RTCA DO-356A, page 82
© RTCA, 2018
What is the organization of the elements?
What are the interconnections between or among the elements of the
What are the dependencies between the elements of the architecture?
What are the principles guiding its design and operation?
How is the architecture mapped to the implementation system architecture?
How do the “-ilities”, e.g., reliability, maintainability, etc., fit into the architecture?
This is not meant to be a checklist, as designing an architecture is a much
more intensive process.
The next section examines threat scenarios for further consideration in the security
architecture of an aircraft.
THREAT SCENARIOS AND DEFENSE-IN-DEPTH
Threat scenarios (described in section 3.4) are an important consideration in a security
architecture, especially once the management and administration interfaces are
Defense-in-depth is important because multiple lines of defense are the preferred means to
defend against multiple threats of varying complexity. A single line can fail, so
independent lines are used to tolerate single failures and to reinforce
robustness when under attack.
As attacks can be of numerous types, and to be prepared for unknown attack
techniques, different technological concepts are to be used in different layers when
defending against threats. Furthermore, bypasses of security measures need to be
actively assessed and further security measures might be utilized to make an effective
Defense-in-depth is an approach in which multiple layers of security measures are
placed throughout a system’s network architecture to provide redundancy in the event
that a security measure fails. Technical security measures in a defense-in-depth
architecture include, but are not limited to: anti-malware, firewalls, functional partitions,
hardened Operating Systems (OS), application jails, encryption, and proprietary
security measures. Beyond the technical network perimeter and host-based protections,
physical barriers and procedural security can contribute to the layered defense.
Separate technical and/or procedural controls may be utilized in parallel to provide one
layer of defense.
The key objective is to keep assets secured even if one security measure is
breached, relying on the remaining consecutive security measures.
A Security Barrier consists of several Security Measures. If a Security Barrier is used to
protect against several Attack Paths, the contained Security Measures need to be
designed such that they protect against all Threat Scenarios of all applicable Attack
Best practices for defense-in-depth include:
Consider all interfaces through which data enters a network or host as a possible
threat vector and provide protection at those interfaces.
Security measures should be independent, diverse, and isolated from one
While physical security is out of scope for this document, the architect should
state his/her assumptions about physical security as it relates to the protection
against IUEI. The physical security protections are typically considered in the
security environment assumptions about trusted zones and access.
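The two properties this section asks of a layered architecture can be checked mechanically once the barriers, their measures and the attack paths they sit on are written down: each barrier must cover every threat scenario of every attack path it protects, and each scenario should be stopped by more than one independent barrier built on diverse technology. The following is an added example in Python, not text or tooling from DO-356A; all barrier, measure and threat-scenario names are constructed placeholders, and the minimum of two independent layers is an assumption made for the example.

```python
"""Defense-in-depth coverage and diversity check: an added example, not DO-356A text.
Barrier, measure, path and threat-scenario names below are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class SecurityMeasure:
    name: str
    technology: str            # technological concept the measure relies on
    mitigates: FrozenSet[str]  # threat scenario ids the measure is designed to stop


@dataclass
class SecurityBarrier:
    """A barrier groups several measures and may sit on more than one attack path."""
    name: str
    measures: List[SecurityMeasure]

    def covered(self) -> FrozenSet[str]:
        return frozenset().union(*(m.mitigates for m in self.measures))

    def technologies_for(self, scenario: str) -> FrozenSet[str]:
        return frozenset(m.technology for m in self.measures if scenario in m.mitigates)


@dataclass
class AttackPath:
    name: str
    threat_scenarios: FrozenSet[str]
    barriers: List[SecurityBarrier]  # barriers crossed, from the entry interface inward


def barrier_coverage_gaps(paths: List[AttackPath]) -> Dict[str, List[str]]:
    """Threat scenarios a barrier must address (union over every path it protects)
    that none of its measures mitigate. An empty result means every barrier is adequate."""
    required: Dict[str, set] = {}
    by_name: Dict[str, SecurityBarrier] = {}
    for path in paths:
        for barrier in path.barriers:
            by_name[barrier.name] = barrier
            required.setdefault(barrier.name, set()).update(path.threat_scenarios)
    gaps: Dict[str, List[str]] = {}
    for name, needed in required.items():
        missing = needed - by_name[name].covered()
        if missing:
            gaps[name] = sorted(missing)
    return gaps


MIN_INDEPENDENT_LAYERS = 2  # assumption for this example; DO-356A states no such number


def depth_findings(path: AttackPath) -> List[Tuple[str, str, int, int]]:
    """Per threat scenario on one path: (scenario, finding, barriers covering it,
    distinct technologies among those barriers). A scenario stopped by a single
    barrier has no fallback if that barrier fails; one stopped only by layers of the
    same technology can be defeated by a single bypass of that technology."""
    findings = []
    for scenario in sorted(path.threat_scenarios):
        covering = [b for b in path.barriers if scenario in b.covered()]
        techs = frozenset().union(*(b.technologies_for(scenario) for b in covering))
        if len(covering) < MIN_INDEPENDENT_LAYERS:
            findings.append((scenario, "single line of defense", len(covering), len(techs)))
        elif len(techs) < 2:
            findings.append((scenario, "layers share one technology", len(covering), len(techs)))
    return findings


# Constructed sample architecture (placeholder names, not from any real aircraft).
GATEWAY_FW = SecurityMeasure("gateway firewall", "packet-filtering", frozenset({"TS1", "TS2"}))
ANTI_MALWARE = SecurityMeasure("anti-malware scan", "signature-scanning", frozenset({"TS3"}))
DOMAIN_ACL = SecurityMeasure("domain router ACL", "packet-filtering", frozenset({"TS1", "TS2", "TS3"}))
PARTITION = SecurityMeasure("functional partition", "partitioning", frozenset({"TS1", "TS3"}))
HARDENED_OS = SecurityMeasure("hardened OS", "os-hardening", frozenset({"TS3"}))
SIGNED_LOAD = SecurityMeasure("authenticated software load", "cryptography", frozenset({"TS2"}))

PERIMETER = SecurityBarrier("network perimeter", [GATEWAY_FW, ANTI_MALWARE])
DOMAIN = SecurityBarrier("domain boundary", [DOMAIN_ACL])
HOST = SecurityBarrier("host", [PARTITION, HARDENED_OS])
LOADER = SecurityBarrier("data loader", [SIGNED_LOAD])

PATHS = [
    AttackPath("maintenance laptop via gateway", frozenset({"TS1", "TS2", "TS3"}),
               [PERIMETER, DOMAIN, HOST]),
    AttackPath("field loading via data loader", frozenset({"TS2", "TS3"}), [LOADER, HOST]),
]

if __name__ == "__main__":
    print("barrier coverage gaps:", barrier_coverage_gaps(PATHS))
    for path in PATHS:
        print(path.name, "->", depth_findings(path))
```

On the constructed data the host barrier is shared by both paths, so it must cover TS2 as well, which it does not; the data loader likewise misses TS3. On the first path TS2 is stopped twice, but both layers are packet filtering, which is the common-technology case the text warns about; on the second path both scenarios rest on a single barrier. The report is the input to an architecture review, not a substitute for the risk assessment itself.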
SECURITY ARCHITECTURE PRINCIPLES AT AIRCRAFT LEVEL
The Security Architecture Principles are a set of principles to support first architectural
considerations. They aim to support early architecture definitions to prevent risk
assessments from identifying new risks late in the development process. However, the
principles are generic and are based on experience and security best practices. Their
strict application cannot guarantee that the risk assessment (that assesses each case