Connectivity crossover and the case for cockpit security

Airport security is a hot topic today, following a failed Christmas Day 2009 terrorist attack, but security for cockpit and flight-critical communications is an increasingly important issue as new-design commercial aircraft become more software-focused, and as airlines bolster the pipes to their aircraft to support passenger connectivity.

The FAA’s recent decision to issue special conditions to prevent wrongdoers from hacking into flight-critical domains on the new Boeing 747-8 jumbo jet (which resembled the conditions previously issued for the 787 twinjet) simply highlights what we already know – that there is a lot we don’t know about the vulnerability to hackers of e-enabled airliners.
 
And so, it makes sense for the FAA and airframers to be extra cautious.
 
The FAA’s special conditions for the 747-8 and 787 come as no surprise to Boeing, which told Flight International in 2007 that protection against hacking has been built into the 787 because the airframer plans for the twinjet to be in almost continuous contact with the ground via satellite for performance monitoring. (The aircraft is, for example, broadcasting summary engine telemetry via the ACARS link to Rolls-Royce in the UK.)

Boeing said it would use a “hard wall” in the software and would ensure no system settings can be changed in-flight, to stop an external input causing havoc.

The idea is to prevent what Flight then described as “the nightmare scenario is of terrorists remotely hijacking an airliner”. But, as mentioned in my blog post last week, such an attack would not necessarily have to occur off-aircraft if the cabin is equipped with in-flight connectivity for passengers.

At the same time, connectivity crossover points between cabin and cockpit are also an all too real concern, a point expressed to me by Exostar vice-president security and collaboration Vijay Takanti, and later highlighted by Gizmodo.

Separate to the FAA’s specific concerns, we may be starting to see instances where bandwidth priority is unintentionally being given to passenger services with the result of degrading system performance. In 2008 an Airbus A340 operator (believed to be AeroMobile customer Emirates) flying in the Pacific region detected a satcom FANS performance degradation. When the performance deteriorated further (and resulted in the carrier’s inability to use reduced distance-based separations on its A340s) a FANS problem report was raised in 2009.

Air navigation services provider Airways New Zealand was advised that the performance deterioration “may be related to the implementation of cabin services offering passenger applications like voice calls and texting using Data-3 connectivity over [Inmarsat] Classic Aero”, says the Informal South Pacific ATS Coordinating Group (ISPACG), an entity established by multilateral agreement between Australia, Fiji, Tahiti, New Zealand, Papua New Guinea and the USA.

Furthermore, says ISPACG:

“The A345 fleet under examination was the first to offer this service in our region but we are aware of a number of other airlines in the region that are looking at providing a similar service to their customers…

“The possibility that this performance deterioration has been caused by the implementation of a new data link service not even related to the provision of an Air Traffic Control service further highlights the necessity of post implementation monitoring by ANSP’s.”

Read the entire document here: Satcom report.pdf

Boeing and Airbus recently co-chaired a conference call with the satcom industry to assess this issue. The group concluded that a ground station upgrade – the so-called Release 15 mentioned in the ISPACG document – was needed to solve the problem, and those corrections were slated to be implemented by Arinc in mid-January and SITA in mid-February.

Okay, so we have a real-world example of degradation of FANS/ACARS performance potentially due to STC-installed connectivity systems utilizing Classic satcom, albeit an event that was not perpetrated on purpose, and one which required a ground station software upgrade to be remedied.
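The mechanism behind the FANS degradation described above is a shared, narrow channel on which passenger traffic is served with the same priority as air traffic control messages. The following simulation is an added example, not code from the article, ISPACG or any satcom vendor: it pushes a burst of passenger messages and periodic FANS reports through one link, once as plain FIFO and once with strict priority for FANS, and reports how long the FANS messages waited. The link rate, message sizes and timings are all constructed for the illustration.

```python
"""Why a shared narrowband satcom channel needs traffic prioritisation.

Added example, not from the article, ISPACG or any vendor. It simulates one
link carrying both FANS (air traffic control) messages and passenger data,
first with no prioritisation and then with strict priority for FANS, and
reports how long FANS messages waited. Link rate, message sizes and timings
are all constructed for the illustration.
"""
from dataclasses import dataclass

LINK_BPS = 300  # constructed link rate for a narrowband data channel


@dataclass
class Message:
    arrival: float  # seconds
    bits: int
    cls: str        # "fans" (ATC) or "pax" (passenger service)


def sample_traffic() -> list:
    """Constructed workload: a burst of passenger texts plus periodic FANS reports."""
    pax_burst = [Message(0.0, 1200, "pax") for _ in range(10)]
    fans = [Message(t, 600, "fans") for t in (1.0, 11.0, 21.0, 31.0)]
    return pax_burst + fans


def simulate(messages, link_bps=LINK_BPS, prioritise_fans=False) -> dict:
    """Serve messages over one link; return per-class lists of end-to-end delay.

    Transmission is non-preemptive: a frame in progress is finished before the
    next one is chosen. With prioritise_fans the scheduler always picks the
    oldest waiting FANS message first; otherwise it is plain FIFO.
    """
    pending = sorted(messages, key=lambda m: m.arrival)
    queue, delays, t, i = [], {"fans": [], "pax": []}, 0.0, 0
    while i < len(pending) or queue:
        while i < len(pending) and pending[i].arrival <= t:  # admit arrivals
            queue.append(pending[i])
            i += 1
        if not queue:            # link idle: jump to the next arrival
            t = pending[i].arrival
            continue
        idx = 0
        if prioritise_fans:
            idx = next((k for k, m in enumerate(queue) if m.cls == "fans"), 0)
        m = queue.pop(idx)
        t += m.bits / link_bps   # transmit the chosen frame
        delays[m.cls].append(t - m.arrival)
    return delays


def max_fans_delay(prioritise_fans: bool) -> float:
    """Worst-case FANS delay for the constructed workload under a policy."""
    return max(simulate(sample_traffic(), prioritise_fans=prioritise_fans)["fans"])


if __name__ == "__main__":
    print(f"FIFO, no priority:    worst FANS delay {max_fans_delay(False):.0f} s")
    print(f"Strict FANS priority: worst FANS delay {max_fans_delay(True):.0f} s")
```

With this workload the unprioritised link holds a FANS report behind the whole passenger burst (a 41 s worst case), while strict priority bounds the wait to one in-progress passenger frame plus the report’s own transmission time (5 s). The fix in the real incident was a ground-station release; the point of the model is that separating networks on the aircraft does nothing if both classes of traffic still share one unprioritised channel off the aircraft.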

In addition to the two considerations above, Exostar’s Takanti stresses that it is essential for airlines and manufacturers to ensure that only the right people have access to information coming on and off aircraft so that no eavesdropping can take place. In this particular regard, he says, the security concerns remain the same “whether we’re talking about Classic satcom or a larger connectivity pipe”.

Says Takanti:

“The new [design] aircraft have thousands of software parts. The information is going to the plane and coming from the plane, and just like hacking happens in the Internet, somebody could potentially hack into a plane (not saying they can do it today) and you want to make sure they can’t corrupt the software and replace the software with something else. That’s the problem.”

To detect a potential virus, the technique the industry uses today is to take a thumbprint of the software. SITA, Verisign and Exostar are among the firms providing public key infrastructure (PKI) services to limit access to an organization’s resources to those with legitimate access.

So, in the case of the 787 or 747-8, for example, maintenance crew would have to enter an authentication code before uploading software or making setting changes.
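What the “thumbprint” check amounts to in practice is shown by the following added example. It is not Boeing’s, Exostar’s or any airline’s code: a supplier publishes a manifest of digests for each software part, the loader recomputes the digest of every part it receives and refuses to load anything that does not match or is not listed. The manifest is authenticated here with an HMAC under a constructed key, standing in for the PKI signature a real software-part delivery process would carry; the part names, payloads and key are all constructed.

```python
"""Integrity check for aircraft software parts before loading.

Added example, not Boeing's, Exostar's or any airline's code. It models the
"thumbprint" idea from the article: every software part ships with a known
digest, and the loader refuses any part whose digest does not match. The
manifest itself is authenticated with an HMAC here as a stand-in for the PKI
signature a real delivery workflow would use; parts, digests and key are all
constructed for this example.
"""
import hashlib
import hmac
import json

# Constructed sample: the bytes of three "software parts" as shipped.
SHIPPED_PARTS = {
    "FMS-NAV-DB": b"NAVDB v2010-01 ... (constructed payload)",
    "ENGINE-MON": b"engine telemetry config (constructed payload)",
    "CABIN-IFE": b"in-flight entertainment image (constructed payload)",
}

# Constructed key standing in for the supplier's signing key.
SUPPLIER_KEY = b"constructed-demo-key-not-for-real-use"


def thumbprint(data: bytes) -> str:
    """SHA-256 hex digest of a software part: the part's 'thumbprint'."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(parts: dict, key: bytes) -> dict:
    """Supplier side: list each part's digest and authenticate the list."""
    digests = {name: thumbprint(data) for name, data in sorted(parts.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Reject a manifest whose authentication tag does not verify."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def check_parts(manifest: dict, key: bytes, received: dict) -> dict:
    """Loader side: return a per-part verdict; nothing is loaded on failure.

    Verdicts: 'ok', 'tampered' (digest mismatch), 'unlisted' (no manifest
    entry), or 'manifest-rejected' for every part when the manifest fails.
    """
    if not manifest_is_authentic(manifest, key):
        return {name: "manifest-rejected" for name in received}
    verdicts = {}
    for name, data in received.items():
        expected = manifest["digests"].get(name)
        if expected is None:
            verdicts[name] = "unlisted"
        elif hmac.compare_digest(expected, thumbprint(data)):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "tampered"
    return verdicts


def demo() -> dict:
    """Run the check against a delivery where one part was altered in transit."""
    manifest = build_manifest(SHIPPED_PARTS, SUPPLIER_KEY)
    received = dict(SHIPPED_PARTS)
    received["FMS-NAV-DB"] = received["FMS-NAV-DB"] + b"X"  # constructed tamper
    received["ROGUE-PART"] = b"not in the manifest"           # constructed extra
    return check_parts(manifest, SUPPLIER_KEY, received)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Two design points carry over to the real process: the manifest must be authenticated before any digest in it is trusted (otherwise an altered part can simply ship with an altered digest), and the comparison uses a constant-time check so the loader leaks nothing about how close a forged digest came.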

Owned in part by Boeing, Exostar’s so-called federated identity service (FIS) issued over 7,000 PKI certificates in 2009.
 
“One of our largest customers is Boeing so there are a couple of scenarios that we’re working with Boeing,” says Takanti. “We also have some airline customers. The user cases we’re seeing in this industry at this time is how to get information via Gatelink. Some requirements we’re seeing from a security perspective is that airlines want to know the information is coming from a piece of equipment they can trust. They don’t want something giving them false data and wasting a lot of money and time.”

Airline members of the Air Transport Association (ATA) of America are working to make sure the end points of Gatelink are trustworthy.

Says Takanti:

“The reason the ATA role becomes important is because of the need of interoperability. United Airlines, for example, has up to 500 planes and flies to different airports. But not all airport gate equipment is owned by United. Some is owned by American, Continental or Delta. The airline industry needs to work to make sure that whatever security mechanism is in place, it can do work with other equipment that is not owned by them [the individual airline]. Right now we’re working with members of that association because they have to agree on the standards.”

For more information about the ATA’s efforts for securing GateLink with PKI, check out the following report: ATA_InformationSecurityWebinar_Gatelink.pdf

But as airlines and airframers explore the operational benefits of having robust in-flight connectivity pipes, the security discussion is no doubt about to get kicked up a notch.


14 Responses to Connectivity crossover and the case for cockpit security

  1. Michael H January 24, 2010 at 6:45 pm #

    There’s a simple solution for this, keep the systems separate. While there might be initial considerations such as weight of having duplicates of whatever is used for connectivity purposes, there is untold advantage and common sense in structural separation between what’s used up front and in the cabin.

    Case in point, the World Bank. Their website doesn’t even touch their internal technology infrastructure. Totally outside, totally separate, and not even the computers used to look after it use the same connectivity as their internal network. Why? Because despite all the things technical experts can do to reduce the surface area of attack, the risks even with this are too great to take any chances.

    The same applies for use of IFC up front – the risks of sharing that system with those in the rear are far too great to have any physical or electronic link between the two. No one should be able to get near the systems up front.

  2. Speedbird_NCL January 24, 2010 at 7:59 pm #

    Agree with Michael …. The FAA makes recommendations airlines need to consider during operation of the 787 and holds airlines responsible for end-to-end security; as Michael has pointed out, TCP/IP network domains can only be totally secure if there is no connection.
    The LSAP process and the introduction of PKI into the delivery of software parts involves a level of technology that will require very robust processes and procedures.

  3. Symonty January 24, 2010 at 8:02 pm #

    Degradation in FANS performance is due to the implementations of Data-2/Data-3 on Inmarsat and the use of the prioritization of data. This has nothing to do with security or hacking, it is just poor implementation. This has nothing at all to do with security or hacking.
    Any of the many sources of Data-3 traffic from passenger services, if poorly configured, can affect FANS, and this is totally unbeknown to or seen by passengers.

  4. Mary Kirby January 24, 2010 at 9:56 pm #

    I rather explicitly mention the FANS issue did not involve hacking in the paragraph – “Okay, so we have a real-world example of degradation of FANS/ACARS performance potentially due to STC-installed connectivity systems utilizing Classic satcom, albeit an event that was not perpetrated on purpose…”

    Meanwhile, a shoddy implementation isn’t reason for concern?!?

  5. symonty Gresham January 24, 2010 at 10:42 pm #

    All I am saying is this FANS example, actually has nothing to do with “CROSSOVER” nor hacking nor wrongdoing…
    this is to do with the limited bandwidth of the Data-3 pipe, which is 300 bits/second, yes that is right 300 bits/sec.

    While I agree that the introduction of a service to a passenger uses bandwidth that could be used for FANS, this seems to have little to do with crossover and more to do with B/W.

    The aircraft in question will have classic 64 Kbits/s service at best, and if the airline wants to generate revenue by allowing passenger services on any aircraft that has always been up to the airline, and this is not in any way covered by the FAA mandate.

    I think that an article about laptop connectivity affecting aircraft systems, which focuses on the separation of LANs, hacking and wrongdoers, really can’t use a lack of ground-based bandwidth to supply data to a system designed over 30 years ago due to a poor implementation (they are probably tagging data as Data-2 not Data-3 to get priority) as having anything to do with passengers.

  6. Mary Kirby January 24, 2010 at 11:46 pm #

    Symonty, I take your point, but in this instance the word ‘crossover’ is simply being used to describe an instance where priority is (unintentionally) being given to passenger services with the result of degrading satcom FANS performance. In any case, the FANS issue is not related to the FAA mandate and I will underscore that for the sake of clarity (and because you have provided us with quite a bit more info than contained in the satcom report).

  7. Auduboner January 25, 2010 at 12:57 am #

    Personally, and as a semi-frequent flier and brother of an airline pilot, anything that might cause the flight crew to turn off the automated systems and actually fly the damn plane – is a Good Thing! So I’ll let the system vendors worry about this one…

  8. Uwe January 25, 2010 at 10:05 am #

    I haven’t read all the info given (yet) ..

    What is described as crossover looks to me more like DoS (Denial of Service) by choking a channel with non-prioritized data, denying bandwidth to prioritized data. This is an implementation fault in the infrastructure.

    You may gain nothing by keeping networks on the plane physically separate when data passes through the same SATCOM infrastructure on its way out.

    Firewalling will be necessary anyway; there is not much difference from a short loop attack pax->networked_avionics to a long loop one that leaves the plane and attacks sensitive connections elsewhere.

    Physically separate networking as the only safety measure is regularly subverted or bypassed. Remember the East Coast Blackout from a couple of years back.

  9. David Parker Brown January 25, 2010 at 4:08 pm #

    I still think this could make a pretty awesome movie. I hope Hollywood is reading this.

  10. Dr. Dave January 26, 2010 at 11:00 am #

    My opinion – have two separate satcom systems. A wideband system for the passenger cabin – Inmarsat broadband maybe – and a narrowband one for the cockpit – 2 voice channels and a skinny data channel, as the cockpit does not need broadband. Sure this means two systems; two sets of avionics; two antennas – but it would also separate the two parts of the aircraft and I guess it would make the certification of the passenger cabin system easier (not sure about that).

  11. MoJoh January 26, 2010 at 12:18 pm #

    Dr Dave,

    Some IFE/Connectivity vendors have been proposing a dual SATCOM system for some time and it looks as though Boeing will be going down this route on the 787 (possibly the 748 and 777 too). Strangely, Boeing have been keen on a single cockpit/cabin SATCOM solution on the 737NI.

    MoJoh

  12. Larry Hagler January 26, 2010 at 12:58 pm #

    Good thread.

    Dr Dave, would an airline realistically install two separate satcom-based systems when airframers offer a single solution – could you even have two antennas fitted? Even if you could, what about the extra install costs, weight/drag penalties etc?

    Isn’t this getting blown out of all proportion? The answer is surely to rely on the manufacturers (or IFE&C vendors) to put in place an on-board system that mitigates the risks (as Airbus are doing with ALNA)? This needs to include security as well as bandwidth prioritisation management software to ensure essential services such as FANS are not choked.

    And no, I don’t work for Airbus and I’m sure those guys at Boeing are looking at an equivalent to ALNA for the 787…

  13. Speedbird_NCL January 26, 2010 at 5:02 pm #

    Larry, your points are valid and actually highlight the difficult position that operators of new generation aircraft now have to face.
    Operators are responsible for end-to-end operation of IT security, not the airframers, who will support FAA/CAA requirements, supplying recommendations for successful EIS of new aircraft types.
    Because these recommendations can be different, it makes the implementation more difficult, especially for operators with orders for both the A380 & B787.
    For the first time in aviation history operators are responsible for the secure delivery of software parts from their back office IT systems (IFE pax lists, airport maps, eDocs etc) onto aircraft via TCP/IP IT network(s) in a secure manner with auditable processes.
    One of these processes is used for the updating of aviation software systems, known as the LSAP process; it is mandatory and requires a level of IT security called PKI. If this end-to-end process is not robust (open to subversion) it could impact the airworthiness of not just one aircraft, but potentially any fleet that uses it.
    Previous points above are pointing out the inherent risks of IT networks which we now find on board aircraft (see ARINC A811).
    Forgive the long reply, I’m trying to highlight some other valid IT issues that could eventually lead regulatory bodies to mandate exactly what Dr Dave has suggested!!
    No IT network is secure, including the CIA’s; the only difference is their network does not move around the world at 35,000 ft!!

  14. Rosario K. Luna February 4, 2010 at 9:10 am #

    Wow! Thank you! I always wanted to write down on my site something like that. Can I take a portion of your post to my blog?