RTCA DO-356A, page 57
© RTCA, 2018
any measures that block untrusted threat sources from using all or part of the external
access connections to manipulate assets and their attributes.
Access Connection is the logical set of electronic interactions that allow a user or
attacker to modify asset attributes, manipulate data, and change the condition of
equipment. It may involve multiple intermediaries and multiple network layers.
Access Conditions are:
  - The conditions required for an access connection to be enabled. They may
    include access control policies, authorizations, and authentication.
  - The functionality enabled by the connection. It includes the range of assets
    and their attributes that can be manipulated or modified through an access
    connection, the range of data manipulations, and the degree of control
    offered by the access connection to change equipment conditions.
Intended Access are access conditions that are entrusted to authorized classes
Denied Access are access conditions that are actively denied to unauthorized
classes of attackers by the security measures, where otherwise the access
conditions could be exposed to the attackers.
Attack Attempt Criteria
An attack is a pairing of attacker capability with a product vulnerability, but the focus in
this section is on the attacker capability. The capability of attackers is determined by the
capability and maturity of their attack tools.
There are three stages of maturity of attacks considered here, all classified according
to the view of the development program itself.
Feasible Attacks are defined as those attacks, tools, and enabling vulnerabilities which
have established credibility as potential attacks in the judgment of experts, with enough
technical specificity to determine that a system or product is vulnerable and how to
protect it. As a result, it can be considered as a specific threat and vulnerability to be
evaluated in the Level Of Threat evaluation as part of the Protection criteria (see below).
Infeasible Attacks are defined as those attacks, tools, and enabling vulnerabilities which
have theoretical justification, but either lack specificity (“it’s a computer, it can be
hacked”) or will require resources or access that are assumed to be beyond the attacker
capability in the defined security scope. An example for infeasible attacks would be an
attack that requires user interaction against a system that has no interactive functions.
There is a third category, Undiscovered Attacks, which includes most Zero-Day
Vulnerabilities: attacks that exist in the field but are not yet known to the
development program to be feasible. By definition the development program is
unable to consider these attacks specifically within the Level Of Threat
evaluation; it can only respond generically as part of the Protection criteria (see
below), or seek to discover such attacks through Vulnerability Management (see
section 4.1.1 and B.2.1).
While three stages of maturity of attacks are described here, the applicant can
categorize attacks according to their understanding of current and anticipated attacker
skill level and/or availability of attack tools. For example, section E.1.3.3 “Execution
Means” defines four expertise categories (Layman, Proficient, Expert, and Multiple
Expert) and four equipment categories (None/Standard, Special COTS, Special, and
There are two metrics to be considered in Attack Attempt:
  - Degree of Attempts: the limiting factors on which kinds of attacks and attackers
    will be considered.
  - Capability of Attempts: the degree of capability that the attacker has to
Attack Attempts may exclude infeasible attacks on assets that have safety effect or
which support security measures.