Have a look at this (http://www.wired.com/politics/security/news/2008/01/dreamliner_security)

In short, it appears that the FAA are concerned about a linkage between the pax computer network (presumably the entertainment stuff) and the a/c systems computers.

Why would Boeing mix the two ?? :confused:

The link (http://cryptome.org/faa010208.htm) that appears towards the end of the Wired article is a much better source of information, assuming it is an accurate copy of the Federal Register.

Why would Boeing mix the two ?

That is explained in the link above.

assuming it is an accurate copy of the Federal Register.


This link seems to verify the accuracy...

http://regulations.justia.com/view/98960/

Doesn't the A380 have the same setup - all aircraft data goes around on an ethernet bus, with ops and pax data separated by a firewall?

Technology exists which allows sharing of resources without allowing unauthorized access and inappropriate actions to systems and data

Whoever wrote that is having a laugh, right? Pretty much every technology which exists for this purpose is quickly broken or compromised in a way that was not foreseen; thus creating a new degraded security scenario that was not in the original design reveiwer's scope. I am not impressed with the FAA's response in this report; they could have easily done more.

For example, why not state things such as: "Events from the pax systems domain must not be observable by any of the components in the aircraft control system domain"? Hardly rocket science, yet the sort of rule that will stand the test of time.

To just leave it up to the manufacturer is absurd. I hope there is much more to this story; background info that would make that report seem much less naîve. Perhaps the responsible person was out of his depth in this subject but senior in his poistion in the FAA?

Consider:

The applicant is responsible for the design of the airplane network and systems architecture and for ensuring that potential security vulnerabilities of providing passenger access to airplane networks and systems are mitigated to an appropriate level of assurance, depending on the potential risk to the airplane and occupant safety

So, the design authority is also the reviewer and certification authority of this architecture design? If it wasn't serious this would be comical. They haven't even made any reference to documents that might specify the scope of the threats that should be considered, nor have they given a ballpark indication of what "appropriate level of assurance" might mean. If the subject area was stress tests we would be swamped with details. Does this mean the FAA are not up to date enough to regulate this technology effectively?

There has to be more to this, that puts this report in context and gives it more credibility. Stand-alone, this report reads as absurd.

Although this particular combination does not appear explicitely in the Federal Register, the possibility of "wired connection" between "passenger Internet services" and flight systems is really scary! No sane person would implement this.

This link seems to verify the accuracy...
http://regulations.justia.com/view/98960/

Very interesting reading.

Airbus appear to want the FAA to promote physical isolation...
"The only possible solution to such a requirement would be to physically segregate the Passenger Information and Entertainment Domain from the other domains."

Whereas the FAA appear to want to allow design flexibility and put the responsibility on the manufacturers...

"We agree that Airbus's interpretation of zero allowance for any ``inadvertent or malicious changes to, and all adverse impacts'' to airplane systems, networks, hardware, software, and data is correct. However, this does not prevent allowing appropriate access if the design incorporates robust security protection means and procedures to prevent inadvertent and intentional actions that could adversely impact airplane systems, functionality, and airworthiness."

and

"The applicant is responsible for developing a design compliant with these special conditions and other applicable regulations. The design may include specific technology and architecture features, as well as operator requirements, operational procedures and security measures, and maintenance procedures and requirements, to ensure an appropriate implementation that can be properly used and maintained to ensure safe operations and continued operational safety."

From reading that, the only reason for linking pax and avionics domains is to share satcomms (I exclude unidirectional stuff like nav feeds to skymaps, etc, which already exist and can be made arbitrarily secure). Have I got that right? If so, then it's not as nasty as it sounds.

R

I'm sure it isn't as easy to hack as this makes it sound...

http://www.aviationtoday.com/av/categories/commercial/932.html

Data Loading

Data loading and configuration management are separate functions provided by the maintenance system. The data loader supports the insertion of data loads (operational software) into the appropriate avionics systems. "If you wanted to load a new piece of flight management software, it would come through this function," Morrow explains.

