
FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack



 
 
  #31  
Old January 6th 08, 10:33 PM posted to rec.aviation.piloting
Bob Noel
external usenet poster
 
Posts: 1,374
Default FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

In article ,
Larry Dighera wrote:

On Sun, 06 Jan 2008 14:18:41 -0500, Bob Noel
wrote in
:

Apparently Boeing is not currently in compliance, hence the conflict
with FAA over certification of the Dreamliner.


What conflict?




http://www.wired.com/politics/securi...liner_security
Boeing's new 787 Dreamliner passenger jet may have a serious
security vulnerability in its onboard computer networks that could
allow passengers to access the plane's control systems, according
to the U.S. Federal Aviation Administration.


Larry, I don't see a conflict there between the FAA and Boeing.

--
Bob Noel
(goodness, please trim replies!!!)

  #33  
Old January 6th 08, 10:46 PM posted to rec.aviation.piloting
John T
external usenet poster
 
Posts: 194
Default FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

"Gerry Caron" wrote in message


From my experience working on the 787, I'd put this issue way down on
the list of challenges Boeing has to deal with.


Sounded like it from the release. But it's still fodder for anti-Boeing/787
or pro-Airbus folks to play with.

--
John T
http://sage1solutions.com/blogs/TknoFlyer
http://sage1solutions.com/products
NEW! FlyteBalance v2.0 (W&B); FlyteLog v2.0 (Logbook)
____________________


  #34  
Old January 6th 08, 10:54 PM posted to rec.aviation.piloting
Larry Dighera
external usenet poster
 
Posts: 3,953
Default FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

On Sun, 6 Jan 2008 17:21:27 -0500, "Gerry Caron"
wrote in
:

When an applicant submits for a TC, the FAA has to make a determination if
that design is compliant with the rules (14 CFR Part 25 for air transports).
Often, when the design has something new and novel, there just isn't a rule
to address the issues associated with the new design, so the FAA makes up a
new "rule" and calls it a "Special Condition". If they actually wanted to
make it a rule, it would have to go thru the whole rule making process.
(Technically 14 CFR 25.1309 pretty much covers anything you can propose, but
it is very general and subject to interpretation. So the Special Condition
is used to eliminate any ambiguities in the FAA's position.) Special
Conditions normally end up being incorporated into a new rule sometime later
during a general update to Part 25.

From my experience working on the 787, I'd put this issue way down on the
list of challenges Boeing has to deal with.



You mean like this:



--------------------------------------------------------------------------------

3 January 2008



--------------------------------------------------------------------------------

[Federal Register: January 2, 2008 (Volume 73, Number 1)]
[Rules and Regulations]
[Page 27-29]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr02ja08-5]


[[Page 27]]

-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Part 25

[Docket No. NM364 Special Conditions No. 25-356-SC]


Special Conditions: Boeing Model 787-8 Airplane; Systems and Data
Networks Security--Isolation or Protection From Unauthorized Passenger
Domain Systems Access

AGENCY: Federal Aviation Administration (FAA), DOT.

ACTION: Final special conditions.

-----------------------------------------------------------------------

SUMMARY: These special conditions are issued for the Boeing Model 787-8
airplane. This airplane will have novel or unusual design features when
compared to the state of technology envisioned in the airworthiness
standards for transport category airplanes. These novel or unusual
design features are associated with connectivity of the passenger
domain computer systems to the airplane critical systems and data
networks. For these design features, the applicable airworthiness
regulations do not contain adequate or appropriate safety standards for
protection and security of airplane systems and data networks against
unauthorized access. These special conditions contain the additional
safety standards that the Administrator considers necessary to
establish a level of safety equivalent to that established by the
existing standards. Additional special conditions will be issued for
other novel or unusual design features of the Boeing Model 787-8
airplanes.

DATES: Effective Date: February 1, 2008.

