The FAA Is Arguing for Security by Obscurity
In a proposed rule, the FAA argues that software in the Embraer S.A. Model ERJ 190-300 airplane is secure because it’s proprietary:
In addition, the operating systems for current airplane systems are usually and historically proprietary. Therefore, they are not as susceptible to corruption from worms, viruses, and other malicious actions as are more-widely used commercial operating systems, such as Microsoft Windows, because access to the design details of these proprietary operating systems is limited to the system developer and airplane integrator. Some systems installed on the Embraer Model ERJ 190-300 airplane will use operating systems that are widely used and commercially available from third-party software suppliers. The security vulnerabilities of these operating systems may be more widely known than are the vulnerabilities of proprietary operating systems that the avionics manufacturers currently use.
Longtime readers will immediately recognize the “security by obscurity” argument. Its main problem is that it’s fragile. The information is likely less obscure than you think, and even if it is truly obscure, once it’s published you’ve just lost all your security.
This is me from 2014, 2004, and 2002.
The comment period for this proposed rule is ongoing. If you comment, please be polite—they’re more likely to listen to you.
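As an added illustration of the fragility argument above (example code written for this page, not part of the original post or of any FAA or Embraer material), the script below compares two message-integrity schemes: a hypothetical "proprietary" tag whose only protection is that outsiders do not know the transformation, and an HMAC-SHA256 tag whose algorithm is public but whose key is secret. It then models the moment the design leaks. The vendor constant, the key and the sample message are all constructed for the demonstration.

```python
"""Added example: why obscurity-only protection fails the moment the design is known.

Scheme 1 ("obscure_tag") has no secret key; its protection rests entirely on nobody
outside the vendor knowing the transformation. Scheme 2 ("keyed_tag") is the public
HMAC-SHA256 construction with a secret key. The "adversary_*" functions model an
attacker who has just obtained the design details of both schemes.
All constants and messages are constructed for the illustration.
"""
import hashlib
import hmac
import secrets

# --- Scheme 1: security by obscurity ---------------------------------------
# A hypothetical vendor checksum: the message hashed together with a fixed
# constant baked into the firmware. It is a constant, not a key; once the
# firmware is read or the design document leaks, nothing is secret any more.
_VENDOR_CONSTANT = b"proprietary-avionics-constructed"   # constructed, fixed

def obscure_tag(message: bytes) -> bytes:
    return hashlib.sha256(_VENDOR_CONSTANT + message).digest()

# --- Scheme 2: public algorithm, secret key --------------------------------
def keyed_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(keyed_tag(key, message), tag)

# --- Adversary model: the design has leaked --------------------------------
def adversary_forges_obscure(message: bytes) -> bytes:
    """Knowing the 'proprietary' algorithm, forging a tag is just running it."""
    return hashlib.sha256(_VENDOR_CONSTANT + message).digest()

def adversary_forges_keyed(message: bytes, guessed_key: bytes) -> bytes:
    """Knows the algorithm (HMAC-SHA256) but not the key, so can only guess."""
    return hmac.new(guessed_key, message, hashlib.sha256).digest()

def demo() -> dict:
    """Run both schemes against the leaked-design adversary and report outcomes."""
    key = secrets.token_bytes(32)                 # constructed: fresh random key
    msg = b"NAV-DATA-UPDATE-constructed-sample"   # constructed sample message
    return {
        # Publishing the design breaks scheme 1 completely: the forgery verifies.
        "obscure_forged": adversary_forges_obscure(msg) == obscure_tag(msg),
        # Publishing the design leaves scheme 2 intact: a wrong key does not verify.
        "keyed_forged": verify_keyed(key, msg, adversary_forges_keyed(msg, b"\x00" * 32)),
        # The legitimate holder of the key still verifies its own tags.
        "keyed_genuine": verify_keyed(key, msg, keyed_tag(key, msg)),
    }

if __name__ == "__main__":
    print(demo())
```

The point the output makes is the one in the post: the "obscure" scheme had exactly as much security as the secrecy of its design, and that secrecy is gone the instant the design is published, while the keyed scheme loses nothing because its security was never in the algorithm.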
William Woody • June 26, 2017 7:32 AM
On reading the proposed FAA rule (and knowing something about the way avionics are designed), it sounds to me like what Embraer is doing with their new aircraft is introducing some systems (probably the in-flight entertainment system) which use off-the-shelf operating systems (probably Linux), and have provided a gateway between the entertainment system (“the passenger-entertainment domain”) and the aircraft monitoring domain for control purposes (the “aircraft safety domain”).
And it seems they are requiring the FAA to establish additional safety requirements–specifically, requiring a “security-risk assessment”. (Also, see item 1 of the “special conditions” at the end.)
Previously, aircraft have never physically connected the passenger-entertainment domain and the aircraft safety domain: most modern aircraft run two completely separate and physically disconnected systems. The only physical way to access the aircraft safety domain was through the cockpit and through external access panels that can only be opened on the ground. Also note that most modern aircraft’s flight control services are on a separate physical system–generally controlled through hydraulics assisted with control cables, or through electronic signals sent through separate cables that do not interact with the aircraft safety domain. (This is so that the aircraft remains under pilot control even if the in-flight electronics blow up.) Modern aircraft are also required to provide a backup mechanical compass, mechanical airspeed indicator and mechanical attitude display. This allows an aircraft with a complete failure of all avionics to receive guidance from air traffic control and land safely.
I think this is a good thing because the FAA is realizing that aircraft have in-flight network systems and they must embrace computer network security as part of the airworthiness design process. Until now, intrusion tests were not necessary because there was no physical connection–but as designers move forward with aircraft that require fewer people to fly, eventually things like in-flight entertainment will need to be controlled from within the cockpit. Further, pilots may wish to use the in-flight Wi-Fi to receive updated navigation and weather products when available.
So if I were to comment I would suggest ways in which intrusion detection can be performed. Think of the FAA as a bunch of old pilots who are trying to figure out new technology; be kind, realize these are smart people, and help them learn how to perform intrusion testing.
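As an added sketch of the kind of gateway the comment above describes (example code written for this page; it is not the commenter's, Embraer's or the FAA's, and the domain names, message types and sample traffic are all constructed, not the aircraft's real protocol), the script below enforces an explicit allowlist on anything crossing between the passenger-entertainment domain and the aircraft safety domain, logs every decision, and runs a simple detection rule over the log: legitimate traffic should never be denied, so a source that accumulates denials is worth an alert.

```python
"""Added example: an allowlist-enforcing domain gateway with an audit log feeding
a simple detection rule. Domain names, message types and sample traffic are
constructed for the illustration and are not any real avionics protocol.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PASSENGER_DOMAIN = "passenger-entertainment"   # constructed domain name
SAFETY_DOMAIN = "aircraft-safety"              # constructed domain name

# Explicit allowlist per (source, destination) pair. Anything not listed is
# denied. Note the asymmetry: the safety domain may push display data out,
# but only a read-only status message may come in from the passenger side.
ALLOWED: Dict[Tuple[str, str], Set[str]] = {
    (PASSENGER_DOMAIN, SAFETY_DOMAIN): {"IFE_STATUS_READONLY"},   # constructed type
    (SAFETY_DOMAIN, PASSENGER_DOMAIN): {"MAP_POSITION"},          # constructed type
}

@dataclass
class Message:
    src_domain: str
    dst_domain: str
    msg_type: str
    payload: bytes

@dataclass
class Gateway:
    audit_log: List[str] = field(default_factory=list)
    denied_count: int = 0

    def forward(self, m: Message) -> bool:
        """Return True if the message is passed through, False if it is dropped.
        Every decision is written to the audit log, allowed or not."""
        allowed = m.msg_type in ALLOWED.get((m.src_domain, m.dst_domain), set())
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(
            f"{verdict} {m.src_domain}->{m.dst_domain} type={m.msg_type} len={len(m.payload)}"
        )
        if not allowed:
            self.denied_count += 1
        return allowed

def flag_denied_sources(gw: Gateway, threshold: int = 3) -> List[str]:
    """Detection rule: report any source domain with >= threshold denied
    messages. Correctly integrated systems never send traffic the allowlist
    rejects, so repeated denials indicate misconfiguration or probing."""
    counts: Dict[str, int] = {}
    for line in gw.audit_log:
        if line.startswith("DENY "):
            src = line.split()[1].split("->")[0]
            counts[src] = counts.get(src, 0) + 1
    return [f"{src}: {n} denied messages" for src, n in counts.items() if n >= threshold]

def demo() -> dict:
    """Run constructed sample traffic through the gateway and the detection rule."""
    gw = Gateway()
    traffic = [  # constructed sample traffic
        Message(PASSENGER_DOMAIN, SAFETY_DOMAIN, "IFE_STATUS_READONLY", b"ok"),
        Message(PASSENGER_DOMAIN, SAFETY_DOMAIN, "CONFIG_WRITE", b"..."),
        Message(PASSENGER_DOMAIN, SAFETY_DOMAIN, "DIAG_QUERY", b""),
        Message(PASSENGER_DOMAIN, SAFETY_DOMAIN, "UNKNOWN_TYPE", b"\x7f"),
        Message(SAFETY_DOMAIN, PASSENGER_DOMAIN, "MAP_POSITION", b"lat,lon"),
    ]
    passed = [gw.forward(m) for m in traffic]
    return {"passed": passed, "denied": gw.denied_count, "alerts": flag_denied_sources(gw)}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design choice worth noting is that the policy is a closed allowlist rather than a blocklist of known-bad message types: the gateway's security does not depend on the attacker being ignorant of the protocol, only on the policy being correct, which is exactly the property the post argues a proprietary operating system does not provide.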