<snip>

.. this is the first time a maintenance technician with a wireless laptop (equipped with a Wi-Fi card) can walk up to the aircraft and get maintenance info on and off the airplane," Boeing's Sinnett says. "

Before you react to this topic, I would caution anybody whose knowledge of computer networks and the capabilities of 'hackers' is largely derived from the media and entertainment industries that they present the 'facts' with as much care and accuracy as they treat aviation!
For those with a working IT knowledge, feel free to tear the FAA a new one as you see fit :}

I positioned in First class a few months ago. The American lady sitting the other side of the aisle was suprised to see two pilots in uniform sitting in the cabin. She was even more suprised when we convinced her we were flying the aircraft from those seats using the screen and the IFE controller. We managed to keep straight faces all the way down the approach, landing and while 'vacating' the runway - then we had to come clean!

She was blonde too! :rolleyes:

- sigh -

Sometimes I think if atoms had ethernet in them IT people would think they're all smarter than Einstein.

The best explanation on the net so far: a system totally unrelated to anything seriously important can communicate with the passenger network. Not a great idea, but no hacking the altimeter.

Doesn't the A380 have the same setup - all aircraft data goes around on an ethernet bus, with ops and pax data separated by a firewall?

http://www.heise.de/ct/schlagseite/03/01/gross.jpg :p

With all due respect to your collective intelligence and despite my vivid interest to the aviation I still consider 34G to be more important in another sense.

Sorry for the drift but I could not resist.

Rwy in Sight

One physical network for the PAX and one for the A/c. No physical link between means that there is no electronic link between. It really is that simple.

Should any crew member need access to the PAX system, then they cross plug their terminal/PC into it. The PAX never need to go the other way.

After 27+ years in telecommunications, I can say that the only way to prevent any networking accident is to not have a network. If you have vital data, then do not provide network connectivity - irrespective of the firewalls in place. Simple. The FAA just need to state that there is no physical link on pain of death and they have proved that they understand the risk and have protected the pax. Job done.

Using VPN's networks can be isolated on the same media.

Even classified information is transferred this way over the Internet by Governments when the National Networks are unavailable or cannot reach certain areas.

However, the Internet is rarely if ever compromised at a major data pipe and this cannot be said for any LAN.

FADEC failure anyone :(

FADEC failure anyoneEspecially with the FADEC "integrated" in the CCS (or whatever?).

Using VPN's networks can be isolated on the same media.

Even classified information is transferred this way over the Internet by Governments when the National Networks are unavailable or cannot reach certain areas.


VLANs, together with firewalls, can indeed be used to segrate multiple network on the same cabling media, and this is more than enough for most company networks and low level "classified" data.

But note that all but the lowest level "classified" data CANNOT be shared on the same cabling backbone - they must be physically separated. In fact standard ethernet cable is in most cases not good enough due to possibilities of wire taps and signal leakage - fibre optic is therefore the defacto standard. And "classified" data is not transferred over the Internet as a rule. Low level data may be securely transferred if heavily encrypted, but anything more restricted cannot go via the Internet at all.

The simple fact is, if two networks are sharing the same backbone, there is a real risk of comprising the security separating the two. The only accepted way to guarantee proper segregation is physical separation.

The articles don't really elaborate on the extent of the cross connection - I'd certainly hope the fly-by-wire system is independant! - but surely with a blank paper design, building in a real risk that the passenger network may affect any part of the flight system network is unacceptable.

There is also the possibility of "Denial of Service" problems. If the communications channel becomes constantly "busy" through failure of part of a system, or through malicious intent, then legitimate traffic has no way to travel through the channel and has to wait, or -worse- it may be lost completely.

There is also the possibility of "Denial of Service" problems

Exactly. Any time there's a bit of wire between two computing devices, someone, somewhere, has the skill to use one device to access the other, overload the other, corrupt it or otherwise compromise or render it incapable of providing the service it is supposed to provide. You've got to be barking mad to have a wired link between 400 people with their entertainment systems and randomly-hosed PCs, and bits of the aircraft that are trying to do something important. Does make me want to fire up Ethereal and friends the next time I'm on a flight.

Access to PCDL (primary centralised data link) in always available exclusively from row 13 due to avionics compartment location.

There is also the possibility of "Denial of Service" problems

Exactly. Any time there's a bit of wire between two computing devices, someone, somewhere, has the skill to use one device to access the other, overload the other, corrupt it or otherwise compromise or render it incapable of providing the service it is supposed to provide. You've got to be barking mad to have a wired link between 400 people with their entertainment systems and randomly-hosed PCs, and bits of the aircraft that are trying to do something important. Does make me want to fire up Ethereal and friends the next time I'm on a flight.