FOR FURTHER INFORMATION CONTACT: Will Struck, FAA, Airplane and Flight
Crew Interface, ANM-111, Transport Airplane Directorate, Aircraft
Certification Service, 1601 Lind Avenue SW., Renton, Washington 98057-
3356; telephone (425) 227-2764; facsimile (425) 227-1149.

SUPPLEMENTARY INFORMATION:

Background

On March 28, 2003, Boeing applied for an FAA type certificate for
its new Boeing Model 787-8 passenger airplane. The Boeing Model 787-8
airplane will be an all-new, two-engine jet transport airplane with a
two-aisle cabin. The maximum takeoff weight will be 476,000 pounds,
with a maximum passenger count of 381 passengers.

Type Certification Basis

Under provisions of 14 Code of Federal Regulations (CFR) 21.17,
Boeing must show that Boeing Model 787-8 airplanes (hereafter referred
to as ``the 787'') meet the applicable provisions of 14 CFR part 25, as
amended by Amendments 25-1 through 25-117, except Sec. Sec. 25.809(a)
and 25.812, which will remain at Amendment 25-115. If the Administrator
finds that the applicable airworthiness regulations do not contain
adequate or appropriate safety standards for the 787 because of a novel
or unusual design feature, special conditions are prescribed under
provisions of 14 CFR 21.16.
In addition to the applicable airworthiness regulations and special
conditions, the 787 must comply with the fuel vent and exhaust emission
requirements of 14 CFR part 34 and the noise certification requirements
of part 36. The FAA must also issue a finding of regulatory adequacy
pursuant to section 611 of Public Law 92-574, the ``Noise Control Act
of 1972.''
The FAA issues special conditions, as defined in Sec. 11.19, under
Sec. 11.38, and they become part of the type certification basis under
Sec. 21.17(a)(2).
Special conditions are initially applicable to the model for which
they are issued. Should the type certificate for that model be amended
later to include any other model that incorporates the same or similar
novel or unusual design feature, the special conditions would also
apply to the other model under Sec. 21.101.

Novel or Unusual Design Features

The digital systems architecture for the 787 consists of several
networks connected by electronics and embedded software. This proposed
network architecture is used for a diverse set of functions, including
the following:
1. Flight-safety-related control and navigation and required
systems (Aircraft Control Domain).
2. Airline business and administrative support (Airline Information
Domain).
3. Passenger entertainment, information, and Internet services
(Passenger Information and Entertainment Domain).
The proposed architecture of the 787 is different from that of
existing production (and retrofitted) airplanes. It allows new kinds of
passenger connectivity to previously isolated data networks connected
to systems that perform functions required for the safe operation of
the airplane. Because of this new passenger connectivity, the proposed
data network design and integration may result in security
vulnerabilities from intentional or unintentional corruption of data
and systems critical to the safety and maintenance of the airplane. The
existing regulations and guidance material did not anticipate this type
of system architecture or electronic access to aircraft systems that
provide flight critical functions. Furthermore, 14 CFR regulations and
current system safety assessment policy and techniques do not address
potential security vulnerabilities that could be caused by unauthorized
access to aircraft data buses and servers. Therefore, special
conditions are imposed to ensure that security, integrity, and
availability of the aircraft systems and data networks are not
compromised by certain wired or wireless electronic connections between
airplane data buses and networks.

Discussion of Comments

Notice of Proposed Special Conditions No. 25-07-01-SC for the 787
was published in the Federal Register on April 13, 2007 (72 FR 18597).
One comment was received from the Air Line Pilots Association,
International (ALPA) and several from Airbus.
ALPA Comment: ALPA strongly recommended that a backup
means must also be provided for the flightcrew to disable passengers'
ability to connect to these specific systems.
FAA Response: These special conditions apply to the design of
airplane systems and networks, and would not preclude a security
mitigation strategy that provides a means for the flightcrew to disable
passenger connectivity to the networks or to disable access to specific
systems connected to the airplane networks. However, the FAA would
prefer not to dictate specific design features to the applicant but
rather to allow applicants the flexibility to determine the appropriate
security protections and means to address all potential vulnerabilities
and risks posed by allowing this access. For example, the security
protection response to a suspected network security violation could
result in--
    The system automatically disabling passenger access to the
    network or certain functions,
    Flight deck annunciation and flightcrew disabling of
    passenger access to certain systems or capabilities, or
    Various combinations of the above.
AIRBUS General Comment 1: In Airbus's opinion these
special conditions leave too much room for interpretation, and related
guidance and acceptable means of compliance should be developed in an
advisory circular for use by future applicants.
FAA Response: We agree that guidance is necessary and specific,
detailed compliance guidelines and

