Aircraft systems are becoming ever more connected to the outside world. While the Boeing 787, the Airbus 380 and the Airbus 350 are touted as e-Enabled, older models are rushing to catch up. The trajectory is clearly to link more and more to the outside world, not just for the passengers but for the pilots, and not just through staid airline data links but over the Internet. Cockpit doors lock out the bad guys, but is the information inside the vault as secure as it should be?
Installation of the Honeywell Wireless Data Loader for Primus Epic Cockpits. Photo: Honeywell.
Pilots of experimental and light sport aircraft already can buy applications that let them use iPads and iPhones to push data, such as route updates, to their avionics. Airlines also want to use the Internet not only for passenger entertainment but also for business productivity. Avionics companies are poised to deliver products in the near term. But a complicating issue is how best to protect the airline flight deck from the attack vectors that this new avenue could open up.
“In everyday life we all are very connected,” says Ken Snodgrass, Honeywell’s vice president of marketing and product management for integrated cockpits. The shift is slower in the cockpit because of the certification process, but this development is not really in the future anymore.
This year Honeywell expects to complete the certification of a wireless data loader for Primus Epic cockpits used in business and regional aviation. The drop-in replacement and forward-fit equipment initially will be certified for ground use only, but it is designed to work during flight using the Internet. The data loader is intended to be able to transfer data securely from the aircraft in flight to an airline or to flight operations for a business jet. The signal would travel from the airplane via a satellite link to an Earth station, to a Honeywell server, and the appropriate destination.
Once the signal hits the Honeywell server, it would travel to the recipient via the Internet, but in a carefully restricted manner. “Firewall” hardware and software on the airplane system would only talk to devices with certain security certificates using fully encrypted communications, Snodgrass explains. A Public Key Infrastructure (PKI) certificate authority tailored to the aerospace industry would provide these certificates, he says.
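The certificate rule Snodgrass describes, written out as an added example that is not Honeywell’s code: the aircraft side trusts exactly one root, an aerospace-industry CA, and admits a peer only if its certificate chains to that root and is valid at connection time. The program below constructs a throwaway aerospace CA, an unrelated CA, and three device certificates, then reports the gate’s verdict on each. All CA and device names are invented for the example; nothing here is a real aerospace PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert signs tmpl with parent/parentKey; with a nil parent the certificate is self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mustCert unwraps newCert's result; the certificates here are constructed test data.
func mustCert(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
	if err != nil {
		panic(err)
	}
	return c, k
}

// caTemplate describes a constructed certificate authority (hypothetical name).
func caTemplate(name string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// deviceTemplate describes a ground-side endpoint that wants to talk to the aircraft.
func deviceTemplate(name string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// Gate models the aircraft-side rule: a peer is admitted only if its certificate chains
// to the aerospace CA and is valid now. No other root (public web CAs included) is trusted.
type Gate struct{ roots *x509.CertPool }

func NewGate(aeroCA *x509.Certificate) *Gate {
	pool := x509.NewCertPool()
	pool.AddCert(aeroCA)
	return &Gate{roots: pool}
}

func (g *Gate) Admit(peer *x509.Certificate, now time.Time) error {
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:       g.roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenario builds the constructed CAs and three devices and reports the gate's verdict on
// a device under the aerospace CA, one under an unrelated CA, and an expired aerospace device.
func Scenario() (aeroAdmitted, foreignAdmitted, expiredAdmitted bool) {
	now := time.Now()
	aeroCA, aeroKey := mustCert(newCert(caTemplate("Constructed Aerospace CA", 1, now), nil, nil))
	foreignCA, foreignKey := mustCert(newCert(caTemplate("Constructed Public Web CA", 2, now), nil, nil))
	good, _ := mustCert(newCert(deviceTemplate("ops-server", 10, now.Add(-time.Hour), now.Add(time.Hour)), aeroCA, aeroKey))
	foreign, _ := mustCert(newCert(deviceTemplate("ops-server", 11, now.Add(-time.Hour), now.Add(time.Hour)), foreignCA, foreignKey))
	expired, _ := mustCert(newCert(deviceTemplate("old-loader", 12, now.Add(-48*time.Hour), now.Add(-24*time.Hour)), aeroCA, aeroKey))
	gate := NewGate(aeroCA)
	return gate.Admit(good, now) == nil, gate.Admit(foreign, now) == nil, gate.Admit(expired, now) == nil
}

func main() {
	a, f, e := Scenario()
	fmt.Println("aerospace-CA device admitted:", a, "| foreign-CA device admitted:", f, "| expired device admitted:", e)
}
```

The point of the second device is that a certificate which is perfectly valid on the public Internet still gets nowhere: the gate’s trust store contains only the industry CA, so “has a certificate” is not the same as “has one of ours.” In a deployed system the same check would run inside the TLS handshake (mutual TLS with a pinned root) rather than on a parsed certificate, and would add revocation checking, which this example omits.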
“There are no direct hacking paths into the flight deck,” says Daniel Johnson, an engineer fellow on advanced technology at Honeywell Aerospace. “Real threats would be indirect and complicated, but negligence and error will always be around. It’s the combined results that worry me most — when someone deliberately creates a dangerous automated script or virus that is then spread through negligence and error.”
The biggest cyber threats to aviation systems are probably malware and human error in following practices and procedures, says Ernie Arvai, a partner in AirInsight, an aviation business consultancy. He cites the possible use of infected computers to upload information to aircraft. “Still, the more connectivity we put into an airplane (the more the cockpit and cabin are connected to the Internet) the more chances there are for people to try to hack in,” he says.
The best protections we have today in commercial aviation are tight control over aircraft configurations in software and databases, and separation of non-critical from critical aircraft systems, according to Johnson. Quality assurance is also built into the software development process.
Current commercial transports, for example, “use separate satcom and Wi-Fi systems for cabin versus flight deck purposes,” he explains. “They will include separate systems for cabin satcom, passenger Wi-Fi, cockpit satcom and, in some advanced aircraft, maintenance Wi-Fi. It is also important to note that the separation is mandated.” As systems become more and more accessible, however, “we will need to increase our ability to detect and respond to cyber security events,” he adds.
On the positive side, essential systems are designed to be “fail operational,” Johnson pointed out in a presentation. The pilot is in the loop, monitoring traffic, radios, and flight plans, and able to recognize irregularities and land the plane in an emergency, even without the help of air traffic controllers and non-essential systems. On the deficit side, the aircraft’s autonomy and mobility mean there is “no system administrator,” so that “active detection and response to cyberattack is currently difficult or impossible,” he says.
It’s also important to think about security as a process, not just as an applied technology, says Don Kearney, senior engineering manager with Rockwell Collins’ commercial systems security engineering team. The unit performs ongoing security assessments of products, as security threats emerge.
The FAA has not been oblivious to security concerns. For many years it has recognized DO-178 as a standard for the development of aviation software. Although DO-178 is a safety standard, in the avionics world, safety and security are closely related areas. The more recent DO-326A specification specifically addresses security needs, providing guidance to certification authorities for achieving security in aircraft with information systems, Kearney says. But the agency seems to have realized that more is needed. On Feb. 3, it announced the assignment of a new task for its Aviation Rulemaking Advisory Committee (ARAC). This is to provide recommendations on Aircraft Systems Information Security Protection (ASISP).
The Federal Register announcement expresses concern with updating ASISP guidance and regulations to meet evolving threats. The agency would like input for possible changes to rulemaking, policy, and best practices for certification and continued airworthiness purposes. The agency mentions the need to prevent “unauthorized access to aircraft systems and networks,” which could result in “malicious use of networks and [the] loss or corruption of data” via “software worms, viruses, or other malicious entities.” It also cites the need to harmonize its approach with that of other authorities.
The FAA has a “special conditions” process, requiring plans on how to address security issues raised by new aircraft features in the certification process. The particulars regarding specific cases, however, are not publicly available. So now the agency says that the development of an Advisory Circular (AC) or other guidance on ASISP best practices and security controls may be appropriate. The initiative is an effort to formalize the security approach used in aircraft certification, according to Kearney.
The MyMaintainer app allows maintainers to rapidly access and analyze information in the fault history database. Pilots also can use the app to download maintenance data onto their iPads in remote locations.
The emergence of multicore processors further raises the bar for analyzing the security and safety requirements of flight systems. There is still a lot to be investigated in this area at the industry level, Kearney says. “It adds a little complexity to safety and security” but also provides a means for segregating functionality, he adds.
One of the issues with multicore processors is that a lot of them have shared resources, explains Joe Wlad, senior director of safety certification for Real-Time Operating System (RTOS) developer Wind River. That means that things running on one core can have visibility or access to things that run on another core. So, if they share information, one core may be able to see what’s happening in another core. That’s difficult to deal with — “you may need to add some special protection mechanisms to isolate that,” Wlad says.
Wind River is going through a DO-178, Level A, safety certification for a quad-core product, using the new “multicore edition” version of its VxWorks 653 real-time operating system. The company hopes for completion by late 2016. DO-178 is a foundation for some security requirements, as it relates to availability, a key security attribute.
In some multicore modules available today there are 2 billion transistors, including the aggregate of processing, graphics, memory and other functions. That gives rise to more states of operation than can be fully verified in a practical sense. Therein lies the conundrum, Wlad says. If one doesn’t know, with 100 percent confidence, how such a complex part would work, how can one know that it is totally safe and secure?
You need extra mechanisms for security, Wlad says. You need confidence not only in knowing how a system would behave but also in knowing how it wouldn’t behave. Still, the concepts of how to address safety and security at the operating system level are largely the same. The operating system can do some of this, but it’s not a silver bullet, he warns. “We can’t protect the user from all the safety concerns.” Penetration testing may be the next layer of protection, he says, but penetration testing still is not a guarantee.
Penetration testing is performed to prove what the risk level is at the external interfaces, Kearney says. The regulators “basically want to know what potential things can be accessed at that point,” he says. Penetration testing has been going on for many years in other industries but is relatively new to aviation, he adds. Rockwell Collins performs penetration testing early in the development process — at the “onset of the code set,” he says.
Security scrutiny in the U.S., meanwhile, has shifted from the product level to the system level through the use of standards like NIST 800-53. That standard looks at the entire IT infrastructure of a company, Wlad says. It also shifts some of the burden to the integrators, he adds.
Avionics real-time operating systems guarantee availability, explains Michael Putney, security certification lead engineer for RTOS developer Lynx Software Technologies. “We are agnostic to what is writing on top of us.” When it comes to “interface creep,” there needs to be a firewall or filter between the untrusted and the trusted domains. “We provide the partitioning, so that people could build a filter,” but the filter would be an application-level function.
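What such an application-level filter looks like, as an added example that is not Lynx Software’s or any vendor’s code: the RTOS keeps the untrusted and trusted partitions apart, and this code is the function that sits at the boundary and decides, deny-by-default, which messages may cross. It accepts only message kinds on an explicit allow-list, requires every field of that kind to be present and within bounds, and rejects unknown kinds, unknown or duplicate fields, and oversize input. The message format, kinds, field names and limits are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// maxMessageLen bounds what the trusted side will even look at (constructed limit).
const maxMessageLen = 256

// Msg is a message that has passed the filter and may be handed to the trusted domain.
type Msg struct {
	Kind   string
	Fields map[string]string
}

// identRe matches short upper-case identifiers such as a waypoint or station code.
var identRe = regexp.MustCompile(`^[A-Z0-9]{3,5}$`)

// intInRange returns a check that the value is an integer within [lo, hi].
func intInRange(lo, hi int) func(string) bool {
	return func(s string) bool {
		n, err := strconv.Atoi(s)
		return err == nil && n >= lo && n <= hi
	}
}

// schema is the allow-list: each admitted kind, its required fields, and one check per field.
// Anything not listed here never reaches the trusted side. Kinds and fields are constructed.
var schema = map[string]map[string]func(string) bool{
	"ROUTE_UPDATE": {"waypoint": identRe.MatchString, "alt_ft": intInRange(0, 60000)},
	"WX_REPORT":    {"station": identRe.MatchString, "wind_kt": intInRange(0, 300)},
}

// Filter admits raw only if it matches the schema exactly. The input format is a line of
// whitespace-separated tokens: a message kind followed by key=value fields.
func Filter(raw string) (Msg, error) {
	if len(raw) > maxMessageLen {
		return Msg{}, fmt.Errorf("message exceeds %d bytes", maxMessageLen)
	}
	tokens := strings.Fields(raw)
	if len(tokens) == 0 {
		return Msg{}, fmt.Errorf("empty message")
	}
	kind := tokens[0]
	checks, ok := schema[kind]
	if !ok {
		return Msg{}, fmt.Errorf("message kind %q is not permitted across the boundary", kind)
	}
	fields := make(map[string]string, len(checks))
	for _, tok := range tokens[1:] {
		key, val, found := strings.Cut(tok, "=")
		if !found {
			return Msg{}, fmt.Errorf("malformed token %q", tok)
		}
		check, known := checks[key]
		if !known {
			return Msg{}, fmt.Errorf("field %q is not permitted for %s", key, kind)
		}
		if _, dup := fields[key]; dup {
			return Msg{}, fmt.Errorf("duplicate field %q", key)
		}
		if !check(val) {
			return Msg{}, fmt.Errorf("field %q has an invalid value %q", key, val)
		}
		fields[key] = val
	}
	// Every field the schema requires must be present; a partial message is not forwarded.
	for key := range checks {
		if _, present := fields[key]; !present {
			return Msg{}, fmt.Errorf("required field %q is missing", key)
		}
	}
	return Msg{Kind: kind, Fields: fields}, nil
}

func main() {
	// Constructed sample traffic as it might arrive from the untrusted side of the boundary.
	samples := []string{
		"ROUTE_UPDATE waypoint=KJFK alt_ft=35000",
		"WX_REPORT station=KBOS wind_kt=18",
		"SW_LOAD image=fms_v2.bin",
		"ROUTE_UPDATE waypoint=KJFK alt_ft=99999",
		"ROUTE_UPDATE waypoint=KJFK",
		"ROUTE_UPDATE waypoint=KJFK alt_ft=35000 extra=1",
	}
	for _, s := range samples {
		if m, err := Filter(s); err != nil {
			fmt.Printf("REJECT %-50q %v\n", s, err)
		} else {
			fmt.Printf("ACCEPT %s %v\n", m.Kind, m.Fields)
		}
	}
}
```

The design choice to note is that the filter never tries to recognise bad messages; it only recognises good ones, and everything else is dropped. That is what lets the trusted partition stay simple: the parsing of anything irregular happens on the untrusted side of the line, and a change to the allowed traffic is a change to the schema table, not to the RTOS partitioning underneath it.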
The wider, systems-level view that is being taken toward security means that “you really can’t maintain the same level of rigor in a system as you could with a product,” Putney says. “We can basically check off the list of things we provide,” while the integrator would have to do other things as part of the systems work.
Multicore technology can be convenient in implementing the partitioning that is already required for safety purposes — partitioning ensures that functions at different levels of safety, hosted on the same module, are kept separate. But the operating system will have to catch stray interrupts and ignore them, Putney says. It will have to make sure that a core, which the operating system dedicates to one thing, remains undisturbed in the presence of additional, potentially unwanted interrupts.
Derived from a 2013 presentation by Daniel Johnson, an engineer fellow, advanced technology, with Honeywell Aerospace. See: http://bit.ly/1ytsvVX
Charlotte Adams has written about aerospace and defense systems, operations and maintenance issues for 30 years. She is a contributor to Avionics, Aviation Maintenance and other industry publications and can be reached at firstname.lastname@example.org.