Re: [SystemSafety] GAO report on FAA cybersecurity vulnerabilities ... and an instance

From: Matthew Squair < >
Date: Mon, 20 Apr 2015 18:30:33 +1000


Likewise, but perhaps we should apply the 10th man principle...

Matthew Squair

MIEAust, CPEng
Mob: +61 488770655
Email; Mattsquair_at_xxxxxx
Web: http://criticaluncertainties.com

On 20 Apr 2015, at 6:15 pm, RICQUE Bertrand (SAGEM DEFENSE SECURITE) < bertrand.ricque_at_xxxxxx

I am rather skeptical. The avionics are on ARINC bus, and even if it is connected through a firewall to an IP network (why ?) I don't see it can be possible to enter an avionics box.

Bertrand Ricque
Program Manager
Optronics and Defence Division
Sights Program
Mob : +33 6 87 47 84 64
Tel : +33 1 58 11 96 82
Bertrand.ricque_at_xxxxxx

-----Original Message-----

From: systemsafety-bounces_at_xxxxxx mailto:systemsafety-bounces_at_xxxxxx <systemsafety-bounces_at_xxxxxx Bernard Ladkin
Sent: Saturday, April 18, 2015 10:25 AM
To: The System Safety List
Subject: [SystemSafety] GAO report on FAA cybersecurity vulnerabilities ... and an instance

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256

I sent the following to Peter Neumann's Risks Forum.

The US Government Accounting Office has published a report on the vulnerability of FAA equipment and avionics to cyberattack http://www.gao.gov/products/GAO-15-370 . It makes three main points. The third one is organisational; I am concerned here with the first two.

First, the FAA has not developed and apparently doesn't intend to develop a threat model for its ground-based systems. Unsurprisingly, the GAO thinks it might be a good idea to do so.

Many FAA ground-based systems are decades old and were installed in an era which didn't need to worry as much about cybersecurity. Many of them are dedicated systems, so some physical access would be required. But some are not. Does anyone remember the NY ATC outage a quarter century ago? http://catless.ncl.ac.uk/Risks/12.36.html#subj1.1 Failure of a commercial 4ESS switch took out ATC. I seem to remember (or was it another incident?) ATCOs coordinating by using their private mobile phones. A DoS attack on ATC communications nowadays could take out a commercial switch but would have to take out the cellular phone comms also. So there's the first entry for the threat model.

Second, the GAO queries the wisdom of critical avionics and passenger in-flight entertainment systems (IFE) sharing network resources. So did many of us when it was first mooted (for the Boeing 787, I seem to recall). Because, after all, the best start on assuring non-interference is physical separation of networks and good shielding. And indeed someone recently claimed on Fox News to be able to hack avionics through the IFE http://www.foxnews.com/us/2015/04/17/security-expert-pulled-off-flight-by-fbi-after-exposing-airline-tech/ He was apparently subsequently pulled from a flight out of Denver by the FBI, interviewed for a number of hours and relieved of some kit.

People may think: "shooting the messenger". But hang on. Roberts told Fox News (I quote from Fox) "We can still take planes out of the sky thanks to the flaws in the in-flight entertainment systems...."

Here is a guy who claims publicly to be able to "take planes out of the sky" getting on an airplane with computer equipment. It is surely the task of security services to ensure he is not a threat in any way. If you were a passenger on that airplane, wouldn't you like at least to know he is not suicidal/paranoid/psychotic? In fact, wouldn't you rather he got on with a nice book to read and sent his kit ahead, separately, by courier?

Some of this is quoted from my blog post http://www.abnormaldistribution.org/2015/04/18/cybersecurity-vulnerabilities-in-commercial-aviation/

PBL Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany Je suis Charlie Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de

-----BEGIN PGP SIGNATURE-----
iQEcBAEBCAAGBQJVMhT3AAoJEIZIHiXiz9k+bYwH/2sJj4zEewaZZ6RlVFFYFVfJ qc3foyTxemiGqd7IBSq87RbqkOS3lbJKZVugj1F7at6vV/xJSj191jn4Jg7Ay3dp ZVojHTP2Z5TBtCDgIf6lPY8beRnddayUI2ggQKoYjTm9J8JhHrD4JQf2zp8Kn/OF /vXkWBdJYuhneNQ2P3NGHU39oWm7/74tPpdeO0Bsl6LzqDUE/gdVOKivDojwSzdN oS+3tc0z9Z6RJ873W49N8bkcWyywCmfnNvW61V099mx5234YLfeap48tOLFrm/o0 mujnEc3OZ2WkuwRZLx446hhyVYOIIPs2/YvrtVEGR8ZRHJZgW5CJzzear1aMmrg= =MJQS
-----END PGP SIGNATURE-----



The System Safety Mailing List
systemsafety_at_xxxxxx #
" Ce courriel et les documents qui lui sont joints peuvent contenir des informations confidentielles, être soumis aux règlementations relatives au contrôle des exportations ou ayant un caractère privé. S'ils ne vous sont pas destinés, nous vous signalons qu'il est strictement interdit de les divulguer, de les reproduire ou d'en utiliser de quelque manière que ce soit le contenu. Toute exportation ou réexportation non autorisée est interdite Si ce message vous a été transmis par erreur, merci d'en informer l'expéditeur et de supprimer immédiatement de votre système informatique ce courriel ainsi que tous les documents qui y sont attachés."

" This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system." #

The System Safety Mailing List
systemsafety_at_xxxxxx


The System Safety Mailing List
systemsafety_at_xxxxxx Received on Mon Apr 20 2015 - 10:30:44 CEST

This archive was generated by hypermail 2.3.0 : Fri Feb 22 2019 - 14:17:06 CET