[[Page 28]]

criteria have been developed for this aircraft certification program,
specific to this airplane's network architecture and design, providing
initial guidance on an acceptable means of compliance for the 787.
Additionally, the FAA intends to participate in an industry committee
chartered with developing acceptable means of compliance to address
aircraft network security issues, and hopes to endorse the results of
the work of that committee by issuing an advisory circular (AC). Until
such time as guidance is developed for a general means of compliance
for network security protection, these special conditions and the
agreed-to guidance are imposed on this specific network architecture
and design.
AIRBUS Comment (a): Airbus stated that the requirement in
the proposed special conditions is not ``high level'' enough because it
considers a solution or an architecture. Airbus believes that criteria
or assumptions for defining the domains are missing (for example,
systems criticality, interfaces, rationale for the need to protect one
domain from another one, trust levels * * *). The commenter maintained
that the Aircraft Control Domain (ACD), Airline Information Domain
(AID) and Passenger Information and Entertainment Domain (PIED) need to
be precisely defined.
FAA Response: We do not agree that the requirement in the proposed
special conditions prescribes a solution or an architecture. These
special conditions and the acceptable means of compliance were
developed based on the Boeing-proposed 787 network architecture and
connectivity between the Passenger Information and Entertainment Domain
and the Aircraft Control Domain and Airline Information Domain. The
applicant is responsible for the design of the airplane network and
systems architecture and for ensuring that potential security
vulnerabilities of providing passenger access to airplane networks and
systems are mitigated to an appropriate level of assurance, depending
on the potential risk to the airplane and occupant safety. This
responsibility is similar to that entailed in the current system safety
assessment process of 14 CFR 25.1309. (See also AC 25.1309-1A and the
ARAC-recommended Arsenal version of this AC, which can be found at
http://www.faa.gov/regulations_polic...TAE_SDA_T2.pdf, and SAE (Society
of Automotive Engineers) ARP (Aerospace Recommended Practice) 4754). We
believe the general definitions for the airplane network ``domains''
are sufficient for these special conditions.
AIRBUS Comment (b): Airbus stated that in the sentence
``The design shall prevent all inadvertent or malicious changes to, and
all adverse impacts * * *'', the wording ``shall prevent ALL'' can be
interpreted as a zero allowance. According to the commenter,
demonstration of compliance with such a requirement during the entire
life cycle of the aircraft is quite impossible because security threats
evolve very rapidly. The only possible solution to such a requirement
would be to physically segregate the Passenger Information and
Entertainment Domain from the other domains. This would mean, for
example, no shared resources like SATCOM (satellite communications),
and no network connections. Airbus maintained that such a solution is
not technically and operationally viable, saying that a minimum of
communications is always necessary. Airbus preferred a less categorical
requirement which allows more flexibility and does not prevent possible
residual vulnerabilities if they are assessed as acceptable from a
safety point of view. Airbus said this security assessment could be
based on a security risk analysis process during the design,
validation, and verification of the systems architecture that assesses
risks as either acceptable or requiring mitigations even through
operational procedures if necessary. Airbus noted that this process,
based on similarities with the SAE ARP 4754 safety process, is already
proposed by the European Organization for Civil Aviation Equipment
(EUROCAE) Working Group 72 for consideration of safety risks posed by
security threats or by the FAA through the document ``National Airspace
System Communication System Safety Hazard Analysis and Security Threat
Analysis,'' version v1.0, dated Feb. 21, 2006. Airbus said such a
security risk analysis process could be used as an acceptable means of
compliance addressed by an advisory circular.
FAA Response: We agree that Airbus's interpretation of zero
allowance for any ``inadvertent or malicious changes to, and all
adverse impacts'' to airplane systems, networks, hardware, software,
and data is correct. However, this does not prevent allowing
appropriate access if the design incorporates robust security
protection means and procedures to prevent inadvertent and intentional
actions that could adversely impact airplane systems, functionality,
and airworthiness. Airbus commented that ``a minimum of communications
is always necessary.'' Unauthorized users, however, must not be allowed
communication access to aircraft systems and equipment in such a way
that inadvertent or intentional actions can have any adverse impact on
the aircraft systems, equipment, and data. Technology exists which
allows sharing of resources without allowing unauthorized access and
inappropriate actions to systems and data. As previously mentioned,
detailed compliance guidelines and criteria, specific to the 787
network architecture, have been developed into an acceptable means of
compliance for this airplane certification program. In addition, we
intend to participate in future related industry committees (such as
SAE S-18, which is currently revising ARP 4754, EUROCAE Working Group
72, and RTCA (RTCA, Incorporated; formerly Radio Technical Commission
for Aeronautics) Special Committee 216). These groups will be
developing additional aircraft network security guidance, and we hope
to be able to endorse the results of their efforts as an acceptable
means of compliance for network security issues on future aircraft
certification programs.
AIRBUS Comment (c): Airbus said that this requirement is
limited to the design (``The design shall prevent all inadvertent or
malicious changes * * * ''), but security solutions are always
dependent on organizational procedures. Airbus said that because the
efficiency of a security solution relies on the weakest link in the
overall chain (design, operations, organizations, processes, * * *),
the robustness of the design may be impaired (by, for instance, cabin
crew interfaces being used by unauthorized passengers) if equivalent
security requirements are not mandated for other involved parties, as,
for example, through an operational or maintenance approval.
FAA Response: The applicant is responsible for developing a design
compliant with these special conditions and other applicable
regulations. The design may include specific technology and
architecture features, as well as operator requirements, operational
procedures and security measures, and maintenance procedures and
requirements, to ensure an appropriate implementation that can be
properly used and maintained to ensure safe operations and continued
operational safety. These special conditions do not preclude
organizational, process, operational, monitoring, or maintenance
procedures and requirements from being part of the design to ensure
security protection. As with other aircraft models, the operator is
obligated to

