C. Warren Axelrod

Aircraft Software Systems Concerns – Two More Data Points

I recently travelled to and from Europe on two different aircraft operated by two different airlines, and there were significant problems on both trips with the in-flight entertainment systems. On both flights the systems had to be rebooted and they still continued to fail and needed to be reset.

Why is this important? In simple terms, if critical avionics systems were as unreliable as aircraft entertainment systems, nobody would fly.

As described in my book, Engineering Safe and Secure Software Systems (Artech House, 2012), there are different levels of certification for aircraft computer systems. These levels are based upon the amount and seriousness of harm that could potentially be inflicted as a result of the malfunction or failure of various types of software systems. A table of these levels, taken from the RTCA/DO-178B Standard applied to aircraft certification, is shown here:

| System | Type | Certification Level |
| --- | --- | --- |
| Flight control system | Control | Level A. Catastrophic |
| Cockpit display and controls | Control | Level A. Catastrophic |
| Flight management system | Control | Level A. Catastrophic |
| Brakes & ground guidance system | Control | Level B. Hazardous |
| Centralized alarms management | Information | Level C. Major |
| Cabin management system | Information | Level D. Minor |
| Onboard communications system | Information | Level D. Minor |
| Centralized maintenance system | Information | Level D. Minor |
| Entertainment system | Information | Level E. None |

It is clear from the above categorization why entertainment systems have been allowed to deteriorate on so many aircraft.

However, from the passenger viewpoint, it is very disconcerting to see just how poorly such entertainment systems are maintained since, in the first place, these are the systems that passengers are most directly exposed to and, second, there are serious implications regarding the quality of maintenance of other more critical systems. Perhaps the aircraft manufacturers and the airlines are taking the approach that they will only apply the minimum care and due diligence that enables them to meet the various levels in the standard.

This situation is all well and good (though questionable) as long as the control systems are isolated from the information systems. That may well have been true in the past, but it is highly questionable that it will remain so going forward as systems are interconnected. It has already been shown that it is theoretically possible to hack aircraft from an Android phone; see my April 22, 2013 BlogInfoSec column “Hacking Avionics Systems,” where I refer to Zeljka Zorz’s April 10, 2013 blog post “Hacking airplanes with an Android phone,” which describes how someone using a smartphone with particular apps might be able to take over the flight management systems of aircraft (see http://www.net-security.org/secworld.php?id=14733). Of course, we see from the above table that a successful exploit against flight management systems could be catastrophic.

Also, automotive vehicle systems are subject to a similar set of certification requirements, called “SILs” for “safety integrity levels,” with steer-by-wire and brake-by-wire systems at the most stringent level, namely SIL 3, and good old entertainment systems, along with navigation and diagnostic systems, not warranting any SIL. However, as vehicles’ electronic systems take over more and more critical functions, it is becoming increasingly feasible to commandeer speed, direction, braking, etc. electronically. While auto manufacturers try to comfort drivers and passengers with assertions that control and information systems are separate, you will not be mollified if you read Andy Greenberg’s Forbes article, “Hackers Reveal Nasty New Car Attacks—With Me Behind The Wheel (Video)” at http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/ and especially if you watch the video. You might also find my BlogInfoSec column “Driverless Vehicles—From No Liability to High Risk” helpful in gaining a broader view of the issues.

In summary, the traditional classifications of computer systems and networks with respect to the harm that they might inflict may no longer be appropriate or viable. As systems are interconnected and connected to public networks, they take on the damage level of the most dangerous of their components. It is not reassuring to be told that control and information systems are separate or air-gapped when we are seeing the integration of various critical and non-critical systems create new vectors for potential attacks on safety-critical systems. And as I write in my book, Engineering Safe and Secure Software Systems, there remains a considerable gap in knowledge, understanding and culture between InfoSec folks and software safety engineers, which has to be rapidly closed if we are to avoid catastrophic attacks through seemingly innocuous routes.
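As an added illustration of the interconnection argument above (example code, not part of the original column), the following Python assigns each system its DO-178B level from the table and then treats every system in a connected group as inheriting the most severe level present in that group. The system names and the links between them are assumed for the example.

```python
from collections import deque

# DO-178B levels from the table above; lower rank = more severe failure effect.
LEVEL_RANK = {"A": 0, "B": 1, "C": 2, "D": 3, "E": 4}

# Certified level per system, taken from the table on this page (names are assumed).
CERTIFIED = {
    "flight_control": "A",
    "flight_management": "A",
    "cabin_management": "D",
    "onboard_comms": "D",
    "entertainment": "E",
}

def reachable(start, links):
    """All systems reachable from `start` over undirected links, itself included."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def effective_level(system, links, certified=CERTIFIED):
    """Most severe certified level among everything `system` is connected to."""
    return min((certified[s] for s in reachable(system, links)), key=LEVEL_RANK.get)

def escalated(links, certified=CERTIFIED):
    """Systems whose inherited level is more severe than their own certification,
    mapped to (certified, inherited): the low-assurance parts that now sit on a
    path to safety-critical ones."""
    out = {}
    for system, own in certified.items():
        inherited = effective_level(system, links, certified)
        if LEVEL_RANK[inherited] < LEVEL_RANK[own]:
            out[system] = (own, inherited)
    return out

# Constructed scenario: the entertainment system first touches only cabin
# management (levels D/E); a comms link then bridges it to flight management (A).
ISOLATED = [("entertainment", "cabin_management")]
BRIDGED = ISOLATED + [("cabin_management", "onboard_comms"),
                      ("onboard_comms", "flight_management")]
```

With ISOLATED the entertainment system only inherits level D; with BRIDGED the whole group, entertainment included, inherits level A, which is the point about assurance collapsing to the most critical reachable component.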
