Electronics & Connectivity - September 5, 2012 - 18

Securing IT in the sky
While the notion of maintenance is well established in the aviation industry, the necessity of also having to maintain the security level of aircraft IT systems is not.

the system. From the software freeze of the first release until the end of the in-service life cycle of the aircraft IT system (which for an aircraft can be several decades), the product has to be monitored for previously unknown implementation vulnerabilities. For COTS software, vendors usually announce implementation vulnerability alerts, but these may also originate from independent security researchers. A CVE identifier is then assigned to each such vulnerability. With 4639 CVEs in 2010, the average number of implementation vulnerabilities per day is 12.7. For the A380 aircraft, an average of 3.0 implementation vulnerabilities per day was reported in the same time frame, which means that a process needs to be established to continuously analyze the implementation vulnerabilities in a timely manner. Based on CVSS (the Common Vulnerability Scoring System), each CVE is then associated with an impact score derived from the intrinsic characteristics of the vulnerability. These characteristics form the Base Metric Group, and the resulting base score is provided by organizations like the NIST Computer Security Division. Alert Service Providers then collect this information in advisories and provide filtering capabilities for the software and the version concerned. CPE (Common Platform Enumeration) has already established itself as a standard for assigning unique identifiers to software products and their versions, significantly improving the accuracy of software matching and hence reducing the number of false positives. Alert Service Providers may directly add information related to the characteristics of a vulnerability that change over time, like exploitability, remediation level, and report confidence. This is supported by the CVSS standard and referred to as the Temporal Metric Group. The Environmental Metric Group, which CVSS reserves for the user's own environment, is then used to rate the vulnerability in the aircraft context.

It is important to point out that the two preventive measures, implementation vulnerability management and security audits management, complement each other and can never replace one another. An implementation vulnerability management process is not able to detect configuration or design vulnerabilities. Security audits, on the other hand, can only provide a snapshot view (in terms of time and scope) of the security level. Even if audits are performed at regular intervals, a holistic assessment of the security level can only be achieved if both activities are performed.

The third and last input into an operational security management process is security incidents. Security incidents can be grouped into two classes: incidents in which the security event is the fault, i.e. the cause of an error, and incidents in which the security event is the failure, i.e. the consequence of an error (not every fault results in a failure). An example of the first class is an operating system on which a vulnerability is successfully exploited to cause a system crash (fault: security, failure: non-security). The failure alone does not indicate that a security event is the cause (in this case it could also be overheating of the CPU) and requires further analysis. An example of the second class is a security system like a firewall that suffers a failure caused by an accidentally disconnected wire (fault: non-security, failure: security). Even though the consequence is a security event, it is not caused by one. Another possible combination exists