[[Page 29]]

operate and maintain the aircraft in conformance with regulations and
with requirements for operation and maintenance of the product.
AIRBUS Comment (d): Airbus noted that the special
conditions consider only interference between the Passenger Information
and Entertainment Domain (PIED) and the Airline Information Domain or
Aircraft Control Domain. It notes there is no requirement for
protecting the Aircraft Control Domain from the Airline Information
Domain, if this one is considered less trusted than the Aircraft
Control Domain. As an example, it said that the Airline Information
Domain could implement portable electronic flight bags.
FAA Response: These special conditions address only the interfaces
between the passenger domain (PIED) and other aircraft systems and
networks. Other interfaces and accesses are addressed by current
regulations and policy, and by another proposed special conditions.
AIRBUS Comment (e): Airbus said that, depending on the
meaning of ``unauthorized external access,'' these special conditions
may be redundant to proposed special conditions 25-07-02-SC (see
comment ``b'' about 25-07-02-SC).
FAA Response: These special conditions are not redundant. The
passenger PIED and its security implementation are part of the airplane
model and type design, and are not considered ``external'' to the
aircraft. In reviewing the Boeing-proposed 787 network architecture and
design during development of these special conditions, we determined
the need for two separate special conditions. To ensure appropriate
security protection of the aircraft and its systems, one special
condition was needed for access from the passenger domain, and one for
access from sources external to the airplane.
AIRBUS proposed text revision: Airbus proposed the
following revised wording for these special conditions.

