RTCA DO-356A, page 272
© RTCA, 2018
for an attack on personal computers, e.g. common internet, open source, and malware
tools. Having said that, there are further constraints on the attacker such as physical
accessibility and procedures.
Non-Trivial definition was also borrowed from traditional ground based IT systems. It
means the tools and/or skills required to carry out such an attack are similar to those
required for an attack on a well-defended corporate network. Having said that, there
are further constraints on the attacker such as physical accessibility and procedures.
“Well-defended corporate network” means the network of a company with name-brand
recognition that has the capital to invest in a security infrastructure, so more
sophisticated tools and/or skills would be needed to defeat it.
Challenging means a proof of concept has been demonstrated in a lab or simulation, but the
attack has not yet been seen in the wild and does not seem possible in a real-life airplane environment.
For example, someone could demonstrate an attack in a computer lab or at a hacker
conference, but the reality is that it has not been (or currently cannot be) demonstrated
on an airplane due to physical accessibility to the system, procedures, security
measures, the differences between airplane systems and simulations, etc.
Implausible means no apparent weakness or vulnerability. While there is a path, there
are the appropriate technical and procedural security measures in place where it would
be implausible even for an attacker with special tools and/or skills.
No Path means there is literally no physical connection that an attacker can use in a
threat scenario. It can also mean the use of a physical control, such as a data diode, which
results in no path for the threat scenario in question. The Level of Threat is Extremely
Low as there is no such thing as zero risk.
The advantage of using Ease-of-execution as a measurement is that it is specific to
security whereas many other measurements are borrowed or derived from safety. This
aligns with Execution Means from the Security Effectiveness Method in Appendix E
which assigns points based on the attacker’s knowledge mapped to equipment needed
to carry out an attack.
The disadvantage is that ease-of-execution can potentially change over time with the
availability of tools. For this reason, ease-of-execution is one of several considerations
in this risk assessment methodology with the others being security requirements,
security measures, security based fault hazard assessment, and operator guidance.
Further, even though ease-of-execution can potentially change over time, regulators
require the DAH to monitor their designs for changes to the effectiveness of security
Each threat scenario has several execution steps which must be scored and AND’ed or
OR’ed to arrive at the final score for the threat scenario. In general, sequential steps in
a threat scenario are AND’ed, and when there is a choice of systems to compromise to
get to the next step, those are OR’ed as you only need to compromise one of them to
proceed. The first step in a threat scenario is almost always to obtain design knowledge,
whether it is generic/publicly available or custom/proprietary. This aligns with the
reconnaissance phase of penetration testing. Subsequent steps may include:
create injectable code, compromise system, create exploit, and execute
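As an added illustration of the AND/OR scoring just described (example code written for this review, not part of DO-356A), the function below assumes a combination rule the text leaves unstated: AND'ed sequential steps score as the hardest step, OR'ed alternatives as the easiest one. The level names are the page's; "Trivial" is assumed as the easiest level, and the scenario steps are constructed.

```python
from dataclasses import dataclass
from typing import List, Union

# Ease-of-execution levels, easiest to hardest for the attacker. The last four
# are defined in the text; "Trivial" is assumed here as the easiest level
# (its definition is cut off at the top of this page).
LEVELS = ["Trivial", "Non-Trivial", "Challenging", "Implausible", "No Path"]

@dataclass
class Step:
    name: str
    ease: str  # one of LEVELS

@dataclass
class Combine:
    op: str  # "AND" for sequential steps, "OR" for a choice of systems
    parts: List[Union[Step, "Combine"]]

def score(node):
    """Fold step scores into one scenario score.
    Assumed rule (the page does not state one): AND'ed steps are only as easy
    as the hardest of them, since every step must succeed; OR'ed alternatives
    are as easy as the easiest, since the attacker needs only one of them."""
    if isinstance(node, Step):
        if node.ease not in LEVELS:
            raise ValueError(f"unknown ease level: {node.ease}")
        return node.ease
    ranks = [LEVELS.index(score(p)) for p in node.parts]
    if node.op == "AND":
        return LEVELS[max(ranks)]
    if node.op == "OR":
        return LEVELS[min(ranks)]
    raise ValueError(f"unknown op: {node.op}")

def scenario(system_a_ease, system_b_ease):
    """Constructed scenario: reconnaissance, then a choice of two systems to
    compromise, then execution. Only the two system steps vary."""
    return Combine("AND", [
        Step("obtain design knowledge (publicly available)", "Non-Trivial"),
        Combine("OR", [
            Step("compromise system A", system_a_ease),
            Step("compromise system B", system_b_ease),
        ]),
        Step("execute", "Non-Trivial"),
    ])

if __name__ == "__main__":
    print(score(scenario("Challenging", "Non-Trivial")))  # Non-Trivial
    # A data diode in front of both systems leaves no path at all.
    print(score(scenario("No Path", "No Path")))          # No Path
```

Putting a data diode in front of both candidate systems turns the OR branch, and therefore the whole scenario, into No Path, which is the effect the text attributes to such a physical control.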
Security Based Fault Hazard Assessment
This determines the Severity of Threat Condition Effect (Impact) for the asset. Further
analysis should be done as there can be a difference between safety based and security
based fault hazard assessment. Each hazard effect enumerated in the safety based
hazard assessment should be reviewed and analysed from the perspective of malicious
intent and cyber security. Systems should be analysed for additional or changed hazard
effects as a result of malicious intent and cyber security attacks. For example, safety
designs often employ redundancy to mitigate the impact of a system failure. Many
times, these redundant systems are identical hardware and software. When viewed
from the perspective of a cyber attack, the redundant system does not provide
independent security measures. Should an attacker successfully exploit one system,
then you must consider that the redundant system is also exploited thereby nullifying
any reduction of hazard impact due to redundancy. Severity of threat condition is
defined in section 3.3 in Table 3-1.