Is the 787 safe from attack by computer hackers? With the plane still months away from its first commercial flight, the Federal Aviation Administration (FAA) last week issued a document that raises questions about the security of the 787’s computer architecture.
This “special conditions” document focuses on the interconnectedness of the aircraft’s three key data domains: those related to aircraft safety and control, business and administrative functions and passenger entertainment and information systems. “The proposed architecture of the 787 is different from that of existing production and retrofitted airplanes. It allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane. Because of this new passenger connectivity, the proposed data network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane,” the FAA document states.
A Wired News article brought the document to light last week, noting that it was “causing concerns in security circles.” Engineers familiar with the aviation certification process and avionics design practices may be less inclined to worry for a couple of reasons.
First off, “special conditions” documents are not necessarily that big of a deal. According to FAA spokesman Allen Kenitzer, the administration issues them whenever its engineers encounter “novel or unusual design features” not covered in existing commercial airworthiness standards. These special conditions documents can trigger additional testing or validation steps on the part of aircraft makers. In this case, the existing standards didn’t adequately address the issue of unauthorized access to the 787’s onboard data networks, Kenitzer reports.
Boeing’s embrace of so many new technologies on the 787 may make the company all the more likely to have special conditions placed on it. And Kenitzer confirms that FAA will issue additional special conditions for other design features on the 787.
For its part, Boeing seems to be taking the problem in stride. Calling the special conditions “an important formality,” company spokesperson Lori Gunter notes that Boeing has for months been working with the FAA to establish new analysis and testing methodologies tailored to the plane’s new computer architecture. “The special conditions document doesn’t call for a design change,” she points out.
Gunter declined to give any specifics about how the 787’s different network domains interact. “One good way to maintain security is not to talk about it in detail,” she says, adding that Boeing already had a 787 network security solution in place long before the special conditions document was published.
The Dreamliner’s security rests on the robust design practices associated with avionics systems, according to Bruce Schneier, a well-known security technologist and author. “They have really impressive security, far better than what you would find with any consumer software,” he says. He also points out how unlikely it would be for any maker of commercial aircraft to intentionally give passengers access to avionics systems. “That would be nutty,” he says.
For now, Schneier is not getting too worked up about the 787 in particular. “There isn’t enough information to pass judgement,” he says.
Yet he does argue that the issue of network security onboard aircraft will only become more pronounced as more and more types of information systems take to the skies. “Just like everywhere else in life, increased interconnectedness can create all kinds of security badness,” he says.
Schneier isn’t the only one to recognize the new security vulnerabilities and challenges on our networked aircraft. One of the most telling parts of the FAA document, which contains public comments, came from none other than Airbus. Boeing’s rival weighed in with the notion that security compliance through design alone wouldn’t be sustainable throughout the plane’s lifecycle, since security threats evolve so rapidly. Airbus also argued against physically segregating the passenger domain from the mission-critical control domain, claiming a minimum of communication between them is necessary.
Rather than complete segregation, Airbus’ comments foretell a security approach that eliminates vulnerabilities through operational procedures or even tolerates some vulnerabilities that have been assessed as acceptable from a safety point of view.
Think of it as flying on a wing and a prayer and a broadband connection.