Home' RTCA Documents for Review : DO-356A Contents 104
© RTCA, 2018
prior to the final security vulnerability assessment as part of the certification security
assessment baseline. Available public databases may be used, along with vendor
notifications. Open-source attack tools and proprietary attack tools also serve to
document well-known attack techniques and the condition of being vulnerable to one is
considered to be a well-known vulnerability.
The set of classification attributes should be defined to support risk analysis proceeding
at higher levels of the development.
The identification and classification includes a description of the resulting effects on the
system if the vulnerability is exploited by attack along with a classification of the
attributes of the vulnerability related to exposure, exploitability, and scope. Several
industrial standards have been developed that are used by well-known vulnerability
databases. An industrial standard that is compatible with well-known vulnerability
databases may be used as part of the assessment.
Classification standards that may be considered include CVSS, the “Common
Vulnerability Scoring System”, Version 3.0. Databases that use this standard include
the US National Vulnerability Database, the US National Cyber Awareness System, and
Information from these sources is most likely to address software that is
commercially marketed for uses unrelated to airborne systems (e.g.,
COTS). In the absence of databases that specifically accommodate
airborne systems it is important to understand the methods used in any
vulnerability identification and classification system before applying it to
Regardless of how vulnerabilities are identified and classified relative to non-airborne
systems use, vulnerabilities should be evaluated within the aircraft systems architecture
to determine both exposure characteristics and airplane level impact. Exposure and
severity will be unique to each aircraft type. Databases for COTS products will assume
typical IT architectures, exposure and usage, which can make the assessment results
inaccurate for airborne uses.
Vulnerability Reporting and Management
Vulnerabilities should be traced in vulnerability problem reports whatever their impact
and independent from the fact that they will be judged acceptable or not. The process
for creating and managing Vulnerability problem reports should resemble the same
processes used for Complex Electronic Hardware and Software Problem Reports today.
One difference is that in addition to designers and testers creating Problem Reports,
Vulnerability Problem Reports may be created by independent security teams or third-
party assessors. Those parties (suppliers and sub-tier suppliers) responsible for the
tracking and remediation of vulnerabilities will likely stay the same.
The vulnerability dossier contains the vulnerabilities discovered during security
behaviour assurance activities and the resulting system's response. The vulnerability
dossier is part of the supporting evidence for Aircraft or System Security Risk
Assessment. An analysis should be conducted to identify the vulnerabilities. Each
Vulnerability Problem Report created following this analysis should in turn be analyzed
to determine the severity of the effect resulting from triggering this vulnerability. The
analysis will be part of the vulnerability dossier.
Links Archive Navigation Previous Page Next Page