SYSSEC: January 2008 Archives


January 5, 2008

Check out this Wired article and the FAA Report on which it is based about how the Boeing 787 control network is connected to the in-cabin entertainment network, which is probably not the design your average security guy would have chosen:
These special conditions are issued for the Boeing Model 787-8 airplane. This airplane will have novel or unusual design features when compared to the state of technology envisioned in the airworthiness standards for transport category airplanes. These novel or unusual design features are associated with connectivity of the passenger domain computer systems to the airplane critical systems and data networks. For these design features, the applicable airworthiness regulations do not contain adequate or appropriate safety standards for protection and security of airplane systems and data networks against unauthorized access. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing standards.

The FAA imposes the following requirement:

The design shall prevent all inadvertent or malicious changes to, and all adverse impacts upon, all systems, networks, hardware, software, and data in the Aircraft Control Domain and in the Airline Information Domain from all points within the Passenger Information and Entertainment Domain.

Obviously, this specifies a goal rather than a design, but it's pretty hard to see how this goal could be met without at minimum an airgap between the ACD/AID, and the PIED. I'm unaware of any networking technologogy which allows you to connect two networking domains together which can also guarantee that computers in the untrusted domains can't negatively impact computers in the trusted domains. The classic solution that falls short of airgaps is of course firewalls, but then you have to worry about vulnerabilities in the firewall, so this certainly doesn't prevent all attacks.

The more interesting question is whether an airgap is enough? An airgap provides good protection against logical attacks from the PIED network, but not against physical ones. Even if the ACD/AID cables are physically separate from the PIED cables, do they run through areas which are potentially accessible from the passenger cabin (especially the lavs!)? Do they use cryptography so that an attacker who accessed them couldn't directly talk to the ACD/AID network? Note that this isn't perfect protection, but it could substantially lower the attack surface.

Two other things worth noting here:

  • The Air Line Pilots Association (ALPA) comments suggest that: "a backup means must also be provided for the flightcrew to disable passengers' ability to connect to these specific systems.". This is enough to protect against some attacks (e.g., traffic flooding) but obviously doesn't help against subversion of the flight control systems, since it's not clear that once they have been subverted any plausible in-flight mechanism will allow you to regain control.
  • Airbus also provided several comments which seem mostly oriented towards covering their own future designs. For instance:
    AIRBUS Comment (b): Airbus stated that in the sentence ``The design shall prevent all inadvertent or malicious changes to, and all adverse impacts * * *'', the wording ``shall prevent ALL'' can be interpreted as a zero allowance. According to the commenter, demonstration of compliance with such a requirement during the entire life cycle of the aircraft is quite impossible because security threats evolve very rapidly. The only possible solution to such a requirement would be to physically segregate the Passenger Information and Entertainment Domain from the other domains. This would mean, for example, no shared resources like SATCOM (satellite communications), and no network connections. Airbus maintained that such a solution is not technically and operationally viable, saying that a minimum of communications is always necessary. Airbus preferred a less categorical requirement which allows more flexibility and does not prevent possible residual vulnerabilities if they are assessed as acceptable from a safety point of view. Airbus said this security assessment could be based on a security risk analysis process during the design, validation, and verification of the systems architecture that assesses risks as either acceptable or requiring mitigations even through operational procedures if necessary. Airbus noted that this process, based on similarities with the SAE ARP 4754 safety process, is already proposed by the European Organization for Civil Aviation Equipment (EUROCAE) Working Group 72 for consideration of safety risks posed by security threats or by the FAA through the document ``National Airspace System Communication System Safety Hazard Analysis and Security Threat Analysis,'' version v1.0, dated Feb. 21, 2006. Airbus said such a security risk analysis process could be used as an acceptable means of compliance addressed by an advisory circular.

I don't know that much about how this kind of in-flight network is usually designed or how much security analysis usually goes into it, but to the extent to which we're concerned about passenger subversion of flight control systems, this seems like an unusually hostile threat environment. In particular, if the plane is completely fly by wire, does that mean that someone who controlled the computers could potentially fly the plane where (or into) anything they wanted? What features are provided for regaining manual control in the case of such subversion?