As an IT Director with a lot of sites to protect (at great expense) I'd go along with this.

John

Why not simply have totally independent networks? That way, the only unauthorized data that the computer and electronics whiz in seat 34G could access is the latest pay-per-view movies. To somebody who isn't in the electronics field, it seems like a simple enough thing to do. I'm willing to learn why the most obvious thing is being ignored.

...or maybe if they decide to go with robust network security, we'll have to enter a password every time we change the QNH or try to execute a new route:ugh:

It is my responsibility at work to start and programme the IFE on the 747/777/A330, and to try and fault-find and 'fix' it whenever it doesn't work as advertised.

It is one of the least enjoyable aspects of the job. I am technically minded, so it's not that. I am computer literate so it's not that either.
The problem lies in the fact that IFE systems are notoriously opinionated and unpredictably moody.
The manufacturers swear on everything they hold dear that their system will under NO circumstance ever do X Y or Z, yet all of us know for a fact that X Y and Z are regular occurrences.
And of course the fault can never be replicated on the ground and the dedicated mechs look at you as if you're some sort of total moron.

Similarly, the manufacturers will wax lyrical about the reliability of the system, its stability and back-up.
While in reality, the systems crash for no good reason, behave weirdly when you least expect it, ignore whatever fault fixing procedure you let loose on it and will on principle do the exact opposite of what the manual says they will

The idea that an IFE system could be in any way at all connected to the cockpit systems causes me the deepest of anxieties.

Actually, more of a screaming panic! ;)

A slight change of tack - but does anyone know how the internet backhaul is provided? I'd guess at satellite based, but the dealings I've had with those setups are less than impressive.

Carbon 15, previously such services were supplied by the Connexion by Boeing (CbB) system that was installed on the likes of Lufthansa and Etihad.

Owing to a slightly dodgey business model, the grown ups at Boeing pulled the plug leaving aircraft with some extra ballast and something akin to an upside down bathtub on the roof.

Inmarsat have launch a "high speed" service called Swift Broadband. This is designed to give a "high speed" data service to the aircraft through its I4 satellite constellation.

Hope this helps

Being able to read all your spam at 40,000 feet.
What progress !

Sorry for the alarmist title, but it was written by the BBC (http://news.bbc.co.uk/2/hi/business/7179823.stm), not me:


Boeing has been ordered to ensure passengers on its new 787 Dreamliner jet cannot hack into the flight system and take control of the plane.

The ruling has come from America's Federal Aviation Administration (FAA), which is concerned that the plane's computer system may be vulnerable.
Boeing said it was in constant dialogue with the FAA to resolve the issue.
The US giant will start to deliver the mid-sized planes from November. British Airways has ordered 24 Dreamliners.

Rival UK carrier Virgin Atlantic has orders for 15.

'Appropriate safeguards'

Responding to the security revelation, which was first reported by trade magazine Flight International, Boeing said that "appropriate safeguards were already designed into the 787".

Like most modern planes, the 787 has extensive computer systems.

"We have already reached agreement with the FAA on the documentation, analysis and demonstrations necessary to show compliance with this special condition," it said.

"Completion of these activities will occur during the flight test programme."
It added that information from the test flights would be fully shared with the FAA to ensure a thorough review of the system.

The Dreamliner is Boeing's fastest-selling plane, with 802 orders in total by the start of this year.

Last year it was hit by a six-month delay due to manufacturing problems.
The Dreamliner is Boeing's first all-new jet since 1995.

It is the only big commercial aircraft made mostly of carbon fibre rather than aluminium and is billed as the most environmentally-friendly commercial jet ever built. Boeing says the 787 is much more fuel efficient than its competitors and produces 20% less carbon dioxide.


OK, it does seem a bit like a slow news day story. But, if "Like most modern planes, the 787 has extensive computer systems," what about this type has attracted the attention of the FAA on this issue? Why are they not worried about the A380, for example? Only because no American carriers have ordered one? :confused:

what about this type has attracted the attention of the FAA on this issue?

Wifi access....

Mutt

Wifi access....

Wrong.

