PPRuNe Forums - View Single Post - Your 787 controlled from seat 34G?
15th January 2008 | 10:07
PBL
Joined: Sep 2000
Posts: 965
Likes: 110
From: Bielefeld, Germany
Just a few facts on all this, addressing some points which have been raised.

This is a new rule stating a certification requirement. The NPR was published in the Federal Register 72(71) on Friday April 13, 2007, and was issued April 5. Comments period ran until May 29, 2007. The FAA received and addressed comments from ALPA and Airbus. The rule was implemented as proposed in the NPR.

The certification requirement reads "The design shall prevent all inadvertent or malicious changes to, and all adverse impacts upon, all systems, networks, hardware, software and data in the Aircraft Control Domain and in the Airline Information Domain from all points within the Passenger Information and Entertainment Domain." You cannot get more stringent than this. That is what Boeing is going to have to demonstrate. I imagine they will do whatever is necessary.

Nobody is telling anybody what to do, or expressing doubts concerning the architecture, or anything like that. The FAA is creating a supplemental certification requirement in an area in which they believe there is a gap in the requirements. Note that the FAA believe that ACD/AID interference is addressed partly by existing regulation and partly by new proposals. I am trying to find out where the NPR for these new proposals is in the Federal Register. Does anyone know?

Certain people who are expert in safety-critical systems and networks do believe that the only way one can satisfy the requirement is through physically separate networks. Others do not necessarily agree. There is a debate.

I regard Martyn Thomas, who wrote the Risks note referred to, as a close colleague. He is the first person to have been awarded a CBE by the Queen for services to software engineering. He founded the UK dependable systems house Praxis High Integrity Systems.

There should be just as much concern about ACD/AID interference, and indeed there is.

Since it seems that the AID has wireless connections (for example, to download QAR data, or to perform other maintenance query tasks), physical separation of networks is impossible.
People may think that means that one should only go wired. They should probably tell that to at least one major airline which downloads QAR data after each flight by GSM link through the local cell phone service, wherever they are.

I have read a high-level description of how the protections work in the various Domains, written by someone who was the architect of one of the major safety-related networks on a large airliner in common use, and who now does not work in aviation. He has a colleague who used to work on the B787 data networks who explained the high-level design of the architecture and its safeguards to him, and he wrote it up for a restricted mailing list. It looks like it has been very carefully thought through, as one would expect from highly experienced safety- and security-critical network designers. We will see if it satisfies the certification criterion or not.

The FAA does much of its certification through the designation system, whereby the FAA designates a manufacturer's engineer as the certification examiner for a specific system or subsystem. It works very well.

I am likely to write a guest blog on this issue soon, on the IEEE Riskfactor blog hosted by Robert Charette, who has already noted the Wired article.
http://blogs.spectrum.ieee.org/riskfactor/
(The IEEE is the organisation that inter alia produces most of the networking standards people know about, such as Ethernet and WLAN.)

PBL