If Boeing heeds the FAAs warnings, its likely that well see a software barrier between the passenger data and the flight control systems. Software security practitioners will be quick to tell you that we cant test security into a system. We cant measure its level of security and validate it to be 100%. There will always be unknowns. There will always be human mistakes.
Is any one of us willing to accept that, when we were warned of the problem and should have known better? I didnt think so.
Ive heard it argued that the network design may have come from weight limitations. Well, to that argument, I say that many airlines are currently deploying Wi-Fi networks in their aircraft, and to my knowledge, theyre doing it without any connectivity between the passenger and flight control networks.
From my safe, distant vantage point, I can only say I wouldnt trust anything short of the best firewall in the world, the air gap. That is, complete separation between the flight control and passenger data.
Security and the Politics of Fear
Norton Internet Security 2008: Faster, Stronger
Microsoft's New Patent: The Dark Side of SaaS
Google's Android vs. Apple's iPhone: Which is More Secure?|
And theres the lesson that we can all take away from this issue, even if were not designing ultra-high tech passenger jets. Theres no software firewall product that will ever provide the level of protection of a complete air gap. When we look at our own data centers, we should judiciously (but still carefully) separate our own administrative and management data from our customers production data.
VLANs, firewalls, and all those other shiny little security boxes we all seem to like so much are fine and well. But when we absolutely require data separation, I have yet to meet the data packet that can safely cross the air gap. And Im not talking wireless here.
I just shudder to think of the human tragedy that could come from a software failure in this system. Add to that the dollar amount in the out-of-court settlement that will no doubt happen just as the FAA warning is read during the inevitable lawsuit, and its not a pretty situation.
Lets just hope Boeing makes the right decision. As for me, for once Im not just content, but ecstatically happy that the airline I spend far too much time onand whose 747-400 Im currently strapped to while typing thishasnt even ordered any of these new Dreamliners yet. Thats one firewall for which Ill prefer to wait for version 1.1.