The logical Aircraft Control Domain and Passenger Information and Entertainment Domain are not physically separate. So, an enterprising person or a malfunctioning device might be able affect the performance of one domain from the other.

Why don't Boeing ask Microsoft to design the software; that should make it secure. Even better install Vista and use Flight Sim. then we could all have a go.

Bushfiva, how about this.....

Commercial Airplanes employees in late December wirelessly connected a maintenance laptop to the 787's maintenance system for the first time.

This capability will allow airlines to wirelessly run computational tests between flights and determine needed maintenance. Boeing will also use the system during the upcoming 787 flight-test program. The wireless connection enables maintenance personnel to move around the airplane while staying connected to its maintenance functions. "This is the first step to a flexible and efficient way to maintain an airplane without being tied down," said Mike Sinnett, 787 Systems director.

The interesting note is that the Feds are very interested in how Boeing is protecting that wireless access to the airplane.

Rumor has it that MS hackers are being paid to try and crack the system to find holes in advance of delivery.


Mutt

Of course this sort of thing doesn't really happen!!

http://www.mirror.co.uk/news/topstories/2008/01/11/kid-prank-has-trams-in-chaos-89520-20281665/

Hi,

maybe I overlooked the information I'm interested in, but anyway:

I can hardly believe that flight critical systems share the network. In my opinion, most likely the Cabin Management Systems use the same network. But maybe I'm wrong...

Does anybody know which a/c systems share the network with the PAX-systems?

Why not simply have totally independent networks?

A good idea for many reasons already discussed. I would even be tempted to make the aircraft's networks to a different standard from the norm, at least with regard physical connectors. An ethernet RJ-45 could let you plug (and leave) all manner of undesirable devices connected. I don't know enough about the wireless/datalink stuff to comment.

This is one place for (quality) comment and analysis in the IT world on this and other risk s:

http://catless.ncl.ac.uk/Risks/25.1.html#subj2

Regarding interfaces between the Pax entertainment systems and other aircraft systems, the following are typical of the latest generation IFE systems

ARINC 429 (Rx only) for moving map positional data (Alt, long, lat, speed etc)
Pax Service System for reading lights and calls lights/chimes
PA System so announcements can be heard through headphones
SATCOM for voice/data connectivity
Electrical power (obviously)

Hope this helps

And when they've resolved that, they can resolve the issues around harmful pollutants (carcinogens?) being released into the local atmosphere if, God Forbid, a B787 should ever suffer a major fire.

My grapevine tells me that fire services, for one, have raised this issue with EASA who have been working on it for some time.

I appreciate that this is not a new problem, that composite structure has been around for ages, that there are plenty of people who actually know all about this and whether there really is a problem, and that I'm not one of them.

So does anyone know exactly where the matter stands, today?

Ever heard of the Martinair 757 incident ?

On May 28, 1996, at 1421 eastern daylight time, a Boeing 767-31AER, PH-MCH, operated by Martinair Holland, as flight 631 received minor
damage during an unscheduled landing at Logan Airport, Boston.

The flight destined for Orlando, Florida, had departed Schiphol Airport, Amsterdam. Flight crew reported that they had received several false system advisories during the flight. The advisories would appear and then disappear
shortly thereafter, with no corrective action being taken.

There was no evidence that the actual airplane systems were being affected.
These advisories started shortly after the airplane had reached cruise altitude, and continued at an intermittent rate throughout the flight. In addition there were multiple uncommanded auto pilot disconnects.

The transponder code window would suddenly display all zeros, and there were changes to the zero fuel weight information displayed on the EFIS. At one time, the airplane flew for about one hour with no problems noted. At 1355, when the 757 was about 20 nm miles north of the Kennebunk VOR, Maine, the crew declared an emergency due to loss of EFIS cockpit displays and the inertial navigation units.

They requested to land at Boston. The flight crew extended slats, and received a split slat indication. After checking that the available runway length was adequate, for their configuration and weight, they decided not to
extend flaps.

The spoilers were armed; however, after touchdown, the flight crew had to manually extend the spoilers and was unable to engage the reverse thrust.

Let's not forget the Egyptair 767 either, which went into a wild roller coaster dive.

Some years ago loading baggage for Air New Zealand, I remember on duty in the baggage hall how cell phones would keep ringing in baggage ready for loading on flights.

