Says Some Computer Systems May Be Vulnerable To Outside
Attacks
The FAA published a notice in the
CFR earlier this month indicating some computer systems on the
747-8 and 747-8F may be vulnerable to outside attacks due to the
nature of their connectivity. And the agency said current
airworhiness standards do not take the vulnerability into
account.
"This airplane will have novel or unusual design features
associated with the architecture and connectivity capabilities of
the airplane's computer systems and networks, which may allow
access to external computer systems and networks," the agency
published in the Federal Register. "Connectivity to external
systems and networks may result in security vulnerabilities to the
airplane's systems. The applicable airworthiness regulations do not
contain adequate or appropriate safety standards for these design
features. These special conditions contain the additional safety
standards that the Administrator considers necessary to establish a
level of safety equivalent to that established by the existing
airworthiness standards."
The suspect systems are described as digital systems
architecture composed of several connected networks. The
architecture and network configuration may be used for, or
interfaced with, a diverse set of functions, including:
- Flight-safety related control, communication, and navigation
systems (aircraft control domain).
- Airline business and administrative support (airline
information domain).
- Passenger information and entertainment systems (passenger
entertainment domain).
- The capability to allow access to or by external network
sources.
The FAA's concern is that the architecture and network
configuration may allow the exploitation of network security
vulnerabilities resulting in
intentional or unintentional destruction, disruption, degradation,
or exploitation of data, systems, and networks critical to the
safety and maintenance of the airplane. The existing regulations
and guidance material did not anticipate these types of airplane
system architectures. Furthermore, 14 CFR regulations and current
system safety assessment policy and techniques do not address
potential security vulnerabilities, which could be exploited by
unauthorized access to airplane networks, data bases, and servers.
Therefore, these special conditions and a means of compliance are
provided to ensure that the security (i.e., confidentiality,
integrity, and availability) of airplane systems is not compromised
by unauthorized wired or wireless electronic connections.
The FAA is requiring Boeing to ensure electronic system security
protection for the aircraft control domain and airline information
domain from access by unauthorized sources external to the
airplane, including those possibly caused by maintenance activity.
It further says Boeing must ensure that electronic system security
threats from external sources are identified and assessed, and that
effective electronic system security protection strategies are
implemented to protect the airplane from all adverse impacts on
safety, functionality, and continued airworthiness.
The order currently applies only to the 747-8 and -8F, but the
FAA says "Should Boeing apply at a later date for a change to the
type certificate to include another model incorporating the same
novel or unusual design features, these special conditions would
apply to that model as well."
ANN FAQ: Contributing To Aero-TV
See All