The applicant shall ensure that security threats from all points
within the Passenger Information and Entertainment Domain, are
identified and risk mitigation strategies are implemented to protect
the Aircraft Control Domain and Airline Information Services Domain
from adverse impacts reducing the aircraft safety.

FAA Response: As noted previously, the purpose of these special
conditions is to ensure security protection from all inadvertent or
malicious changes to, and all adverse impacts to, airplane systems,
networks, hardware, software, and data from accesses through the
passenger domain. We do not believe the commenter's proposal is
specific enough to achieve this purpose, and we will retain the current
wording.

Applicability

As discussed above, these special conditions are applicable to the
787. Should Boeing apply at a later date for a change to the type
certificate to include another model on the same type certificate
incorporating the same novel or unusual design features, these special
conditions would apply to that model as well.

Conclusion

This action affects only certain novel or unusual design features
of the 787. It is not a rule of general applicability.

List of Subjects in 14 CFR Part 25

Aircraft, Aviation safety, Reporting and recordkeeping
requirements.

The authority citation for these special conditions is as follows:

Authority: 49 U.S.C. 106(g), 40113, 44701, 44702, 44704.

The Special Conditions

Accordingly, pursuant to the authority delegated to me by the
Administrator, the following special conditions are issued as part of
the type certification basis for the Boeing Model 787-8 airplane.

The design shall prevent all inadvertent or malicious changes
to, and all adverse impacts upon, all systems, networks, hardware,
software, and data in the Aircraft Control Domain and in the Airline
Information Domain from all points within the Passenger Information
and Entertainment Domain.

Issued in Renton, Washington, on December 21, 2007.
Ali Bahrami,
Manager, Transport Airplane Directorate, Aircraft Certification
Service.
[FR Doc. E7-25467 Filed 12-31-07; 8:45 am]

BILLING CODE 4910-13-P

  #35  
Old January 6th 08, 10:57 PM posted to rec.aviation.piloting
Larry Dighera
external usenet poster
 
Posts: 3,953
Default FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

On Sun, 06 Jan 2008 17:33:59 -0500, Bob Noel
wrote in
:

In article ,
Larry Dighera wrote:

On Sun, 06 Jan 2008 14:18:41 -0500, Bob Noel
wrote in
:

Apparently Boeing is not currently in compliance, hence the conflict
with FAA over certification of the Dreamliner.

What conflict?




http://www.wired.com/politics/securi...liner_security
Boeing's new 787 Dreamliner passenger jet may have a serious
security vulnerability in its onboard computer networks that could
allow passengers to access the plane's control systems, according
to the U.S. Federal Aviation Administration.


Larry, I don't see a conflict there between the FAA and Boeing.


If the FAA is pointing out a potential vulnerability in Boeing's
design, what would you call it?

  #36  
Old January 6th 08, 11:12 PM posted to rec.aviation.piloting
Bertie the Bunyip[_19_]
external usenet poster
 
Posts: 3,851
Default FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

Larry Dighera wrote in
:

On Sun, 06 Jan 2008 17:33:59 -0500, Bob Noel
wrote in
:

In article ,
Larry Dighera wrote:

On Sun, 06 Jan 2008 14:18:41 -0500, Bob Noel
wrote in
:

Apparently Boeing is not currently in compliance, hence the conflict
with FAA over certification of the Dreamliner.

What conflict?




http://www.wired.com/politics/securi...liner_security
Boeing's new 787 Dreamliner passenger jet may have a serious
security vulnerability in its onboard computer networks that could
allow passengers to access the plane's control systems, according
to the U.S. Federal Aviation Administration.


Larry, I don't see a conflict there between the FAA and Boeing.


If the FAA is pointing out a potential vulnerability in Boeing's
design, what would you call it?



Constructive criticism.
But of course, I have a brain, so that's just me.