There was the CFIT crash of a Dash 8-100 belonging to Ansett NZ in June 1995. The captain Gary Sotheran claimed that whilst struggling with hung up main gear on an IFR approach the radar altimeter suddenly flipped 1,000 feet. Nobody ever believed him.

Sotheran was put on criminal trial and the day after that trial was abandoned news agencies disclosed that NZ Police had concealed evidence of a cell phone call being made by a passenger during the approach.

Police didn't seem to think it was their duty to share with the aviation world that cell phones endangered the flight because they were so hell bent on their prosecution.

Kiwiguy,
You're obviously talking about EMI.
This thread is about having interconnected IT networks on the plane, so not the same subject at all.

Just a few facts on all this, addressing some points which have been raised.

This is a new rule stating a certification requirement. The NPR was published in the Federal Register 72(71) on Friday April 13, 2007, and was issued April 5. Comments period ran until May 29, 2007. The FAA received and addressed comments from ALPA and Airbus. The rule was implemented as proposed in the NPR.

The certification requirement reads "The design shall prevent all inadvertent or malicious changes to, and all adverse impacts upon, all systems, networks, hardware, software and data in the Aircraft Control Domain and in the Airline Information Domain from all points within the Passenger Information and Entertainment Domain." You cannot get more stringent that this. That is what Boeing is going to have to demonstrate. I imagine they will do whatever is necessary.

Nobody is telling anybody what to do, or expressing doubts concerning the architecture, or anything like that. The FAA is creating a supplemental certification requirement in an area in which they believe there is a gap in the requirements. Note that the FAA believe that ACD/AID interference is addressed partly by existing regulation and partly by new proposals. I am trying to find out where the NPR for these new proposals is in the Federal Register. Does anyone know?

Certain people who are expert in safety-critical systems and networks do believe that the only way one can satisfy the requirement is through physically separate networks. Others do not necessarily agree. There is a debate.

I regard Martyn Thomas, who wrote the Risks note referred to, as a close colleague. He is the first person to have been awarded a CBE by the Queen for services to software engineering. He founded the UK dependable systems house Praxis High Integrity Systems.

There should be just as much concern about ACD/AID interference, and indeed there is.

Since it seems that the AID wireless connections (for example, to download QAR, or perform other maintenance query tasks), physical separation of networks is impossible.
People may think that means that one should only go wired. They should probably tell that to at least one major airline which downloads QAR data after each flight by GSM link through the local cell phone service, wherever they are.

I have read a high-level description of how the protections work in the various Domains, written by someone who was the architect of one of the major safety-related networks on a large airliner in common use, and who now does not work in aviation. He has a colleague who used to work on the B787 data networks who explained the high-level design of the architecture and its safeguards to him, and he wrote it up for a restricted mailing list. It looks like it has been very carefully thought through, as one would expect from highly experienced safety- and security-critical network designers. We will see if it satisfies the certification criterion or not.

The FAA does much of its certification through the designation system, whereby the FAA designates a manufacturer's engineer as the certification examiner for a specific system or subsystem. It works very well.

I am likely to write a guest blog on this issue soon, on the IEEE Riskfactor blog hosted by Robert Charette, who has already noted the Wired article.
http://blogs.spectrum.ieee.org/riskfactor/
(The IEEE is the organisation that inter alia produces most of the networking standards people know about, such as Ethernet and WLAN.)

PBL

The news was triggered by a new certification requirement for the B787 published in the Federal Register. The NPR was already out in April 2007.


PBL

See also my blog entry in the IEEE Risk Factor blog on Jan 19
at http://blogs.spectrum.ieee.org/riskfactor/

The IEEE is the (U.S.) Institute of Electrical and Electronic Engineers, which inter alia develops all the computer and networking and other standards in the U.S., and whose standards (such as Ethernet and Wireless LAN) are often subsequently adopted internationally.

PBL

I have merged the two 787 threads at PBL's suggestion ... hopefully my edits haven't confused the plot for readers ...

JT

ChristiaanJ wrote

Kiwiguy,
You're obviously talking about EMI.
This thread is about having interconnected IT networks on the plane, so not the same subject at all.


Rubbish Christiaan... The Martinair flight was miles from land so how could a cell phone/tower have caused this externally.

In any case this is not the point...

