Open Architecture: The Key to Aviation Security

Open Architecture: The Key to Aviation Security

• 1.
  Mark Laustra Vice President AnalogicCorporation [email protected] Open Architecture For Aviation Security Internet Hub Printer Hub Hub Hub
• 2.
  AVSEC network architecture:“early 1990’s” PC • Proprietary software and hardware • Limited, built-in interoperability • Networking requires custom integration • 21st century IT tools unimplemented • Shared industry protocols or standards • Application Program Interfaces (APIs) • Software development kits • No certification for third-party solutions • No standard approach for cyber security 2
• 3.
  Why is thisa problem? 3 Full Picture Scanners Govt Databas es Behavior TSOs • Hinders basic security mission • Hard to create “full picture” or correlate information • Raises cost of security • Custom software, integration and networking is expensive • Proprietary systems = higher training and service costs • Hard to do remote system monitoring, or other network enabled functions • Slows innovation • Hard to encourage 3rd party HW and software developers to create innovative solutions
• 4.
  Government Goals forAVSEC Open Architecture • Address threats faster by improving data sharing • Improve system performance and reduce costs • Ensure protection from cyber threats 4 Disconnected Security Elements Full Picture Scanners & Threat Detection SW Govt Databases Passenger Behavior TSOs
• 5.
  = AVSEC Open Architecturecomponents “Open Architecture” for aviation security Access Control, Data Protection, Cyber Security • Comparable to other mission critical networks (e.g. DOD, other DHS agencies) Accessible Standards • IT hardware, software and networking system architecture • Designers’ specifications accessible by third parties • Officially approved standards • Privately designed architectures Certification / authorization • 3rd parties need SSI access • Must demonstrate 3rd party solutions will • Improve security • Maintain or improve operational performance Industry-wide Support • Need broad support => rapid adoption ”free for all” or “open source” Accessible requirements =
• 6.
  Examples from otherIndustries Intel/Microsoft vs. Apple Social Media, Healthcare, Uber US Navy • Fast tracked product • Extensive market penetration • Huge industry developed in response to OA BUT • HUGE interoperability problems and challenges • Success was driven by audiences served: “engineers” vs. “regular” people to get jobs done • Price dominates and cheapest always wins • Successfully use OA information • Data from wide variety of sources • Rapid data integration and processing • Minimal delay incorporating new information BUT • Susceptible to cyber threats, data loss • Vendor-independent upgrades extend life • Organized via carefully defined requirements • Collaboration and trust, reuse of proven designs 6 5 Core Principles Modular Design Loose coupling - high cohesion Standards driven Independent acquisition Collaboration/ Trust Reuse proven designs Maximum return Minimum investment Extend Life Software intensive Software upgrades Reduce risk Design transparency Disclosure Peer Review Strategic data rights Level competition Alternative solutions Alternative sources
• 7.
  Manufacturer Challenges forOA • Adds costs, esp. in short term • No apparent business incentives • Giving up “core competency” control • 3rd Party SSI/ Classification 7 • Possible competitive edge: interoperability • Faster access to 3rd-party knowhow, innovation • Expand system features Burden Opportunity
• 8.
  Open Architecture Questions/Issues • Who leads the effort? • What standards do/ don’t make sense • What is the ongoing forum for future improvements/ new threats • How to control access to standards? • How to ensure cybersecurity and data protection 8
• 9.
  Possible Solution: 1)Get Industry Engaged • Business model • Companies sell API’s/ Developer Kits to 3rd party developers • 3rd party developers fund their own Certification • Companies get royalties on adoption • Avoid extreme business cycles • Minimize approval process • Rapid new company vetting • “Software” Certification • Reduce/ speed up SSI Clearance 9 Interested Vendors Apply Gov’t Approval Approved Vendors
• 10.
  No Performance Certification Required PerformanceCertification Required Implementing Open Architecture: Multi-Phase Process • Common GUI/ training/ controls • Intersystem image and data sharing 10 • 3rd party algorithm development • 3rd party hardware, software Integration Requirements • I/O, Image Standards (STIP, DICOS) • Data standards • GUI specifications • Cyber security standards Requirements • Improved SSI access • Streamlined certification process • Investment by government, industry • Clear financial incentives for industry Phase 1 Phase 2
• 11.
  Conclusions • Moving toopen architecture has important benefits • There are models AVSEC can learn from (e.g. US Navy) • Getting there will require significant changes to status quo • Certification and standards-setting infrastructure, governance • Simplified SSI approval processes • Clear business case for vendors, developers • Recommend multi-phase implementation approach • Involve all stakeholders up-front • Start “easy” (non-Certified / classified) • Work on “difficult” (e.g. 3rd party algorithms) later 11
• 12.
  12 Thank You! Mark Laustra VicePresident Analogic Corporation [email protected]