Bertie
  #38  
Old January 6th 08, 11:14 PM posted to rec.aviation.piloting
Bertie the Bunyip[_19_]
external usenet poster
 
Posts: 3,851
Default FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

Larry Dighera wrote in
news
On Sun, 6 Jan 2008 17:21:27 -0500, "Gerry Caron"
wrote in
:

When an applicant submits for a TC, the FAA has to make a
determination if that design is compliant with the rules (14 CFR Part
25 for air transports). Often, when the design has something new and
novel, there just isn't a rule to address the issues associated with
the new design, so the FAA makes up a new "rule" and calls it a
"Special Condition". If they actually wanted to make it a rule, it
would have to go thru the whole rule making process. (Technically 14
CFR 25.1309 pretty much covers anything you can propose, but it is
very general and subject to interpretation. So the Special Condition
is used to eliminate any ambiguities in the FAA's position.) Special
Conditions normally end up being incorporated into a new rule sometime
later during a general update to Part 25.

From my experience working on the 787, I'd put this issue way down on
the list of challenges Boeing has to deal with.



You mean like this:



----------------------------------------------------------------------

-
---------

3 January 2008



----------------------------------------------------------------------

-
---------

[Federal Register: January 2, 2008 (Volume 73, Number 1)]
[Rules and Regulations]
[Page 27-29]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr02ja08-5]


[[Page 27]]

----------------------------------------------------------------------

-

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Part 25

[Docket No. NM364 Special Conditions No. 25-356-SC]


Special Conditions: Boeing Model 787-8 Airplane; Systems and Data
Networks Security--Isolation or Protection From Unauthorized Passenger
Domain Systems Access

AGENCY: Federal Aviation Administration (FAA), DOT.

ACTION: Final special conditions.

----------------------------------------------------------------------

-

SUMMARY: These special conditions are issued for the Boeing Model
787-8
airplane. This airplane will have novel or unusual design features
when
compared to the state of technology envisioned in the airworthiness
standards for transport category airplanes. These novel or unusual
design features are associated with connectivity of the passenger
domain computer systems to the airplane critical systems and data
networks. For these design features, the applicable airworthiness
regulations do not contain adequate or appropriate safety standards
for
protection and security of airplane systems and data networks against
unauthorized access. These special conditions contain the additional
safety standards that the Administrator considers necessary to
establish a level of safety equivalent to that established by the
existing standards. Additional special conditions will be issued for
other novel or unusual design features of the Boeing Model 787-8
airplanes.

DATES: Effective Date: February 1, 2008.

FOR FURTHER INFORMATION CONTACT: Will Struck, FAA, Airplane and Flight
Crew Interface, ANM-111, Transport Airplane Directorate, Aircraft
Certification Service, 1601 Lind Avenue SW., Renton, Washington 98057-
3356; telephone (425) 227-2764; facsimile (425) 227-1149.

SUPPLEMENTARY INFORMATION:

Background

On March 28, 2003, Boeing applied for an FAA type certificate for
its new Boeing Model 787-8 passenger airplane. The Boeing Model 787-8
airplane will be an all-new, two-engine jet transport airplane with a
two-aisle cabin. The maximum takeoff weight will be 476,000 pounds,
with a maximum passenger count of 381 passengers.

Type Certification Basis

Under provisions of 14 Code of Federal Regulations (CFR) 21.17,
Boeing must show that Boeing Model 787-8 airplanes (hereafter referred
to as ``the 787'') meet the applicable provisions of 14 CFR part 25,
as
amended by Amendments 25-1 through 25-117, except Sec. Sec. 25.809(a)
and 25.812, which will remain at Amendment 25-115. If the
Administrator
finds that the applicable airworthiness regulations do not contain
adequate or appropriate safety standards for the 787 because of a
novel
or unusual design feature, special conditions are prescribed under
provisions of 14 CFR 21.16.
In addition to the applicable airworthiness regulations and
special
conditions, the 787 must comply with the fuel vent and exhaust
emission
requirements of 14 CFR part 34 and the noise certification
requirements
of part 36. The FAA must also issue a finding of regulatory adequacy
pursuant to section 611 of Public Law 92-574, the ``Noise Control Act
of 1972.''
The FAA issues special conditions, as defined in Sec. 11.19,
under
Sec. 11.38, and they become part of the type certification basis
under
Sec. 21.17(a)(2).
Special conditions are initially applicable to the model for which
they are issued. Should the type certificate for that model be amended
later to include any other model that incorporates the same or similar
novel or unusual design feature, the special conditions would also
apply to the other model under Sec. 21.101.

