TECH TALK


or higher, degree of safety and assurance, avionics vendors should be performing complete line-by-line code review and risk assessment of their software (which all do, but perhaps not enough from a security perspective). According to various industry sources, the software development industry average rule of thumb is that every 1,000 lines of code will have 10 to 50 bugs (possible vulnerabilities). For example, a stripped-down specialized version of Linux can eliminate all unnecessary services such as printing, USB drivers, keyboard/video, etc., dramatically reducing the number of lines of code and the security risk while increasing speed and performance. Microsoft’s average is 10 to 20 bugs per 1,000 lines, so a Windows operating system containing 90 million lines of code can have up to 1,800,000 bugs when introduced into the market. The FAA and the industry standards bodies need to identify more comprehensive guidance and policies for identifying and mitigating potential cyber security issues with all on-board and support systems.


WHAT NEEDS TO BE DONE TO REMEDY THIS SITUATION


Thankfully, it is not very feasible for anyone to easily access critical aircraft systems via the IFE, since in-flight entertainment systems are either physically or virtually walled off from such devices. Some aircraft use virtual private networks (VPNs) to separate various networks in an aircraft, which are generally safe from cyber issues (but, in full disclosure, not completely).


Another typical approach is the use of a network extension device (NED), which is a networking solution that enables data transfers between avionics systems and IP-based equipment (such as IFE systems). These NEDs enforce network security via firewalls and manage communication systems and high-speed datalinks to provide connectivity between an aircraft and ground/satellite networks.


Aircraft are generally safe from cyber-attacks emanating from IFE systems. Wireless access to an IFE system has some degree of built-in security by the IFE vendor, in addition to the security provided via VPNs/NEDs/aircraft networking equipment. USB ports on some seatbacks are becoming an issue since researchers have uncovered vulnerabilities with all such ports. (This is a specialized emerging topic for another day.) In general, it can be said that modern aircraft, avionics and their ground systems have not kept up with the cyber security risks that have emerged in recent years. IFE systems are merely part of the equation here, with other systems being a higher risk. Part of this is a legacy issue where aircraft used to have completely separated data communications (no longer true in some newer-build aircraft), where avionics systems had minimal computer interfaces (not anymore, especially with Ethernet-inspired data busses such as AFDX/ARINC 664), and where it was tolerable for industry best practices and FAA guidance to lag behind technology to some degree. This is no longer acceptable. It is time for a change.


10 2014 50


While it is not feasible for the world’s aviation regulatory authorities to be able to provide guidance regarding new technologies and how safety issues are mitigated prior to the launch of modern software-based avionics and aircraft, such guidance must evolve to encompass cyber issues much more swiftly than it does today. Regulatory authorities need to ensure that security requirements are addressed in the initial stages of a product design, and that qualification and certification testing includes cyber security assessments/checks/tests/etc. In fact, if an avionics or aircraft manufacturer does not have such capabilities, perhaps they should be required to use third-party testing services. Industry groups such as ARINC/SAE and others also need to provide more timely guidelines to the manufacturers as well. There are various efforts happening in the U.S. and EU to address such concerns, but we are obviously not quite there yet. These efforts need to be sped up due to the looming deadlines of not only NextGen and SESAR (among other air traffic management systems in other parts of the world) coming online, but also due to the forthcoming entry in the airspace of drones in 2015. Many of the larger drones will depend upon communications gear similar to what manned aircraft will utilize, not to mention their reliance on ground and satellite communications systems.


As readers of this aviation maintenance magazine, what can you do to mitigate such risks as identified here? Plenty. Here is my list:


1. Review any components contained on the aircraft you are responsible for, and for those with software/firmware, ensure that they are up to date (just like you do with your home PCs, where Microsoft Updates are performed automatically, and your antivirus software is also constantly updated ... right?).


2. I would highly recommend that you contact the manufacturers of critical systems you have to express concerns outlined in the white paper from the cyber security researcher earlier in the article, and read Santamarta’s entire white paper. You might not care about everything identified, but you need to be aware of how a hacker might operate. This is invaluable information, especially since the lab environment used is not far off from a maintenance environment where you would have physical access to some of the systems mentioned in the report.


3. Consider bringing in cyber security experts to perform more in-depth testing of critical systems under your purview. This includes any on-board systems you might have concerns with, but, just as importantly, your ground-based support and IT


DOMmagazine

