Your 787 controlled from seat 34G?
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
Just a few facts on all this, addressing some points which have been raised.
This is a new rule stating a certification requirement. The NPR was published in the Federal Register 72(71) on Friday April 13, 2007, and was issued April 5. Comments period ran until May 29, 2007. The FAA received and addressed comments from ALPA and Airbus. The rule was implemented as proposed in the NPR.
The certification requirement reads "The design shall prevent all inadvertent or malicious changes to, and all adverse impacts upon, all systems, networks, hardware, software and data in the Aircraft Control Domain and in the Airline Information Domain from all points within the Passenger Information and Entertainment Domain." You cannot get more stringent than this. That is what Boeing is going to have to demonstrate. I imagine they will do whatever is necessary.
Nobody is telling anybody what to do, or expressing doubts concerning the architecture, or anything like that. The FAA is creating a supplemental certification requirement in an area in which they believe there is a gap in the requirements. Note that the FAA believe that ACD/AID interference is addressed partly by existing regulation and partly by new proposals. I am trying to find out where the NPR for these new proposals is in the Federal Register. Does anyone know?
Certain people who are expert in safety-critical systems and networks do believe that the only way one can satisfy the requirement is through physically separate networks. Others do not necessarily agree. There is a debate.
I regard Martyn Thomas, who wrote the Risks note referred to, as a close colleague. He is the first person to have been awarded a CBE by the Queen for services to software engineering. He founded the UK dependable systems house Praxis High Integrity Systems.
There should be just as much concern about ACD/AID interference, and indeed there is.
Since it seems that the AID wireless connections (for example, to download QAR, or perform other maintenance query tasks), physical separation of networks is impossible.
People may think that means that one should only go wired. They should probably tell that to at least one major airline which downloads QAR data after each flight by GSM link through the local cell phone service, wherever they are.
I have read a high-level description of how the protections work in the various Domains, written by someone who was the architect of one of the major safety-related networks on a large airliner in common use, and who now does not work in aviation. He has a colleague who used to work on the B787 data networks who explained the high-level design of the architecture and its safeguards to him, and he wrote it up for a restricted mailing list. It looks like it has been very carefully thought through, as one would expect from highly experienced safety- and security-critical network designers. We will see if it satisfies the certification criterion or not.
The FAA does much of its certification through the designation system, whereby the FAA designates a manufacturer's engineer as the certification examiner for a specific system or subsystem. It works very well.
I am likely to write a guest blog on this issue soon, on the IEEE Riskfactor blog hosted by Robert Charette, who has already noted the Wired article.
http://blogs.spectrum.ieee.org/riskfactor/
(The IEEE is the organisation that inter alia produces most of the networking standards people know about, such as Ethernet and WLAN.)
PBL
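The requirement quoted in the post above is a reachability property: no data path from the Passenger Information and Entertainment Domain into the Aircraft Control or Airline Information Domains. The following Python check is an added illustration, not code from the poster or from Boeing; the node names, the topology and the AID-side GSM/QAR link are constructed to mirror the discussion and are not the 787's actual architecture.

```python
from collections import deque

# Domains named in the FAA special condition quoted above.
ACD, AID, PIED = "ACD", "AID", "PIED"

def pied_reachability(nodes, links):
    """nodes: {name: domain}; links: iterable of (src, dst) meaning src can
    send data to dst.  Returns every path by which a PIED node reaches an
    ACD or AID node (the requirement demands that this list be empty)."""
    adj = {}
    for src, dst in links:
        adj.setdefault(src, []).append(dst)
    violations = []
    for start, domain in nodes.items():
        if domain != PIED:
            continue
        prev = {start: None}          # visited set plus BFS predecessor map
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in adj.get(cur, []):
                if nxt in prev:
                    continue
                prev[nxt] = cur
                queue.append(nxt)     # keep walking: AID may lead on to ACD
                if nodes[nxt] in (ACD, AID):
                    path, n = [], nxt
                    while n is not None:
                        path.append(n)
                        n = prev[n]
                    violations.append(path[::-1])
    return violations

# Constructed topology (hypothetical, not the 787): passenger Wi-Fi and the
# IFE server in PIED, a QAR server with a GSM modem in AID, flight control in ACD.
NODES = {"cabin_wifi": PIED, "ife_server": PIED,
         "qar_server": AID, "gsm_modem": AID, "fcc_bus": ACD}

# Design A: a two-way gateway between the IFE server and the QAR server.
DESIGN_A = [("cabin_wifi", "ife_server"), ("ife_server", "qar_server"),
            ("qar_server", "ife_server"), ("qar_server", "gsm_modem"),
            ("fcc_bus", "qar_server")]

# Design B: same wiring, but the gateway only passes AID -> PIED traffic
# (e.g. a flight-information feed to the IFE); nothing flows the other way.
DESIGN_B = [l for l in DESIGN_A if l != ("ife_server", "qar_server")]

if __name__ == "__main__":
    for name, design in (("A", DESIGN_A), ("B", DESIGN_B)):
        print(name, pied_reachability(NODES, design) or "no PIED->ACD/AID path")
```

Design A reports every PIED-to-AID path (including the onward hop to the GSM modem), while Design B, whose only cross-domain link is one-way into PIED, reports none; a wireless link on the AID side is not itself a violation unless something in PIED can reach it.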
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
See also my blog entry in the IEEE Risk Factor blog on Jan 19
at http://blogs.spectrum.ieee.org/riskfactor/
The IEEE is the (U.S.) Institute of Electrical and Electronic Engineers, which inter alia develops all the computer and networking and other standards in the U.S., and whose standards (such as Ethernet and Wireless LAN) are often subsequently adopted internationally.
PBL
Join Date: Sep 2005
Location: NZWN New Zealand
Posts: 298
ChristiaanJ wrote
Kiwiguy,
You're obviously talking about EMI.
This thread is about having interconnected IT networks on the plane, so not the same subject at all.
In any case this is not the point...
The point is that aircraft systems do have a vulnerability from whatever source and the cases I cite corroborate it.
Anything on aircraft which is vulnerable to interference is also vulnerable to external hacking through wi-fi or whatever. There does not need to be an actual link between IFE or a laptop. A frayed wire or an unshielded electrical terminal can allow the aircraft to pick up digital signals within the cabin.
This debate began before BA038 lost power on approach.
How fascinating that nobody wants to address the possibility in relation to that incident?
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
Originally Posted by Kiwiguy
Anything on aircraft which is vulnerable to interference is also vulnerable to external hacking through wi-fi or whatever. There does not need to be an actual link between IFE or a laptop. A frayed wire or an unshielded electrical terminal can allow the aircraft to pick up digital signals within the cabin.
aircraft systems, and hacking a network. Compare: turning your vacuum cleaner on next to the TV can cause the picture or sound to go wobbly. That doesn't mean you can program your TV by using your vacuum cleaner.
Originally Posted by Kiwiguy
This debate began before BA038 lost power on approach.
How fascinating that nobody wants to address the possibility in relation to that incident?
Ask yourself the following questions. Where are the FADECs? (Answer: a long way away from passengers). How well are they shielded from ambient RF? (Answer: very, very well). Why would two heavily-shielded devices in physically independent systems at different long distances away from a puny transmitter react at all, let alone in the same way, to RF from that puny transmitter? (Think inverse-square law.)
In contrast, you can be sure that RF interference from ground-based transmitters is being seriously considered. But we are talking high-intensity, probably focussed, powerful sources.
PBL
Join Date: Sep 2005
Location: NZWN New Zealand
Posts: 298
Why would two heavily-shielded devices in physically independent systems at different long distances away from a puny transmitter react at all, let alone in the same way, to RF from that puny transmitter?
FADEC systems still have input from the cockpit because FADEC has to accommodate commands from the pilots.
The biggest idiots are those who don't dare to ask what if for fear of looking stupid.
That doesn't mean you can program your TV by using your vacuum cleaner.
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
OK, kiwiguy, let's compare credentials.
I have been writing and publishing sporadically on the topic of HIRF and its potential influence on avionics for a decade. I have also aided the Canadian TSB in the assessment of HIRF in the investigation into the accident to SW111.
Do you have any education in the physics and engineering of electromagnetic radiation?
Have you read and understood the NASA report on EM fields inside aircraft cabins that is in the TW800 docket? It's a couple of hundred pages long and requires some understanding of 3-dimensional numerical modelling of the Maxwell equations.
Have you read and understood the work that the UK CAA has published on the measured field strengths of cell phone transmissions inside aircraft fuselages?
If so, then we can start to talk seriously about this. If not, then I suggest you do so, so that you will be able to judge what is plausible in the reasoning you propose and what is not.
PBL
Join Date: Aug 2007
Location: Nynäshamn
Age: 79
Posts: 1
Common Core System
I have been working with software development for more than 35 years. I have been working as programmer, system designer and in different management positions within software development.
In addition to the obvious problems connected with the common network in the 787 I am also concerned about the CCS or Common Core System in the CCR Common Computing Resource. In it there will be an operating system (VxWorks 653) managing the different applications running. Those applications will as I understand it be everything from passengers running games or surfing the internet to critical flight systems. It has happened in the past and it will happen again that some bug for instance in an application will crash the operating system. That might very well make the whole thing go down.
Based on my experience I would say that there is no such thing as a complex software system without bugs in it. There are always bugs and it may take years before one suddenly surfaces and brings the system down.
I don’t want the pilots of my flight to a sunny beach sitting in the cockpit trying to restart the CCS.
Pehr
Join Date: Apr 2009
Posts: 309
Originally Posted by cormacshaw
Before you react to this topic, I would caution anybody whose knowledge of computer networks and the capabilities of 'hackers' is largely derived from the media and entertainment industries that they present the 'facts' with as much care and accuracy as they treat aviation!
For those with a working IT knowledge, feel free to tear the FAA a new one as you see fit
I work in IT (Network Administration) and hold a CPL.