Novel or Unusual Design Features

The digital systems architecture for the 787 consists of several
networks connected by electronics and embedded software. This proposed
network architecture is used for a diverse set of functions, including
the following:
1. Flight-safety-related control and navigation and required
systems (Aircraft Control Domain).
2. Airline business and administrative support (Airline
Information
Domain).
3. Passenger entertainment, information, and Internet services
(Passenger Information and Entertainment Domain).
The proposed architecture of the 787 is different from that of
existing production (and retrofitted) airplanes. It allows new kinds
of
passenger connectivity to previously isolated data networks connected
to systems that perform functions required for the safe operation of
the airplane. Because of this new passenger connectivity, the proposed
data network design and integration may result in security
vulnerabilities from intentional or unintentional corruption of data
and systems critical to the safety and maintenance of the airplane.
The
existing regulations and guidance material did not anticipate this
type
of system architecture or electronic access to aircraft systems that
provide flight critical functions. Furthermore, 14 CFR regulations and
current system safety assessment policy and techniques do not address
potential security vulnerabilities that could be caused by
unauthorized
access to aircraft data buses and servers. Therefore, special
conditions are imposed to ensure that security, integrity, and
availability of the aircraft systems and data networks are not
compromised by certain wired or wireless electronic connections
between
airplane data buses and networks.

