Boeing just announced another delay for the 787, its second or third so far depending on who you believe, so I wanted to go back to a story Kim Zetter reported a few weeks ago on the Wired Threat Level blog:
Boeing’s new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane’s control systems, according to the U.S. Federal Aviation Administration.
The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems, an FAA report reveals.
Wow. This is a really basic mistake — and a great example of the kinds of risks we discuss in the National Academies/CSTB report Software for Dependable Systems: Sufficient Evidence? Of course one of the excellent things about the avionics certification process is that the FAA does an analysis of the “special conditions” for new designs and publishes its findings (in the Federal Register, no less; a good example of the transparency we call for). According to Kim’s article, they’ll deny certification to the 787 until this is fixed – and well they should.
Boeing’s response doesn’t seem to me like they’re acknowledging the problem:
Boeing spokeswoman Lori Gunter said the wording of the FAA document is misleading, and that the plane’s networks don’t completely connect.
Gunter wouldn’t go into detail about how Boeing is tackling the issue but says it is employing a combination of solutions that involves some physical separation of the networks, known as “air gaps,” and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn’t want to discuss in public.
“There are places where the networks are not touching, and there are places where they are,” she said.
Sounds to me like they’re connected. In my opinion (and I’ve heard other security experts say the same), relying on software firewalls or even hardware firewalls for protection in a situation like this is appallingly insufficient. And yes, I do feel strongly about this.
How’d that get through QA?
jon | 19-Jan-08 at 6:58 pm
In Kim’s follow-up story (which I hadn’t read when I originally posted), an FAA person goes into more detail:
Still, the Boeing person-of-spoke did talk about “software firewalls,” which certainly implies a network-level connection … they might just have been using a magic incantation, though. It would be interesting to see just what kinds of “connections” the FAA found.
Liminal states » Archive » What’s up with me, mid-January edition | 21-Jan-08 at 11:30 am
[…] was on a few years ago. So expect to see more software- and systems-related stories, such as the Boeing 787 network coupling. It’s also a great chance to catch up with the stories from the static analysis field; […]
A “Computing Futures” Blog? | CSDiary | 22-Jan-08 at 11:02 am
[…] from Intel. An always entertaining one … is Jon Pincus’ blog. See, for example, his article on a serious computing security problem on the new Boeing […]
jon | 22-Jan-08 at 11:14 am
In an email discussion, somebody who understands the certification process a lot better than I do clarified (thanks for permission to quote!):
Very useful; and consistent with the FAA’s clarification. This really ties into one of the things we looked at on the committee: how certification processes did not handle updates well at all — a huge problem when software needs to be patched, and also something that leaves systems vulnerable to function creep.
Martyn Thomas | 23-Jan-08 at 3:52 am
The National Academy of Sciences committee (http://www7.nationalacademies.org/CSTB/project_dependable.html) emphasised the need for explicit dependability (including safety) claims coupled with scientifically sound evidence that these claims are justified. (I was privileged to have been a member of this committee, with Jon).
Where safety is dependent on the behaviour of software, it is almost never sufficient to rely on the results of testing to show that safety claims are true, because it is impractical to test thoroughly enough or for long enough to get strong evidence for strong safety claims.
This means that if the Boeing spokesperson’s reference to “software firewalls” is correct, the FAA should be looking for safety evidence that includes strong mathematical/logical analysis of the software.
One further point. The safety of most avionics can be treated from a purely safety perspective, where failures that have no common cause can be treated as occurring independently, so that the probability of simultaneous failures is (roughly) the product of the probabilities of the separate failures. But the case discussed on this thread is different, because it is possible that a passenger may be trying to bring about a failure deliberately. The safety of the systems therefore also depends on the *security* of the networks, which raises issues that many safety cases do not need to address.
Daniel Jackson | 23-Jan-08 at 11:38 am
Following on Martyn’s point: While it is true that testing alone cannot establish the level of dependability you need for this application, mathematical analysis is very expensive.
That’s why decoupling is so effective. In the approach to dependability that our study outlines, the software need not be developed to a uniform level of dependability.
If the entertainment network can be shown to be fully decoupled from the avionics network, it would itself require only the level of scrutiny commensurate with the dependability requirements of an entertainment system, and the investment in more powerful and expensive analyses could be focused on the avionics network (and on the claim of decoupling).
jon | 23-Jan-08 at 2:18 pm
Excellent points! Especially as systems get larger, decoupling and other techniques for breaking things down into manageable pieces are absolutely crucial for being able to come up with verifiable evidence (or claims) without having the costs overwhelm you.
Of course, what makes it tricky is knowing where the system ends. Taking the FAA’s example, the avionics and entertainment networks both communicate through the same satellite. Do they actually share some network connectivity there? [This could explain Boeing’s ‘firewalls’ comment.] If so, that’s a much riskier situation than the hypothetical “time-sharing” the FAA is discussing. Unfortunately, this kind of information isn’t made public, and Boeing certainly isn’t being very forthcoming.