Home' RTCA Documents for Review : DO-230H FRAC Contents 279
©2017 RTCA, Inc.
Physical security of network assets, including cable pathways in public areas and terminations installed in
telecommunications rooms, should be addressed during system design using the ConOps as a baseline, and
should include facility vulnerability to external explosives, required level of security, access means, the
granting and control of access privileges, etc.
LAN segmentation is used by many organizations to break the network down into smaller, more
manageable compartments. Using different LAN segments or virtual LAN (VLAN) segments has a number
of advantages. It can enable an organization to expand their network, reduce network congestion,
compartmentalize problems for more efficient troubleshooting, and improve security by protecting different
VLAN’s from each other.
A firewall, or router ACL (access control lists), can be used to restrict communications between the WLAN
and the rest of the network. Additional levels of security are possible by connecting the WLAN to the
internal network via a web proxy or VPN, by isolating the LAN using a so-called Demilitarized Zone
(DMZ, by restricting access by wireless devices so that they can only access approved websites, folders or
The impact of a security breach on an IASS or ICS can be major. Below are some typical impacts that could
result from an attack:
Blocked or reduced communications- a variety of simple network attack techniques can impede
communications on the security system network between the server and the remote devices. In the
case of IASS, this means that an access control panel may not be able to communicate with the
IASS server, and as a result alarms from doors are not reported to the control center. Similarly,
access data from the server may not be able to reach the panel, so that changes to personnel access,
including termination of access rights, may not be able to be implemented. Camera video feeds
may be of lesser quality or not available.
Unauthorized configuration changes- a more sophisticated attacker may be able to make changes
to the configuration of IASS devices such as access control panels, so that it goes offline, cannot
communicate, or conflicts with other devices on the network.
Reboot of workstations, servers, cameras, ACS panels- a reboot means that the device is offline for
several minutes, or in the case of a server much longer.
Database tampering- if an attacker can access the IASS server over the network he can change
access control privileges, cover tracks of a physical tamper, delete past data or fully incapacitate
the server and therefore the system.
Erased archived video- if an attacker can access the VMS server over the network he can erase
recorded alarm or archived video, or fully incapacitate the server and therefore the system.
Insert video- through “man in the middle” attacks, an attacker can insert prerecorded video, for
example displaying earlier recorded video of a door with no one present, in place of live video of
someone physically compromising a door.
System takeover- with network access an attacker can completely disable most or all of the function
of an IASS.
Airport communication systems incorporate information technology based on commodity hardware and
software as well as architectures that mirror traditional IT network behavior, mechanisms, and protocols.
Links Archive Navigation Previous Page Next Page