PPRuNe Forums - View Single Post - Your 787 controlled from seat 34G?
Old 5th Jan 2008, 19:06
tallsandwich
Join Date: Sep 2005
Location: France
Posts: 134
"Technology exists which allows sharing of resources without allowing unauthorized access and inappropriate actions to systems and data"
Whoever wrote that is having a laugh, right? Pretty much every technology which exists for this purpose is quickly broken or compromised in a way that was not foreseen; thus creating a new degraded security scenario that was not in the original design reviewer's scope. I am not impressed with the FAA's response in this report; they could have easily done more.

For example, why not state things such as: "Events from the pax systems domain must not be observable by any of the components in the aircraft control system domain"? Hardly rocket science, yet the sort of rule that will stand the test of time.

To just leave it up to the manufacturer is absurd. I hope there is much more to this story; background info that would make that report seem much less naïve. Perhaps the responsible person was out of his depth in this subject but senior in his position in the FAA?

Consider:

"The applicant is responsible for the design of the airplane network and systems architecture and for ensuring that potential security vulnerabilities of providing passenger access to airplane networks and systems are mitigated to an appropriate level of assurance, depending on the potential risk to the airplane and occupant safety"
So, the design authority is also the reviewer and certification authority of this architecture design? If it wasn't serious this would be comical. They haven't even made any reference to documents that might specify the scope of the threats that should be considered, nor have they given a ballpark indication of what "appropriate level of assurance" might mean. If the subject area was stress tests we would be swamped with details. Does this mean the FAA are not up to date enough to regulate this technology effectively?

There has to be more to this, that puts this report in context and gives it more credibility. Stand-alone, this report reads as absurd.