Airport security is a hot topic today, following a failed Christmas Day 2009 terrorist attack, but security for cockpit and flight-critical communications is an increasingly important issue as new-design commercial aircraft become more software-focused, and as airlines bolster the pipes to their aircraft to support passenger connectivity.
The FAA’s recent decision to issue special conditions to prevent wrongdoers from hacking into flight-critical domains on the new Boeing 747-8 jumbo jet (which resembled the conditions previously issued for the 787 twinjet) simply highlight what we already know – that there is a lot we don’t know about the vulnerability to hackers of e-enabled airliners.
And so, it makes sense for the FAA and airframers to be extra cautious.
The FAA’s special conditions for the 747-8 and 787 come as no surprise to Boeing, which told Flight International in 2007 that protection against hacking has been built into the 787 because the airframer plans for the twinjet to be in almost continuous contact with the ground via satellite for performance monitoring. (The aircraft is, for example, broadcasting summary engine telemetry via the ACARS link to Rolls-Royce in the UK.)
Boeing said it would use “hard wall” in the software and would ensureno system settings can be changed in-flight to stop an external inputcausing havoc.
The idea is to prevent what Flight then described as “the nightmare scenario is of terrorists remotely hijacking an airliner”. But, as mentioned in my blog post last week, such an attack would not necessarily have to occur off-aircraft if the cabin is equipped with in-flight connectivity for passengers.
At the same time, connectivity crossover points between cabin and cockpit are also an all too real concern, a point expressed to me by Exostar vice-president security and collaboration Vijay Takanti, and later highlighted by Gizmodo.
Separate to the FAA’s specific concerns, we may be starting to see instances where bandwidth priority is unintentionally being given to passenger services with the result of degrading system performance. In 2008 an Airbus A340 operator (believed to be AeroMobile customer Emirates) flying in the Pacific region detected a satcom FANS performance degradation. When the performance deteriorated further (and resulted in the carrier’s inability to use reduced distance-based separations on its A340s) a FANS problem report was raised in 2009.
Air navigation services provider Airways New Zealand was advised that the performance deterioration “may be related to the implementation of cabin services offering passenger applications like voice calls and texting using Data-3 connectivity over [Inmarsat] Classic Aero”, says the Informal South Pacific ATS Coordinating Group (ISPACG), an entity established by multilateral agreement between Australia, Fiji, Tahiti, New Zealand, Papua New Guinea and the USA.
Furthermore, says ISPACG:
“The A345 fleet under examination was the first to offer this service in our region but we are aware of a number of other airlines in the region that are looking at providing a similar service to their customers…
“The possibility that this performance deterioration has been caused by the implementation of a new data link service not even related to the provision of an Air Traffic Control service further highlights the necessity of post implementation monitoring by ANSP’s.”
Read the entire document here: Satcom report.pdf
Boeing and Airbus recently co-chaired a conference call with the satcom industry to assess this issue. The group concluded that a ground station upgrade – the so-called Release 15 mentioned in the ISPACG document – was needed to solve the problem, and those corrections were slated to be implemented by Arinc in mid-January and SITA in mid-February.
Okay, so we have a real-world example of degradation of FANS/ACARS performance potentially due to STC-installed connectivity systems utilizing Classic satcom, albeit an event that was not perpetrated on purpose, and one which required a ground station software upgrade to be remedied.
In addition to the two considerations above, Exostar’s Takanti stresses that it is essential for airlines and manufacturers to ensure that only the right people have access to information coming on and off aircraft so that no eavesdropping can take place. In this particular regard, he says, the security concerns remain the same “whether we’re talking about Classic satcom or a larger connectivity pipe”.
“The new [design] aircraft have thousands of software parts. The information is going to the plane and coming from the plane, and just like hacking happens in the Internet, somebody could potentially hack into a plane (not saying they can do it today) and you want to make sure they can’t corrupt the software and replace the software with something else. That’s the problem.”
To detect a potential virus, the technique the industry uses today is to take a thumb print of the software. SITA, Verisign and Exostar are among the firms providing public key infrastructure (PKI) service to limit access to an organization’s resources to those with legitimate access.
So, in the case of the 787 or 747-8, for example, maintenance crew would have to enter anauthentication code before uploading software or making settingchanges.
Owned in part by Boeing, Exostar’s so-called federated identity service (FIS) issued over 7,000 PKI certificates in 2009.
“One of our largest customers is Boeing so there are a couple of scenarios that we’re working with Boeing,” says Takanti.”We also have some airline customers. The user cases we’re seeing in this industry at this time is how to get information via Gatelink. Some requirements we’re seeing from a security perspective is that airlines want to know the information is coming from a piece of equipment they can trust. They don’t want something giving them false data and wasting a lot of money and time.”
“The reason the ATA role becomes important is because of the need of interoperability. United Airlines, for example, has up to 500 planes and flies to different airports. But not all airport gate equipment is owned by United. Some is owned by American, Continental or Delta. The airline industry needs to work to make sure that whatever security mechanism is in place, it can do work with other equipment that is not owned by them [the individual airline]. Right now we’re working with members of that association because they have to agree on the standards.”
For more information about the ATA’s efforts for securing GateLink with PKI, check out the following report: ATA_InformationSecurityWebinar_Gatelink.pdf But as airlines and airframers explore the operational benefits of having robust in-flight connectivity pipes, the security discussion is no doubt about to get kicked up a notch.