RTCA DO-356A
© RTCA, 2018
Step 1: Identify those threat conditions that are based on failure conditions on the
assets that can be caused by a total or partial loss of security attributes to an asset.
Threat conditions are based on failure conditions when an attack path exists from
outside the security perimeter to the asset in question. If no attack path or related threat
scenario exists to cause the condition, then failure conditions will not have associated
Step 2a: Identify additional threat conditions from a consideration of total or partial loss
of security attributes and vulnerability to an asset by determining the impact of known
or obvious attacks. Examples include attacks on the LRU interfaces, man-in-the-middle
attacks, replay attacks, spoofing and introduction of coherently corrupted messages,
and other tampering attacks. The design features or failures which would allow such
attacks to be applicable and to succeed are also vulnerabilities.
Step 2b: Identify additional threat conditions from a consideration of total or partial loss
of security attributes due to vulnerabilities inherent in the dataflow and interfaces
involving an asset. Consider all functions with data flows or interfaces, physical or
logical, to entities that are in a different security domain with a lower security assurance.
Each such dataflow represents an inherent vulnerability that could be exploited by an
attacker. Note that all network layers should be considered in this analysis; for example,
a TCP/IP stack is exposed to network packets even if there are no applications
accepting connections. Remember that non-critical functions can use OS layers to
manage different functions. These layers are also exposed and are often based on
Operating System modules (especially network stacks, file or memory management and
threads or process management).
Step 3: For all the threat conditions identified, identify the specific effect on aircraft, flight
crew or occupants, and the flight phases in which the effects occur. Note that the effects
can be different between aircraft, flight crew, or occupants, which affects the severity
impact of the threat condition. For example, a threat condition that can affect passengers
but not flight crew may have a lower severity impact than a threat condition that has an
effect on flight crew.
Step 4: Determine the severity of each threat condition. This determination must be
consistent with the different levels (e.g. aircraft, system, item) of the security risk
The steps above imply an ordering whereby the threat conditions on all potentially
affected assets are identified first, then effects determined, and only subsequently
severities are determined. However, this is just an example that breaks down the
elements of the analysis activity into steps. In reality, there is no specific ordering and
the conduct of the activity is typically more flexible than that. The analysis may cycle
several times on threat condition identification, the severity may be determined as each
threat condition is identified, the analysis may consider all assets affected by one threat
condition or may consider all threat conditions affecting a single asset at a time, and a
final review can revise the severity of one or more threat conditions after a more
complete understanding emerges. Moreover, some of the steps may be omitted entirely,
and only performed after a more complete understanding of the security environment is
achieved. Figure 3-3 depicts one possible way that the analysis can be performed when
working one asset at a time.
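The following is an added worked example, not part of DO-356A, that models Steps 1 through 4 for a single asset as Figure 3-3 describes: failure conditions become threat conditions only when an attack path exists, each dataflow to a lower-assurance domain is treated as an inherent vulnerability at whatever layer it sits, and severity is taken from the worst effect across aircraft, flight crew and occupants. The severity categories, the asset, its interfaces and all effect values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
# Illustrative severity scale, least to most severe (assumed; not listed on this page).
SEVERITY = ["No effect", "Minor", "Major", "Hazardous", "Catastrophic"]

@dataclass
class FailureCondition:
    name: str
    attack_path_exists: bool  # reachable from outside the security perimeter?
    effects: dict             # {"aircraft" | "flight crew" | "occupants": severity}
    phases: list              # flight phases in which the effect occurs

@dataclass
class DataFlow:
    name: str
    layer: str                # "application", "TCP/IP", "OS" ...
    peer_assurance: int       # security assurance of the domain at the other end
    effects: dict             # impact if a security attribute is lost over this flow
    phases: list

def severity(effects):
    # Step 4: as severe as the worst effect on aircraft, flight crew or occupants,
    # so an occupant-only effect can rank below one that reaches the flight crew.
    return max(effects.values(), key=SEVERITY.index)
def analyse_asset(name, assurance, failure_conditions, dataflows):
    """Steps 1, 2b, 3 and 4 for one asset: list of (threat condition, severity, phases)."""
    threats = []
    # Step 1: a failure condition is a threat condition only if an attack path exists.
    for fc in failure_conditions:
        if fc.attack_path_exists:
            threats.append((fc.name, severity(fc.effects), fc.phases))
    # Step 2b: each flow to a lower-assurance domain is an inherent vulnerability at
    # every layer; a TCP/IP stack counts even when no application accepts connections.
    for df in dataflows:
        if df.peer_assurance < assurance:
            label = f"{name}: attack via {df.name} [{df.layer}]"
            threats.append((label, severity(df.effects), df.phases))
    return threats

# Constructed sample asset; names, assurance levels and effects are invented.
GATEWAY_THREATS = analyse_asset("Network gateway", 3,
    [FailureCondition("loss of crew data link routing", True,
        {"aircraft": "Major", "flight crew": "Hazardous", "occupants": "Minor"}, ["cruise"]),
     FailureCondition("log rotation fault", False,
        {"aircraft": "Minor", "flight crew": "Minor", "occupants": "No effect"}, ["all"])],
    [DataFlow("passenger Wi-Fi segment", "TCP/IP", 1,
        {"aircraft": "No effect", "flight crew": "No effect", "occupants": "Major"}, ["cruise"]),
     DataFlow("avionics bus", "physical", 3,
        {"aircraft": "Major", "flight crew": "Major", "occupants": "Minor"}, ["all"])])
```

Only two threat conditions survive: the unreachable failure condition is dropped under Step 1, and the avionics bus is not a lower-assurance domain, so it adds no inherent vulnerability under Step 2b.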