standards?
• How to ensure cybersecurity and data protection
8
9. Possible Solution: 1) Get Industry Engaged
• Business model
• Companies sell API’s/ Developer Kits to 3rd party developers
• 3rd party developers fund their own Certification
• Companies get royalties on adoption
• Avoid extreme business cycles
• Minimize approval process
• Rapid new company vetting
• “Software” Certification
• Reduce/ speed up SSI Clearance
9
Interested
Vendors
Apply
Gov’t
Approval
Approved
Vendors
10. No Performance Certification
Required
Performance Certification
Required
Implementing Open Architecture: Multi-Phase Process
• Common GUI/ training/ controls
• Intersystem image and data sharing
10
• 3rd party algorithm development
• 3rd party hardware, software Integration
Requirements
• I/O, Image Standards (STIP, DICOS)
• Data standards
• GUI specifications
• Cyber security standards
Requirements
• Improved SSI access
• Streamlined certification process
• Investment by government, industry
• Clear financial incentives for industry
Phase 1 Phase 2
11. Conclusions
• Moving to open architecture has important benefits
• There are models AVSEC can learn from (e.g. US Navy)
• Getting there will require significant changes to status quo
• Certification and standards-setting infrastructure, governance
• Simplified SSI approval processes
• Clear business case for vendors, developers
• Recommend multi-phase implementation approach
• Involve all stakeholders up-front
• Start “easy” (non-Certified / classified)
• Work on “difficult” (e.g. 3rd party algorithms) later
11