Is *that* why they make you wait till you’re at 10,000 feet to turn computers on?

Boeing just announced another delay for the 787, its second or third so far depending on who you believe, so I wanted to go back to a story Kim Zetter reported a few weeks ago on the Wired Threat Level blog:

Boeing’s new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane’s control systems, according to the U.S. Federal Aviation Administration.

The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems, an FAA report reveals.

Wow. This is a really basic mistake — and a great example of the kinds of risks we discuss in the National Academies/CSTB report Software for Dependable Systems: Sufficient Evidence? Of course one of the excellent things about the avionics certification process is that the FAA does an analysis of the “special conditions” for new designs and publishes its findings (in the Federal Register, no less; a good example of the transparency we call for). According to Kim’s article, they’ll deny certification to the 787 until this is fixed – and well they should.

Boeing’s response doesn’t seem to me like they’re acknowledging the problem:

Boeing spokeswoman Lori Gunter said the wording of the FAA document is misleading, and that the plane’s networks don’t completely connect.

Gunter wouldn’t go into detail about how Boeing is tackling the issue but says it is employing a combination of solutions that involves some physical separation of the networks, known as “air gaps,” and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn’t want to discuss in public.

“There are places where the networks are not touching, and there are places where they are,” she said.

Sounds to me like they’re connected. In my opinion (and I’ve heard other security experts say the same), relying on software firewalls or even hardware firewalls for protection in a situation like this is appallingly insufficient. And yes, I do feel strongly about this.

How’d that get through QA?

Comments

7 responses to “Is *that* why they make you wait till you’re at 10,000 feet to turn computers on?”

  1. In Kim’s followup story (which I hadn’t read when I originally posted), an FAA person goes into more detail:

    I had asked him a question about what exactly the FAA meant in its special condition when it wrote that the passenger, navigation and maintenance networks on the 787 were “connected,” since I wanted to make sure that I hadn’t misinterpreted what the FAA was describing. He wrote:

    “In the context of the special conditions, the FAA used the concept of ‘connection’ between the passenger, airline, and airplane domains very broadly. Earlier technology typically had physical and electrical isolation between these systems. These special conditions came about because the new designs do not necessarily provide complete physical and electrical isolation. As a generic example, a ‘connection’ in this context could be something such as time sharing a satellite receiver for data transmission. Not all types of ‘connections’ present the same vulnerabilities. Each must be assessed and addressed by Boeing.”

    Still, the Boeing person-of-spoke did talk about “software firewalls,” which certainly implies a network-level connection … they might just have been using a magic incantation, though. It would be interesting to see just what kinds of “connections” the FAA found.

  2. […] was on a few years ago.  So expect to see more software- and systems-related stories, such as the Boeing 787 network coupling.  It’s also a great chance to catch up with the stories from the static analysis field; […]

  3. […] from Intel. An always entertaining one … is Jon Pincus’ blog. See, for example, his article on a serious computing security problem on the new Boeing […]

  4. In an email discussion, somebody who understands the certification process a lot better than I do clarified (thanks for permission to quote!):

    From a regulatory viewpoint, the FAA cannot dismiss this even if there are two independent and separated buses all the way to the ground because there are no current regulatory constraints for airborne networks that would continue to assure that this will not be changed. They issued a special condition (not a report that I’m aware of) to provide the hooks to preclude any safety problems that could be associated with merged data and allow a review of the current approaches. A special condition basically has the full force of a regulation but applies only to the aircraft specified in the special condition. Each time a new certification project is presented, the special condition must be asserted for that project. In general, special conditions eventually become regulations. As an example, within a few years after solid state electronics with small geometries were introduced (and after a public incident with electromagnetic interference (EMI) with an aircraft) the FAA issued a special condition on EMI and lightning that had to be levied on each new certification project for almost 20 years until a harmonized regulation was passed.

    Very useful; and consistent with the FAA’s clarification. This really ties into one of the things we looked at on the committee: how certification processes did not handle updates well at all — a huge problem when software needs to be patched, and also something that leaves systems vulnerable to function creep.

  5. The National Academy of Sciences committee (http://www7.nationalacademies.org/CSTB/project_dependable.html) emphasised the need for explicit dependability (including safety) claims coupled with scientifically sound evidence that these claims are justified. (I was privileged to have been a member of this committee, with Jon).

    Where safety is dependent on the behaviour of software, it is almost never sufficient to rely on the results of testing to show that safety claims are true, because it is impractical to test thoroughly enough or for long enough to get strong evidence for strong safety claims.

    This means that if the Boeing spokesperson’s reference to “software firewalls” is correct, the FAA should be looking for safety evidence that includes strong mathematical/logical analysis of the software.

    One further point. The safety of most avionics can be treated from a purely safety perspective, where failures that have no common cause can be treated as occurring independently, so that the probability of simultaneous failures is (roughly) the product of the probabilities of the separate failures. But the case discussed on this thread is different, because it is possible that a passenger may be trying to bring about a failure deliberately. The safety of the systems therefore also depends on the *security* of the networks, which raises issues that many safety cases do not need to address.

  6. Following on Martyn’s point: While it is true that testing alone cannot establish the level of dependability you need for this application, mathematical analysis is very expensive.

    That’s why decoupling is so effective. In the approach to dependability that our study outlines, the software need not be developed to a uniform level of dependability.

    If the entertainment network can be shown to be fully decoupled from the avionics network, it would itself require only the level of scrutiny commensurate with the dependability requirements of an entertainment system, and the investment in more powerful and expensive analyses could be focused on the avionics network (and on the claim of decoupling).

  7. Excellent points! Especially as systems get larger, decoupling and other techniques for breaking things down into manageable pieces are absolutely crucial for being able to come up with verifiable evidence (or claims) without having the costs overwhelm you.

    Of course, what makes it tricky is knowing where the system ends. Taking the FAA’s example, the avionics and entertainment networks both communicate through the same satellite. Do they actually share some network connectivity there? [This could explain Boeing’s ‘firewalls’ comment.] If so, that’s a much riskier situation than the hypothetical “time-sharing” the FAA is discussing. Unfortunately, this kind of information isn’t made public, and Boeing certainly isn’t being very forthcoming.
