Cyber vulnerabilities can have a significant impact on safety-critical systems.
Today there is an unprecedented level of digital interconnectivity in everything from vehicle sensors to rovers on the surface of Mars. The aerospace industry has a high degree of cyber connectedness where a negative impact could cause harm to not only aircraft but financial systems, company reputations, international relations, or even physical harm to humans and property.
During this informative session, Cary Bryczek, Director of Aerospace & Defense Solutions at Jama Software®, discusses how Jama Software applies a cybersecure-by-design approach to meeting DO-326A/DO-356A for aircraft systems and how this can be extended to the defense domain.
In this webinar, we covered:
- Applying the Airworthiness Security Assurance Process
- Threat (attack) modeling methods
- Tracing security measures to requirements and tests
- The role of requirements in DevSecOps tool ecosystems
DO-326 Airborne Security Assurance, Threat Modeling, and DevSecOps
Cary Bryczek: What we’re seeing today is just an unprecedented level of digital interconnectivity in seemingly every system out there. The aviation industry has a high degree of cyber connectedness where a negative impact could really cause harm to not just humans and property, but company reputations, international relations, or financial systems.
What we’re going to see today is how Jama Connect can provide a cyber secure-by-design approach to meeting the many aspects of DO-326 and DO-356, or ED-202 and ED-203 in Europe, the Middle East, and Africa (EMEA). What we’re going to see is we’re going to apply the airworthiness security process that’s inside of DO-326, and use Jama Connect’s Live Traceability™ to trace security measures to security requirements, trace security requirements to testing, and look and see how a threat analysis can all be incorporated into a single platform.
What is Cybersecurity by Design? So one of the things that we see a lot in the tool ecosystem is a very disconnected set of processes and tools. So whether you’re tracing and using tools that do requirements identification, tracing those to verifications and hardware and software designs, or whether you’re using tools to do aircraft security analysis and tracing those to security architectures and security V&V, we’re noticing the disconnectedness of the processes in the tool ecosystem is causing product delays, cost overruns, product failures, audit failures, late identification of defects, and lack of visibility, because the ecosystem is very disconnected. There’s poor requirement coordination. Change management is hard between software and hardware, and you have a high degree of manual effort required to produce the traceability that’s required for certification. And you’re seeing this after the fact, and Excel is used everywhere. Desktop tools are prevalent in the engineering of these systems, and it’s difficult to integrate desktop tools and Excel files into and across the ecosystem for product development.
Bryczek: So what is Live Traceability? Live Traceability in Jama Connect gives the ability for any engineer at any time to see the most up-to-date upstream and downstream information for any requirement, no matter the stage of the systems development or however many siloed tools it spans. Now, this Live Traceability is important because it’s required by the industry standards like we’ve seen in aviation development and Live Traceability delivers a huge productivity improvement and it reduces the risk and the delay that happens when you have a disconnected tool environment.
So we’re going to talk about DO-326. DO-326 is really a set of standards jointly developed by RTCA and EUROCAE. It came about in 2006. It includes a few separate standards. DO-326 and ED-202 really is about the airworthiness security process specification. It explains the fundamental concepts behind airworthiness cybersecurity. DO-356 and ED-203, the airworthiness security methods and considerations, this explains how to perform cybersecurity investments, how to evaluate threats, and security measures of the system. How do you apply the mitigation measures? DO-355, we’re not going to really talk about that one today, but it’s applicable to if there are changes in an already certified system. So one of the most relevant documents you’re going to start with even before you start down the path for cybersecurity, is creating your product information and security risk assessment document. You’re going to perform an analysis of this, and this analysis should be conducted according to the standards.
So what exactly is airworthiness? So airworthiness security is the protection of the airworthiness of the aircraft from intentional unauthorized electronic interaction. So existing safety processes don’t consider intentional disruption. They look at the faults and failures of an aircraft or the aircraft system on a whole. But DO-326 is specifically looking at intentional human-initiated actions with the potential to affect the aircraft due to some unauthorized access or disclosure or causing some denial or disruption of the information systems, the networks, and the software that’s running on these aircraft systems. So this also might include things like malware or infected devices or the logical effects of any external systems. So the purpose of the airworthiness security process within DO-326 is to establish that when subjected to this unauthorized interaction, the aircraft is going to remain in a condition for safe operation.
So like I said earlier, DO-326 describes the what and DO-356 is the how. I’m sure that you guys have carefully looked at both of these guidelines, and these are images from the guidelines. But I just wanted to point out what we’re going to talk about today. We’re going to talk about how the airworthiness security process and threats are mapped in Jama, and how you can have security assurance and the risk assessment process from DO-356, how those can be conducted in Jama Connect itself. As you know, DO-326 doesn’t live on its own. You’re having supporting processes from the development of the aircraft, the development of the system, DO-178, ARP-4754, all interacting and being conducted at the same time. So there’s no linear, do this first, do this next, do this later. All of these processes are taking place pretty much simultaneously or iteratively as you design and develop the aircraft system.
So the airworthiness security process, from a basic level, again, it’s the protection of the aircraft from intentional unauthorized electronic interaction. There are four steps for the basic process. We’re going to first identify the system assets and their parameters. The second step is to identify the threats for all of those assets, identify the risks for each of the threats, so what might happen, and then create controls and mitigations for those risks. You’re going to be adjudicating the degree of harm and assigning a security assurance level, the strongest being SAL 3, or the least would be SAL 0, where there are limited protection needs required. So there’s a way to grade those as well.
Bryczek: Inside of Jama Connect itself, this image describes essentially the architecture of what you’re going to see, what we have in the product. We have a template that you can use to facilitate this. It sits alongside of our template that’s used for ARP-4754, and DO-178, or DO-254. The orange assets are essentially the data model that we’re using to capture the different types of things in the system. So we have assets, we have vulnerabilities. Those are tied to different threat assessments, or a threat assessment is performed on these types of objects. We have security measures, we have the security architecture elements, and those feed into the security requirements. This comes pre-configured out of the box. We also have an area where you’re going to capture the data for that kind of thing.
Having this sort of a data model enables engineers to really perform the analysis to understand, all right, which assets have I not assessed yet? What’s the workflow? Who has reviewed the threat assessment? Have the security measures been satisfied by security requirements? Have we done security testing of the system? So this sort of data model enables the traceability to be instantiated and allows engineers to really more easily create that kind of content. So one of the benefits you see of using Jama is that the security process is not disconnected from the design and development of the aircraft system itself. It’s done alongside. So that way you have those earlier touch points between the functional aircraft design engineers and the security engineers. So you’re building in that secure-by-design approach.
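The trace questions raised above (unassessed assets, measures with no satisfying requirement, requirements with no test) can be answered mechanically once the data model is in place. The script below is an added illustration, not Jama Connect code or the speaker's material; it uses a constructed mini project with hypothetical identifiers and a simplified chain of asset, threat assessment with SAL, security measure, security requirement and security test.

```python
"""Traceability gap check over a DO-326-style security data model.

Added illustration, not Jama Connect code: a constructed mini project
linking assets -> threat assessments (with SAL) -> security measures ->
security requirements -> security tests, then reporting where the
trace chain is broken. All identifiers are hypothetical.
"""

# Constructed sample data, not from any real aircraft program.
ASSETS = {"A1": "Flight management computer", "A2": "Cabin Wi-Fi router",
          "A3": "Maintenance data port"}
THREATS = {"T1": ("A1", 3), "T2": ("A2", 1), "T3": ("A1", 2)}  # id -> (asset, SAL 0..3)
MEASURES = {"M1": "T1", "M2": "T2"}      # id -> threat it mitigates
REQUIREMENTS = {"SR1": "M1"}             # id -> measure it satisfies
TESTS = {"ST1": "SR1"}                   # id -> requirement it verifies


def trace_gaps(assets, threats, measures, requirements, tests):
    """Which assets lack a threat assessment, which threats lack a measure,
    which measures lack a requirement, which requirements lack a test."""
    assessed = {asset for asset, _ in threats.values()}
    mitigated, satisfied, verified = set(measures.values()), set(requirements.values()), set(tests.values())
    return {
        "unassessed_assets": sorted(a for a in assets if a not in assessed),
        "unmitigated_threats": sorted(t for t in threats if t not in mitigated),
        "unsatisfied_measures": sorted(m for m in measures if m not in satisfied),
        "untested_requirements": sorted(r for r in requirements if r not in verified),
    }


def open_threats_by_sal(threats, measures, requirements, tests):
    """Threats whose chain measure -> requirement -> test is incomplete,
    highest SAL first, so SAL 3 gaps are worked before SAL 0 ones."""
    tested = set(tests.values())
    open_ = []
    for tid, (_, sal) in threats.items():
        ms = {m for m, t in measures.items() if t == tid}
        reqs = {r for r, m in requirements.items() if m in ms}
        if not any(r in tested for r in reqs):       # no end-to-end trace
            open_.append((sal, tid))
    return [tid for _, tid in sorted(open_, reverse=True)]


if __name__ == "__main__":
    for name, ids in trace_gaps(ASSETS, THREATS, MEASURES, REQUIREMENTS, TESTS).items():
        print(f"{name}: {ids}")
    print("open threats, highest SAL first:",
          open_threats_by_sal(THREATS, MEASURES, REQUIREMENTS, TESTS))
```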