The US Government Accounting Office has published a report on the vulnerability of FAA equipment and avionics to cyberattack (http://www.gao.gov/products/GAO-15-370). It makes three main points. The third one is organisational; I am concerned here with the first two.

First, the FAA has not developed and apparently doesn't intend to develop a threat model for its ground-based systems. Unsurprisingly, the GAO thinks it might be a good idea to do so.

Many FAA ground-based systems are decades old and were installed in an era which didn't need to worry as much about cybersecurity. Many of them are dedicated systems, so some physical access would be required. But some are not. Does anyone remember the NY ATC outage a quarter century ago (http://catless.ncl.ac.uk/Risks/12.36.html#subj1.1)? Failure of a commercial 4ESS switch took out ATC. I seem to remember (or was it another incident?) ATCOs coordinating by using their private mobile phones. A DoS attack on ATC communications nowadays could take out a commercial switch but would have to take out the cellular phone comms also. So there's the first entry for the threat model.

Second, the GAO queries the wisdom of critical avionics and passenger in-flight entertainment systems (IFE) sharing network resources. So did many of us when it was first mooted (for the Boeing 787, I seem to recall). Because, after all, the best start on assuring non-interference is physical separation of networks and good shielding. And indeed someone recently claimed on Fox News to be able to hack avionics through the IFE (http://www.foxnews.com/us/2015/04/17/security-expert-pulled-off-flight-by-fbi-after-exposing-airline-tech/). He was apparently subsequently pulled from a flight out of Denver by the FBI, interviewed for a number of hours and relieved of some kit.

People may think: "shooting the messenger". But hang on. Roberts told Fox News (I quote from Fox) "We can still take planes out of the sky thanks to the flaws in the in-flight entertainment systems...."

Here is a guy who claims publicly to be able to "take planes out of the sky" getting on an airplane with computer equipment. It is surely the task of security services to ensure he is not a threat in any way. If you were a passenger on that airplane, wouldn't you like at least to know he is not suicidal/paranoid/psychotic? In fact, wouldn't you rather he got on with a nice book to read and sent his kit ahead, separately, by courier?

Some of this is quoted from my blog post: http://www.abnormaldistribution.org/2015/04/18/cybersecurity-vulnerabilities-in-commercial-aviation/