DO-356A Contents 52
© RTCA, 2018
scenarios from the parent level are applicable if they affect the assets in scope of the
lower level risk assessment.
Example: Three threat scenarios TS1, TS2 and TS3 have been identified for function
A in the aircraft risk assessment. The risk assessment for the system that
will implement function A needs to include threat scenarios that cover at
least the same threats as TS1, TS2 and TS3.
An attack path for a specific target can cross multiple systems and/or devices. Risk
assessments on a specific level (e.g. system) may identify threat scenarios that cover
only parts of the complete attack path. In such cases a threat scenario for the complete
attack path should be identified in a parent level risk assessment. Together with the
above rules this ensures that the risk is properly considered in all affected systems.
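As an added illustration of the two rules above (example code, not part of DO-356A), a small Python check over constructed threat scenarios: it reports parent-level threats that a lower-level assessment fails to cover for the functions in its scope, and flags lower-level scenarios whose attack path crosses several systems without a parent-level scenario covering the complete path. All scenario ids, threat names, function names and system names below are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatScenario:
    """One threat scenario from a risk assessment at a given level (constructed model)."""
    ident: str            # scenario id, e.g. "TS1"
    threats: frozenset    # threats the scenario covers (constructed names)
    functions: frozenset  # functions (assets) the scenario affects
    systems: frozenset    # systems traversed by the scenario's attack path


def uncovered_threats(parent, child, child_functions):
    """Map parent scenario id -> threats the lower-level assessment does not cover.

    Only parent scenarios affecting a function in scope of the lower-level
    assessment count: the child must cover at least the same threats as those.
    """
    covered = set().union(*(ts.threats for ts in child))
    gaps = {}
    for ts in parent:
        if not ts.functions & child_functions:
            continue  # does not affect the assets in scope of this assessment
        missing = ts.threats - covered
        if missing:
            gaps[ts.ident] = missing
    return gaps


def multi_system_paths_missing_parent(child, parent):
    """Ids of lower-level scenarios whose attack path spans more than one system
    and for which no parent-level scenario covers the same threats across all
    of those systems (i.e. the complete path is not assessed at the parent level)."""
    return [ts.ident for ts in child
            if len(ts.systems) > 1
            and not any(ts.threats <= p.threats and ts.systems <= p.systems for p in parent)]


# Constructed aircraft-level scenarios: TS1..TS3 affect function A, TS4 affects function B.
AIRCRAFT = [
    ThreatScenario("TS1", frozenset({"spoof-maint-port"}), frozenset({"A"}), frozenset({"SYS-A"})),
    ThreatScenario("TS2", frozenset({"tamper-config-load"}), frozenset({"A"}), frozenset({"SYS-A"})),
    ThreatScenario("TS3", frozenset({"dos-data-bus"}), frozenset({"A"}), frozenset({"SYS-A", "GW"})),
    ThreatScenario("TS4", frozenset({"corrupt-log"}), frozenset({"B"}), frozenset({"SYS-B"})),
]
# Constructed system-level scenarios for SYS-A, which implements function A.
SYSTEM_A = [
    ThreatScenario("S-TS1", frozenset({"spoof-maint-port"}), frozenset({"A"}), frozenset({"SYS-A"})),
    ThreatScenario("S-TS2", frozenset({"tamper-config-load"}), frozenset({"A"}), frozenset({"SYS-A"})),
    ThreatScenario("S-TS5", frozenset({"replay-gw-cmd"}), frozenset({"A"}), frozenset({"SYS-A", "GW"})),
]

if __name__ == "__main__":
    print(uncovered_threats(AIRCRAFT, SYSTEM_A, frozenset({"A"})))   # TS3 is not covered
    print(multi_system_paths_missing_parent(SYSTEM_A, AIRCRAFT))    # S-TS5 crosses SYS-A and GW
```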
SECURITY MEASURE CHARACTERIZATION
This section describes how security measures are characterized during the security
development activities. Security measures are not limited to designated security
functions. It is possible for any functions and procedures to be taken into account if their
effectiveness in a specific threat scenario can be justified and they follow the guidance
in 4.9 ALLOCATION OF ASSURANCE LEVELS FOR LAYERED PROTECTION (also
see section 3.5.1). Examples of different security measures include security functions,
i.e. execution of a firewall; preventative actions without a function, i.e. removal of all
applications, services, etc. from an OS/kernel that are not required for airplane
operations; and implementation rules and coding procedures.
All identified security measures need to be characterized to be applicable in a threat
scenario. This activity needs to identify the security measure characteristics needed for
the risk assessment: type, effectiveness and vulnerabilities.
Security measures may include organizational requirements or operational
instructions to crew (documented in security guidance per ED-202A / DO-
326A) that help prevent attacks. The methods for assessing the
effectiveness of non-technical security measures taking into account
human factors will be discussed in a future version of this document.
The following information is required in order to be able to perform security risk
assessment and elaboration of security requirements:
1. Known vulnerabilities in the system and system users to plan security measures
that will address those vulnerabilities.
2. Required effectiveness of the security measures in order to demonstrate
acceptable security risk of the threat scenarios. Security measures are
characterized by their effectiveness against unauthorized interactions. This is
shown by performing the following steps:
   - Establishing effectiveness of the security architecture through validation of
     the correctness of the security architecture (see section 5.2 “Concepts and
     Characteristics of Security Architectures”).
   - Determining the limitations or vulnerabilities of the security measures and
     assessing their impact on effectiveness (See section 4.1.1 “Vulnerability
   - Establishing effectiveness of the security measures through validation of
     the correctness of the security requirements to perform with the security
     environment (See sections 4.1.3 “Security Risk Assessment Objectives” or
     4.2.4 “Security Verification Objectives”).
   - Establishing an appropriate level for effectiveness (See section 4.1.3
     “Security Risk Assessment Objectives”).
3. Sufficient interface and functional requirements (or reference/summaries to
design data) about the security measures and the targets to build the attack paths
and threat scenarios, and to allocate design requirements to
systems/subsystem/items to conform with the threat scenarios and not introduce
new unacceptable threat scenarios. Again, the level of detail
(system/subsystem/item) will depend on the current level of development.