C. Warren Axelrod

FAA, GAO … Please Read My Book!

… and my articles, columns, etc. about the dangers of connecting information systems to control systems.

The GAO (US Government Accountability Office) released an April 2015 report, GAO-15-370, on the cybersecurity of air traffic control and avionics systems, with the title “Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity as Agency Transitions to NextGen,” which is available at http://www.gao.gov/assets/670/669627.pdf

The issue of malevolent individuals or terrorists hacking into air traffic and aircraft control systems has been discussed at length. The usual response is denial from the oversight agencies and contractors. Well, yes, researchers demonstrated that they could hack into avionics systems using a smartphone, but that, according to the FAA, EASA, Honeywell and Rockwell Collins, would not be feasible in “the real world” … see my April 21, 2014 BlogInfoSec column “It’s About Time … Tamper-Proofing Aircraft Systems” and also my prior April 10, 2013 BlogInfoSec column “Hacking Avionics Systems.”

So now that we have an authoritative view of the situation from the GAO, what should we do about it? In their report, the GAO first enumerates the following three cybersecurity challenge areas faced by the FAA:

  1. protecting its air traffic control (ATC) information systems,
  2. securing aircraft avionics used to operate and guide aircraft, and
  3. clarifying cybersecurity roles and responsibilities among multiple FAA offices.

The GAO then suggests that the Secretary of Transportation instruct the FAA to do the following:

  • As a first step to developing an agency-wide threat model, assess the potential cost and timetable for developing such a threat model and the resources required to maintain it.
  • Incorporate the Office of Safety into FAA’s agency-wide approach by including it on the Cybersecurity Steering Committee.
  • Given the challenges FAA faces in meeting OMB’s guidance to implement the latest security controls in NIST’s revised guidelines within one year of issuance, develop a plan to fund and implement the NIST revisions within OMB’s time frames.

These are all worthwhile demands, but they are neither sufficiently comprehensive nor do they suggest the required level of urgency. The threats to and vulnerabilities of these systems are growing daily. Security guidelines need to be implemented today, if not sooner. Over the past several years, we have seen pilots replacing piles of paper for navigation information with tablets, with apparent fuel savings in the millions of dollars just from the reduced weight. At some point, these off-the-shelf systems will likely be connected to airplanes’ control systems. Sophisticated passengers, well versed in hacking methods, can supposedly gain access to aircraft flight management systems from ports under their seats. And who knows what well-funded nation states might be able to do?

In my book, “Engineering Safe and Secure Software Systems” (Artech House, 2012), I specifically address issues that arise from combining security-critical information systems and safety-critical control systems. I describe in detail the development lifecycles of both security-critical and safety-critical cyber-physical systems, and how the two lifecycle processes must be brought together, drawing on expertise in both cybersecurity and system safety. It is now more than two years since my book was published, and I wasn’t the first to raise these issues by any means.

What will it take to make all this a top priority and accelerate and expand these government efforts? Perhaps it has already happened. There was an accident on May 9, 2015 in which an Airbus A400M military cargo and troop transport plane crashed on a test flight resulting in the deaths of four persons. Several weeks later it was revealed that the crash was caused by faulty software installation, as described in Mike Wheatley’s article “Faulty Software Install Led to Airbus A400M Plane Crash,” in SiliconAngle, June 1, 2015 … see http://siliconangle.com/blog/2015/06/01/faulty-software-install-led-to-airbus-a400m-plane-crash/

There have been other software failures in modern aircraft that fortunately didn’t lead to loss of life. Do we have to witness a major disaster before the authorities take this matter more seriously and place tighter deadlines on putting stringent security-safety measures in place? Implementing security controls “within one year of issuance” of NIST’s revised guidance isn’t good enough, by far. We need them now.
