RTCA DO-356A, page 83
© RTCA, 2018
individually) will assess all risk as being acceptable. The risk assessment is the material
for decision making.
This document defines architecture principles at aircraft, (multi-) system and item level
addressing aircraft information security needs. The assumption is that aircraft level
principles propagate down to system and item, and system level principles propagate
down to item. This section examines security architecture principles at the Aircraft Level.
Principle 1 – Defense-in-Depth
Architecture Principle 1:
The Aircraft Security Architecture should be based upon layered protection capabilities
Defense-in-depth, i.e. layered defense, addresses more than one threat scenario and ties
the corresponding security measures together into one coordinated set. A layered security
approach provides robustness against threats, because an attacker must defeat several
independent measures in sequence. The defense-in-depth architecture should be supported
by an analysis showing that the multiple consecutive security measures protecting an asset
cannot be defeated by a single attack.
Adding on to the defense-in-depth best practices mentioned in section 5.5:
Assume at least one device on a network is compromised and mitigate its impact to
It makes sense to employ diversity, that is, use different technological concepts for the
two Security Barriers to ensure that attackers need to apply different attack techniques.
In other words, the attacker should not be able to defeat two barriers with one attack.
To be counted as separate, independent security measures or layers of defense, the
security measures should be built from a diverse, heterogeneous set of technologies. The
rationale is that if two security measures share the same technology and the attacker
defeats one, the same technique will defeat the other. For example, two firewalls placed in
series should come from different vendors: with two firewalls from the same vendor, an
attack that defeats one defeats the other, so they count as one layer of defense, not two.
Diversity in security measures can also be achieved by having some layers managed
by a COTS security measure and some with a dedicated proprietary security measure
specially developed for the aircraft protection (at least with threat scenarios to
Security Barriers rely on technical Security Measures and might need to be
complemented by operational Security Measures.
Based on the impact and likelihood of each Threat Scenario, the risk assessment
rates the risk as high, medium or low. On that basis, Security Barriers / Security
Measures are proposed to reduce the risk to an acceptable level.
The architecture should anticipate this by being defined so that Security Barriers can be
established in front of the asset (where possible).
Principle 2 – Integrity of Data Loadable Equipment
Architecture Principle 2:
The supplier and/or airplane manufacturer should have some way to check the integrity
of the Loadable Software Airplane Part (LSAP) or data loadable equipment prior to
Ensure basic trust assumptions.
The integrity check should be stronger than a standard CRC: a CRC detects accidental
corruption but not deliberate modification, since an attacker who alters the part can
adjust it so that its CRC is unchanged. Checking a digital signature over the part is one
way to achieve this, though not required.
If a digital signature is implemented, the supplier of data loadable equipment shall
conform to the certificate policy and, in particular, shall ensure that the private key
used to sign data loads is not compromised.
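The following is an added example illustrating why the text asks for an integrity check stronger than a CRC; it is not part of DO-356A and not code from any supplier. It implements the standard CRC-32 (checked against zlib), then shows that because a CRC is linear, an attacker who modifies a loadable part can append four chosen bytes so the tampered part still matches the stored CRC. A keyed check is then shown to reject the tampered part. The keyed check uses HMAC-SHA256 from the Python standard library as a stand-in for the digital signature the text recommends: a signature has the additional property that the aircraft side needs only the supplier's public key, while the signing key stays with the supplier. The sample part content, the key, and the function names are constructed for the example.

```python
"""Added example: a CRC-32 can be patched after tampering; a keyed check cannot."""
import hashlib
import hmac
import zlib

CRC_POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib / IEEE 802.3


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC_POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()


def crc32_register(data, reg=0xFFFFFFFF):
    """Run the CRC-32 shift register over data (no final inversion)."""
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg


def crc32(data):
    """Standard CRC-32, equal to zlib.crc32 (verified in demo())."""
    return crc32_register(data) ^ 0xFFFFFFFF


def forge_crc32_suffix(data, target):
    """Return four bytes s such that crc32(data + s) == target.

    Backward pass: starting from the wanted final register, recover the table
    index used at each of the last four steps. The top byte of the register
    after a step comes only from the table entry, and the 256 CRC-32 table
    entries all have distinct top bytes, so each index is forced.
    Forward pass: from the real register after `data`, choose at each step the
    byte that selects the forced index.
    """
    reg = target ^ 0xFFFFFFFF
    indices = []
    for _ in range(4):
        k = next(i for i in range(256) if TABLE[i] >> 24 == reg >> 24)
        indices.append(k)
        reg = ((reg ^ TABLE[k]) << 8) & 0xFFFFFFFF
    indices.reverse()  # now in processing order k0..k3
    reg = crc32_register(data)
    suffix = bytearray()
    for k in indices:
        suffix.append((reg ^ k) & 0xFF)  # byte that makes (reg ^ byte) & 0xFF == k
        reg = TABLE[k] ^ (reg >> 8)
    return bytes(suffix)


def crc_check(part, stored_crc):
    """The weak check: passes for anything with a matching CRC."""
    return crc32(part) == stored_crc


def keyed_check(part, key, stored_tag):
    """HMAC-SHA256 stand-in for a signature check, with constant-time compare."""
    tag = hmac.new(key, part, hashlib.sha256).digest()
    return hmac.compare_digest(tag, stored_tag)


def demo():
    # Constructed sample part content; not a real LSAP.
    original = b"LSAP-DEMO v1.0 | cfg: gateway_acl=deny_all | fw=0x0001\n"
    stored_crc = crc32(original)
    assert stored_crc == zlib.crc32(original)  # our CRC-32 matches the standard one

    # Attacker weakens the configuration, then patches the CRC back to the stored value.
    tampered = original.replace(b"deny_all", b"allow_all")
    tampered += forge_crc32_suffix(tampered, stored_crc)

    # Constructed supplier key; in practice a signing key the supplier never releases.
    key = b"supplier-loading-key-demo"
    stored_tag = hmac.new(key, original, hashlib.sha256).digest()

    return {
        "crc_accepts_tampered": crc_check(tampered, stored_crc),
        "keyed_accepts_tampered": keyed_check(tampered, key, stored_tag),
        "keyed_accepts_original": keyed_check(original, key, stored_tag),
    }


if __name__ == "__main__":
    print(demo())
```

The forgery needs no secret and only four extra bytes, which is why a CRC stored beside the part (or an unkeyed hash the attacker can overwrite along with the part) gives no assurance against deliberate modification; only a check bound to a key the attacker does not hold does.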