GUIDANCE FOR SECURITY EVENT LOGGING IN AN IP ENVIRONMENT
Publication Date: 21 June 2017
This report sets forth guidance for IP-based onboard networks and systems residing in the Airline Information Services (AIS) and Passenger Information and Entertainment Services (PIES) Domains by establishing a common set of security-related data elements and format(s) that are produced by aircraft systems, suitable for use by airline IT and/or avionic supplier analytical ground tools.
There are many IT industry organizations working in this field which this report references and uses as a baseline. This report is meant to be a companion to NIST 800-92: Guide to Computer Security Log Management and RFC 5424: The Syslog Protocol. NIST 800-92 specifies the basics of computer security logs, log management infrastructure, log management planning, and log management operational processes. RFC 5424 specifies the syslog protocol, used to convey event notification messages, allows multiple transport protocols and provides a message format that allows supplier-specific extensions to be provided in a structured way.
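As an added illustration of the RFC 5424 message format referenced above (this is example code written for this page, not material from the ARINC report, NIST, or any avionics supplier), the parser below reads syslog lines that carry supplier-specific structured data and flattens them into records a ground SIEM could ingest. It handles the PARAM-VALUE escaping the RFC requires (backslash before `"`, `\` and `]`), the NILVALUE `-` for empty structured data, and the optional trailing MSG. The sample lines, hostnames and the SD-IDs `authEvent@32473` and `netEvent@32473` are constructed for the example; 32473 is the enterprise number IANA reserves for documentation.

```python
"""Parse RFC 5424 syslog lines with structured data into flat SIEM-style records."""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines (not from any real aircraft system). Host names,
# SD-IDs and parameter names are invented; 32473 is IANA's documentation
# enterprise number, used here for the supplier-specific extensions.
SAMPLE_LINES: List[str] = [
    '<134>1 2017-06-21T10:15:32.000Z ife-server-01 auth 2012 ID47 '
    '[authEvent@32473 user="crew01" result="failure" reason="bad password"]'
    '[origin ip="10.0.0.5"] Login attempt rejected',
    '<131>1 2017-06-21T10:16:02.000Z ife-server-01 fw - ID48 '
    r'[netEvent@32473 rule="deny-egress" detail="payload \"x\" has \] inside"] Blocked',
    '<14>1 2017-06-21T10:17:00Z gw-01 cron - - -',
]

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) '
    r'(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) '
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    version: int
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    structured_data: Dict[str, Dict[str, str]]
    msg: Optional[str]


def _parse_structured_data(text: str, pos: int):
    """Parse STRUCTURED-DATA starting at text[pos]; return ({sd_id: {name: value}}, pos)."""
    if text.startswith('-', pos):          # NILVALUE: no structured data
        return {}, pos + 1
    elements: Dict[str, Dict[str, str]] = {}
    while pos < len(text) and text[pos] == '[':
        end = pos + 1                       # SD-ID runs until SP or ']'
        while end < len(text) and text[end] not in ' ]':
            end += 1
        sd_id = text[pos + 1:end]
        if not sd_id:
            raise ValueError('empty SD-ID')
        params: Dict[str, str] = {}
        pos = end
        while pos < len(text) and text[pos] == ' ':   # each SD-PARAM is SP name="value"
            eq = text.find('=', pos + 1)
            name = text[pos + 1:eq]
            if eq < 0 or not name or any(c in name for c in ' ]"'):
                raise ValueError('malformed PARAM-NAME')
            if eq + 1 >= len(text) or text[eq + 1] != '"':
                raise ValueError('PARAM-VALUE must be quoted')
            pos = eq + 2
            value: List[str] = []
            while True:                     # copy PARAM-VALUE, undoing the RFC's escapes
                if pos >= len(text):
                    raise ValueError('unterminated PARAM-VALUE')
                ch = text[pos]
                if ch == '\\' and pos + 1 < len(text) and text[pos + 1] in '"\\]':
                    value.append(text[pos + 1])
                    pos += 2
                elif ch == '"':
                    pos += 1
                    break
                else:
                    value.append(ch)
                    pos += 1
            params[name] = ''.join(value)
        if pos >= len(text) or text[pos] != ']':
            raise ValueError("SD-ELEMENT not closed with ']'")
        pos += 1
        elements[sd_id] = params
    if not elements:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more SD-ELEMENTs")
    return elements, pos


def parse_syslog(line: str) -> SyslogEvent:
    """Parse one RFC 5424 line; raise ValueError on anything that does not conform."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 header')
    pri = int(m.group('pri'))
    if pri > 191:                           # PRI = facility*8 + severity, max 23*8+7
        raise ValueError('PRI out of range')
    sd, pos = _parse_structured_data(line, m.end())
    msg = None
    if pos < len(line):                     # optional MSG follows a single SP
        if line[pos] != ' ':
            raise ValueError('expected SP before MSG')
        msg = line[pos + 1:]
    return SyslogEvent(pri // 8, pri % 8, int(m.group('version')), m.group('timestamp'),
                       m.group('hostname'), m.group('appname'), m.group('procid'),
                       m.group('msgid'), sd, msg)


def to_siem_record(ev: SyslogEvent) -> Dict[str, object]:
    """Flatten an event into one dict; SD params become 'sd_id.name' keys."""
    rec: Dict[str, object] = {
        'facility': ev.facility, 'severity': ev.severity, 'timestamp': ev.timestamp,
        'host': ev.hostname, 'app': ev.appname, 'procid': ev.procid,
        'msgid': ev.msgid, 'msg': ev.msg,
    }
    for sd_id, params in ev.structured_data.items():
        for name, value in params.items():
            rec[f'{sd_id}.{name}'] = value
    return rec


if __name__ == '__main__':
    for sample in SAMPLE_LINES:
        print(json.dumps(to_siem_record(parse_syslog(sample))))
```

Each line of output is one JSON object, which is the shape most ground SIEM tools accept directly; keeping the supplier's SD-ID in the flattened key (for example `authEvent@32473.user`) preserves the provenance of each field, so data from different suppliers can share one pipeline without colliding on generic names.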
This report leverages the above industry best practices to provide guidance for aircraft manufacturers, equipment suppliers, and operators. The scope of this guidance excludes:
- Non-security related logging
- Aircraft Control Domain (ACD)
- Specific implementation details
It is recommended that this guidance be referenced for security log best practices where Aircraft Control Domain systems have implied or explicit security logging requirements.
Purpose and Objectives
Aircraft designers have adopted Internet Protocol (IP)-based technologies into their onboard network architectures to leverage new capabilities, increase interoperability, and realize commercial benefits. Given the potential for increased security vulnerabilities that these technologies bring, security logs are an important tool for identifying abnormal behaviors that might indicate the presence of a security threat, and for supporting security investigations.
Avionics components and systems have generated fault and activity logs for decades. These logs have typically been defined and used by the Original Equipment Manufacturer (OEM) for performance and maintenance functions. With the introduction of onboard networks and systems with external connectivity and the many applications being developed for these systems, logs are also being used to capture security content, and are now being directly reviewed by airlines to monitor the integrity of the systems. The analysis of these security logs is a holistic process, which assesses data from all of the networked systems, and therefore, benefits from standard formats and approaches across suppliers.
For airlines to successfully utilize these logs, the logs need to be offloaded from aircraft on a regular and routine basis for ingestion into ground analytical tools. This process must be automated and fit into existing ground-based network and system security logging, analysis, reporting, and event and incident forensic analysis processes. In addition, standardization of aircraft log contents is needed to ensure that the logs contain appropriate data to support analysis and to reduce the impacts of ingesting these files into current industry tools and processes.
In addition, business and regulatory requirements call for logging and monitoring of onboard applications. Authorities may demand a required level of security for IP-based aircraft communication systems that must be maintained. These security requirements, and related best practices, may be independent of safety-driven certification requirements and therefore may require a different set of operational procedures. For example, systems performing credit card payment processing must also meet related Payment Card Industry (PCI) requirements. Security logging and monitoring are important enablers for retaining the required level of security of IP-based aircraft systems.
The methodology employed for the security-driven program should align with the methodology employed for the maintenance program.
Normally, the certification specification focuses on requirements concerning safe flight and landing that an aircraft manufacturer must fulfill to achieve a type certificate for an aircraft design. Continued airworthiness is subsequently achieved by an operator through the implementation of a maintenance program. This program must conform to the standards set by both the authorities and the aircraft manufacturer, thus maintaining the required level of safety.
The objectives of this document are to:
- Provide avionics system designers with a generic set of security logging and monitoring guidelines
- Provide airlines with guidance on how to process the security log data that the aircraft systems will produce
- Establish a baseline for standard security-related data collection types and a standard set of data elements that should be stored, monitored, and analyzed for the presence of security issues
- Identify supporting documents that are to be provided by the equipment suppliers to support the interpretation of security log contents and the ingestion of the logs into ground tools
- Consider forensic analysis of security events and incidents
- Define security and integrity of logs
- Consider current cabin systems (entertainment and satellite connectivity) that generate logs, and the routine analysis of those logs that is part of the PCI requirements airlines must meet
- Consider log file formats that IT ground Security Information and Event Management (SIEM) tools can ingest
- Establish a framework for continuous improvement of security log analysis as the industry gains experience with aircraft information security analysis and mitigation