Another Big Lesson from Flight MH370

What we don’t need is another “expert opinion” as to what might have happened to the Malaysia Airlines Boeing 777 that disappeared on the early morning of Saturday, March 8, 2014 … and (who knows?) by the time this column is posted the mystery could have been solved. We all sincerely hope so.

While so much of the opinion offered by self- and media-proclaimed “experts” is purely speculative, it does appear that a person might have disabled the transponder on the plane manually, removing a major source of information about the location of the aircraft. If this is the case … and we may never know for sure … then it calls into question how certification levels of various on-board avionics systems are specified.

In my November 25, 2013 BlogInfoSec column, “Aircraft Software Systems Concerns – Two More Data Points,” I describe the various certification levels required for specific types of system on an aircraft. For the most part, control systems must meet much more stringent requirements than information systems, as would be expected since flight control systems clearly need to keep passengers and crew safe.

It is interesting to note the failure condition classifications for transponders in Australian Technical Standard Order C1004a… see

The designated failure conditions are as follows:

  •  An un-annunciated failure resulting in loss of the … transmit function is classified as Minor, and
  • An un-annunciated failure resulting in broadcast of incorrect … messages is classified as Major.

What is interesting in the above is that loss of transponder data integrity is rated as more hazardous than data unavailability. This is presumably because incorrect information could lead to crashes due to misrepresented aircraft locations. Up until now, a non-functioning transponder was considered to have a minor impact, presumably because there are usually other means of transmitting information about the location of the plane to air-traffic controllers and to other planes. However, the disappearance of flight MH370 suggests a consequence that might be considered catastrophic, namely, the loss of a plane and the inability to determine its location over what is thought to have been many hours.

It comes down to the importance of various aspects of security (i.e., confidentiality, integrity and availability) to the safety of the plane, passengers and crew. As I have mentioned on a number of previous occasions, and in my book “Engineering Safe and Secure Software Systems,” there is a need to have information security experts involved in the design and development of all critical systems, especially safety-critical systems. There are those who dismiss this proposition as being impractical but, as we experience an increasing number of cases in which critical software-intensive systems are not protected from unauthorized or inappropriate access and actions, we see the need to have full consideration of security included in the design and development of all such systems. As systems become ever more complex, and as the dependency on software components increases, the need becomes so much the greater.

While I am not saying that, in the particular instance of the transponder on flight MH370, improved identity and access management and stronger authentication, combined with physical security measures, would have made a significant difference, I do think that there is a chance that such features could have done so. Time may tell. Meanwhile, we need to recognize that safety-critical systems need to be secured and that securing such systems requires expertise that is usually not within the purview of safety engineers responsible for the design and manufacture of these types of systems.

Post a Comment

Your email is never published nor shared. Required fields are marked *