A bit of background… A couple weeks ago, a particular FAA warning notice surfaced on the Internet. The warning was sent to Boeing to put them on notice to ensure—and I’m not making this up—that they build a software protection mechanism so that passenger data won’t make its way onto the aircraft’s flight control networks.
You read that correctly: the in-flight passenger data network is connected to the network that carries flight control data. It seems that the interconnection was found during a design review by the FAA and others, including Boeing’s archrival, Airbus. (Good of Airbus, don’t you think?)
Of course, I applaud the FAA for doing an architectural risk analysis of the system; I’ve done hundreds of these and firmly believe they’re time well spent. But what could possibly have lead Boeing’s engineers to think it would be a good idea to have an interconnection between the passengers and the flight controls? Without a doubt, none of us need to be reminded of the risks involved.
Oh, and it gets worse. The FAA warning didn’t instruct Boeing how to ensure separation between passenger and flight control data. Instead, they’re leaving it up to the same people who came up with the flawed design in the first place to come up with a fix. Great.
Now, let’s consider this a little deeper. If the design review findings are correct and there really is a potentially dangerous connection between the two worlds that absolutely must be kept apart, then it is likely to have been a conscious decision. I can’t imagine an information security professional who wouldn’t have counseled against such a thing.
As I said, the only rationale I’ve been able to come up with are that they were either ignorant or, even worse, guilty of unparalleled hubris.
If they were ignorant, shame on them. Shame on them for putting passenger lives at risk in this way. Shame on them for not adequately doing a domain analysis to explore things like the threats, attack surfaces, and potential technological weak points. Shame on them for designing a data system without any understanding of how data systems can be attacked. With luck, though, the FAA warning will have jolted them into an acceptable level of awareness.
If they did understand all of these things and they did it anyway, then things are far worse. There is then an implicit assumption that they could build some form of software firewall that would do the job perfectly—because the public will no doubt expect and accept nothing short of perfection.
Will it be built on existing building blocks? Open source? Proprietary firewall technologies? How will the system adapt to new attacks as they are discovered? Will each 787 do a Windows Update (or equivalent) just before it takes to the skies? Heaven forbid.
If Boeing heeds the FAA’s warnings, it’s likely that we’ll see a software barrier between the passenger data and the flight control systems. Software security practitioners will be quick to tell you that we can’t test security into a system. We can’t measure its level of security and validate it to be 100%. There will always be unknowns. There will always be human mistakes.
Is any one of us willing to accept that, when we were warned of the problem and should have known better? I didn’t think so.
I’ve heard it argued that the network design may have come from weight limitations. Well, to that argument, I say that many airlines are currently deploying Wi-Fi networks in their aircraft, and to my knowledge, they’re doing it without any connectivity between the passenger and flight control networks.
From my safe, distant vantage point, I can only say I wouldn’t trust anything short of the best firewall in the world, the “air gap.” That is, complete separation between the flight control and passenger data.
And there’s the lesson that we can all take away from this issue, even if we’re not designing ultra-high tech passenger jets. There’s no software firewall product that will ever provide the level of protection of a complete air gap. When we look at our own data centers, we should judiciously (but still carefully) separate our own administrative and management data from our customers’ production data.
VLANs, firewalls, and all those other shiny little security boxes we all seem to like so much are fine and well. But when we absolutely require data separation, I have yet to meet the data packet that can safely cross the air gap. And I’m not talking wireless here.
I just shudder to think of the human tragedy that could come from a software failure in this system. Add to that the dollar amount in the out-of-court settlement that will no doubt happen just as the FAA warning is read during the inevitable lawsuit, and it’s not a pretty situation.
Let’s just hope Boeing makes the right decision. As for me, for once I’m not just content, but ecstatically happy that the airline I spend far too much time on—and whose 747-400 I’m currently strapped to while typing this—hasn’t even ordered any of these new Dreamliners yet. That’s one firewall for which I’ll prefer to wait for version 1.1.