Up, up and away

Forget wings - if God had really meant us to fly, we'd have been given redeemable air miles
Forget wings - if God had really meant us to fly, we'd have been given redeemable air miles

Forget wings - if God had really meant us to fly, we'd have been given redeemable air miles, and the Garden of Eden would have had an executive waiting lounge. But, thanks to our ingenuity, we're doing it anyway.

Aviation security is fraught with challenges, but they are markedly different from the security problems facing the aerospace sector. Before the Transportation Security Administration worries about getting passengers safely to their destinations, the aircraft have to first be built - bringing a whole new set of hurdles. Because aerospace companies tend to engage in public sector defense projects alongside civilian ones, they quickly become embroiled in an arcane set of regulatory frameworks that must be navigated with care. Their security systems must satisfy these regulations, or they will find themselves open to fines and perhaps exclusion from key projects.

Governments impose strict controls on the information that is passed over national boundaries, and are also strict in their regulation of the security systems used. The Defense Federal Acquisition Regulation Supplement (DFARS), for example, governs purchasing regulations for the defense sector, while other regulations also apply to the transnational flow of information.


The International Traffic in Arms Regulations (ITAR) control the import and export of defense-related information found on the US munitions list. Such regulations can cause problems for smaller suppliers that want to work with larger contractors, warns Allen Dillon, director of business development and government relations for the defense, security and aerospace business unit of Canadian systems integrator xWave, and vice president of the Aerospace and Defense Industries Association of Nova Scotia (ADIANS).

"They are a very difficult burden for the average company to deal with. We all understand the process, and the level of commitment that’s required," he warns. Companies will often have to employ between one and three people to administer the paperwork. Another problem is that if a system is sold to a US aerospace player and becomes part of a framework used by the US Government, it becomes prohibited from international sale unless the US Government approves it. "There are many technologies where we have rewritten our core engines to get around the problem," says Dillon. That's another barrier that makes it harder for smaller companies to get involved in lucrative US aerospace contracts.

You are not alone


"You couldn’t even begin to draw boundaries around where all this data is gong to be."
Jeff Nigriny, Certipath

Such regulatory challenges feed directly into commercial ones. The complexity of most aerospace projects means that a single contractor, or even a moderate group of contractors, cannot complete a project alone. Instead, a wide variety of subcontractors must be involved. And the public sector nature of many aerospace projects means that governments like to have a say in who gets contracted. Take the Joint Strike Fighter (JSF) project, the next-generation fighter plane contracted by the US with extensive international participation.

Lockheed Martin was the prime contractor on the project, and subcontracted Northrup Grumman, and BEA. The DoD ordered them to use Pratt and Whitney for the engines, but to give Rolls Royce a look-in because the UK MoD was also spending money on the project, recalls Jeff Nigriny, president of Certipath, a certificate authority specializing in aerospace. Each of the top contractors then chose their own tier-one vendors, and so on down the line, until there were subcontractors from every continent bar Antarctica working on the craft.

"You couldn’t even begin to draw boundaries around where all this data is gong to be. So their ultimate security model ended up being a huge one-off with a bunch of leased lines with six monthly audits," recalls Nigriny. "So they set up an entire division of Lockheed that just worries about the security of the supply chain."

Nigriny explains that the problems faced by the participants in the JSF were instrumental in the creation of the Transglobal Secure Collaboration Program (TSCP). This is a consortium of aerospace stakeholders including Lockheed, Northrup Grumman, BEA, EADS and governmental players such as the DoD and MoD. The TSCP was formed to try and reconcile the need for large, diffuse supply chains and tight security controls, and is developing standards for secure operations in between aerospace firms. A standard mechanism for sending secure email was the first project that the TSCP tackled.

Certipath manages the organization of the TSCP, along with the development of new processes to be used by the consortium. It acts as a root certification authority designed to enable cross-certification of companies operating in the aerospace sector. It was set up by Exostar, a supply chain management software company targeting the aerospace sector, along with Arinc, and SITA. It licenses those companies as service provider CAs, who can in turn, certify aerospace firms. It also operate PKI certification to the US Federal Bridge Certification Authority, which is a government mechanism for interoperability between different PKIs.

Certipath operates a verification process for companies wanting to be cross-certified with the Federal Bridge. Those that pass become part of a trust path, and can be trusted by others through transitive relationships. Northrop Grumman may not have a direct trust relationship with a small aerospace subcontractor in France, for example, but if that company is cross-certified through Certipath, then it can trust it indirectly.

Stamp of approval


"Information protection should be data independent."
Vijay Takanti, Exostar


The advantage of running a service like this is that companies do not need to operate their own public key infrastructures, says Nigriny. PKIs can be complex to maintain, and they are only as good as the certification process. Certipath looks at a variety of internal company processes including human resources as part of its certification process. It is also working to set up regional certificate authorities, and is 12-14 months away from rolling out that initiative in the Asia-Pacific region.

Sending secure email between participating aerospace companies was the first deliverable security project for Certipath and the TSCP, but it's little more than a testing ground for the processes that support these trust relationships. The challenge becomes more difficult as the interactions between companies get more sophisticated. The TSCP is planning several further initiatives, including a focus on data-centric security to stop sensitive information being leaked from participating companies.

"Information protection should be data independent," explains Vijay Takanti, VP of security and collaboration services at Exostar, describing the TSCP's information asset protection program. That initiative, to be developed throughout 2009 and 2010, will focus on tagging data within companies, reflecting a broader drive in the private sector to use metadata as the basis for data-centric security initiatives.

However, getting aerospace companies to tag their data is going to be a big challenge. If they are to tag legacy data, then systems will need upgrading, and data structures will need to be analyzed. All of this has to happen during an unprecedented economic downturn which has taken a particular toll on the civil aviation business. Will aerospace companies be willing to support it? Wayne Grundy, director of the TSCP, hopes that a mixture of government enforcement, and an understanding that standardization can cut costs, will help drive them in the right direction. "What we need to do is break into their insular approach and tell them that this is a standard approach that could save them money," he says. "We also hope that government will mandate this, because it's in their best interests."

Least privilege
Another challenge linked to data-centric security involves enforcing the principle of least privilege, not only within aerospace companies, but among their partners. Employees shouldn't be able to access any resources in their own companies - or anyone else's - that they don't need to see. Rather than getting tangled up trying to solve the problem for each participant, Nigirin instead explains that the organization opted to create generic roles and data markings, and have companies map their own roles onto them as best they can.


"There is legal concern that if Lockheed finds its data was mishandled, and that the mappings haven’t been perfect, that’s a problem. So you have to get companies to buy in," Nigirin warns. The organization will focus on specific programs such as the F22 fighter jet to help make the roles more appropriate to the task at hand. It also hopes to at least partly solve the problem around inertia in meta tagging large amounts of information, by focusing on new projects, rather than retrospective tagging of older data.

The TSCP and Certipath have a long way to go in pulling together these vastly complex supply chains and imposing a single, cohesive security structure across them all. But if they succeed, they will enable an unprecedented level of co-operation across the aerospace sector, and could help participants to focus on what's important: driving more innovation into the aerospace sector at supersonic speeds.

What’s Hot on Infosecurity Magazine?