The point is that aircraft systems do have a vulnerability from whatever source and the cases I cite corroborate it.

Anything on aircraft which is vulnerable to interference is also vulnerable to external hacking through wi-fi or whatever. There does not need to be an actual link between IFE or a laptop. A frayed wire or an unshielded electrical terminal can allow the aircraft to pick up digital signals within the cabin.

This debate began before BA038 lost power on approach.

How fascinating that nobody wants to address the possibility in relation to that incident ?

Anything on aircraft which is vulnerable to interference is also vulnerable to external hacking through wi-fi or whatever. There does not need to be an actual link between IFE or a laptop. A frayed wire or an unshielded electrical terminal can allow the aircraft to pick up digital signals within the cabin.

That is very far-fetched line of reasoning. There is an enormous gap between emitting RF that can be sensed by
aircraft systems, and hacking a network. Compare: turning your vacuum cleaner on next to the TV can cause the picture or sound to go wobbly. That doesn't mean you can program your TV by using your vacuum cleaner.

This debate began before BA038 lost power on approach.

How fascinating that nobody wants to address the possibility in relation to that incident ?

I imagine the reason no one is considering it is that no one close to the investigation wants to seem like an idiot.

Ask yourself the following questions. Where are the FADECs? (Answer: a long way away from passengers). How well are they shielded from ambient RF? (Answer: very, very well). Why would two heavily-shielded devices in physically independent systems at different long distances away from a puny transmitter react at all, let alone in the same way, to RF from that puny transmitter? (Think inverse-square law.)

In contrast, you can be sure that RF interference from ground-based transmitters is being seriously considered. But we are talking high-intensity, probably focussed, powerful sources.

PBL

Why would two heavily-shielded devices in physically independent systems at different long distances away from a puny transmitter react at all, let alone in the same way, to RF from that puny transmitter?


Cell phones are not puny transmitters and their signals are well strong enough inside an aircraft.

FADEC systems still have input from the cockpit because FADEC has top accommodate commands from the pilots.

The biggest idiots are those who don't dare to ask what if for fear of looking stupid.


That doesn't mean you can program your TV by using your vacuum cleaner.


Analog interference from a vacumn cleaner is not a danger to a digital system, but a string of digital signals inside a cabin from a digital cell phone to some component of the aircraft's digital network is an entirely different matter.

OK, kiwiguy, let's compare credentials.

I have been writing and publishing sporadically on the topic of HIRF and its potential influence on avionics for a decade. I have also aided the Canadian TSB in the assessment of HIRF in the investigation into the accident to SW111.

Do you have any education in the physics and engineering of electromagnetic radiation?

Have you read and understood the NASA report on EM fields inside aircraft cabins that is in the TW800 docket? It's a couple of hundred pages long and requires some understanding of 3-dimensional numerical modelling of the Maxwell equations.

Have you read and understood the work that the UK CAA has published on the measured field strengths of cell phone transmissions inside aircraft fuselages?

If so, then we can start to talk seriously about this. If not, then I suggest you do so, so that you will be able to judge what is plausible in the reasoning you propose and what is not.

PBL

I have been working with software development for more than 35 years. I have been working as programmer, system designer and in different management positions within software development.

In addition to the obvious problems connected with the common network in the 787 I am also concerned about the CCS or Common Core System in the CCR Common Computing Resource. In it there will be an operating system ( Vx Works 653) managing the different applications running. Those applications will as I understand it be everything from passengers running games or surfing the internet to critical flight systems. It has happened in the past and it will happen again that some bug for instance in an application will crash the operating system. That might very well make the whole thing go down.

Based on my experience I would say that there is no such thing as a complex software system without bugs in it. There are always bugs and it may take years before one suddenly surfaces and brings the system down.

I don’t want the pilots of my flight to a sunny beach sitting in the cockpit trying to restart the CCS. :uhoh:

Pehr

Before you react to this topic, I would caution anybody whose knowledge of computer networks and the capabilities of 'hackers' is largely derived from the media and entertainment industries that they present the 'facts' with as much care and accuracy as they treat aviation!
For those with a working IT knowledge, feel free to tear the FAA a new one as you see fit


There are 2 kinds of networks. One that has been hacked and the other that is going to be hacked.

I work in IT (Network Administration) and hold a CPL.