Discussion of Comments

Notice of Proposed Special Conditions No. 25-07-01-SC for the 787
was published in the Federal Register on April 13, 2007 (72 FR 18597).
One comment was received from the Air Line Pilots Association,
International (ALPA) and several from Airbus.
ALPA Comment: ALPA strongly recommended that a backup
means must also be provided for the flightcrew to disable passengers'
ability to connect to these specific systems.
FAA Response: These special conditions apply to the design of
airplane systems and networks, and would not preclude a security
mitigation strategy that provides a means for the flightcrew to disable
passenger connectivity to the networks or to disable access to specific
systems connected to the airplane networks. However, the FAA would
prefer not to dictate specific design features to the applicant but
rather to allow applicants the flexibility to determine the appropriate
security protections and means to address all potential vulnerabilities
and risks posed by allowing this access. For example, the security
protection response to a suspected network security violation could
result in--
  - The system automatically disabling passenger access to the
    network or certain functions,
  - Flight deck annunciation and flightcrew disabling of
    passenger access to certain systems or capabilities, or
  - Various combinations of the above.
AIRBUS General Comment 1: In Airbus's opinion these
special conditions leave too much room for interpretation, and related
guidance and acceptable means of compliance should be developed in an
advisory circular for use by future applicants.
FAA Response: We agree that guidance is necessary and specific,
detailed compliance guidelines and
criteria have been developed for this aircraft certification program,
specific to this airplane's network architecture and design, providing
initial guidance on an acceptable means of compliance for the 787.
Additionally, the FAA intends to participate in an industry committee
chartered with developing acceptable means of compliance to address
aircraft network security issues, and hopes to endorse the results of
the work of that committee by issuing an advisory circular (AC). Until
such time as guidance is developed for a general means of compliance
for network security protection, these special conditions and the
agreed-to guidance are imposed on this specific network architecture
and design.
AIRBUS Comment (a): Airbus stated that the requirement in
the proposed special conditions is not ``high level'' enough because it
considers a solution or an architecture. Airbus believes that criteria
or assumptions for defining the domains are missing (for example,
systems criticality, interfaces, rationale for the need to protect one
domain from another one, trust levels * * *). The commenter maintained
that the Aircraft Control Domain (ACD), Airline Information Domain
(AID) and Passenger Information and Entertainment Domain (PIED) need to
be precisely defined.
FAA Response: We do not agree that the requirement in the proposed
special conditions prescribes a solution or an architecture. These
special conditions and the acceptable means of compliance were
developed based on the Boeing-proposed 787 network architecture and
connectivity between the Passenger Information and Entertainment Domain
and the Aircraft Control Domain and Airline Information Domain. The
applicant is responsible for the design of the airplane network and
systems architecture and for ensuring that potential security
vulnerabilities of providing passenger access to airplane networks and
systems are mitigated to an appropriate level of assurance, depending
on the potential risk to the airplane and occupant safety. This
responsibility is similar to that entailed in the current system safety
assessment process of 14 CFR 25.1309. (See also AC 25.1309-1A and the
ARAC-recommended Arsenal version of this AC, which can be found at
http://www.faa.gov/regulations_polic...ttees/arac/media/tae/TAE_SDA_T2.pdf,
and SAE (Society of Automotive Engineers) ARP (Aerospace Recommended
Practice) 4754). We believe the general definitions for the airplane
network ``domains'' are sufficient for these special conditions.
AIRBUS Comment (b): Airbus stated that in the sentence
``The design shall prevent all inadvertent or malicious changes to, and
all adverse impacts * * *'', the wording ``shall prevent ALL'' can be
interpreted as a zero allowance. According to the commenter,
demonstration of compliance with such a requirement during the entire
life cycle of the aircraft is quite impossible because security threats
evolve very rapidly. The only possible solution to such a requirement
would be to physically segregate the Passenger Information and
Entertainment Domain from the other domains. This would mean, for
example, no shared resources like SATCOM (satellite communications),
and no network connections. Airbus maintained that such a solution is
not technically and operationally viable, saying that a minimum of
communications is always necessary. Airbus preferred a less categorical
requirement which allows more flexibility and does not prevent possible
residual vulnerabilities if they are assessed as acceptable from a
safety point of view. Airbus said this security assessment could be
based on a security risk analysis process during the design,
validation, and verification of the systems architecture that assesses
risks as either acceptable or requiring mitigations even through
operational procedures if necessary. Airbus noted that this process,
based on similarities with the SAE ARP 4754 safety process, is already
proposed by the European Organization for Civil Aviation Equipment
(EUROCAE) Working Group 72 for consideration of safety risks posed by
security threats or by the FAA through the document ``National Airspace
System Communication System Safety Hazard Analysis and Security Threat
Analysis,'' version v1.0, dated Feb. 21, 2006. Airbus said such a
security risk analysis process could be used as an acceptable means of
compliance addressed by an advisory circular.
FAA Response: We agree that Airbus's interpretation of zero
allowance for any ``inadvertent or malicious changes to, and all
adverse impacts'' to airplane systems, networks, hardware, software,
and data is correct. However, this does not prevent allowing
appropriate access if the design incorporates robust security
protection means and procedures to prevent inadvertent and intentional
actions that could adversely impact airplane systems, functionality,
and airworthiness. Airbus commented that ``a minimum of communications
is always necessary.'' Unauthorized users, however, must not be allowed
communication access to aircraft systems and equipment in such a way
that inadvertent or intentional actions can have any adverse impact on
the aircraft systems, equipment, and data. Technology exists which
allows sharing of resources without allowing unauthorized access and
inappropriate actions to systems and data. As previously mentioned,
detailed compliance guidelines and criteria, specific to the 787
network architecture, have been developed into an acceptable means of
compliance for this airplane certification program. In addition, we
intend to participate in future related industry committees (such as
SAE S-18, which is currently revising ARP 4754, EUROCAE Working Group
72, and RTCA (RTCA, Incorporated; formerly Radio Technical Commission
for Aeronautics) Special Committee 216). These groups will be
developing additional aircraft network security guidance, and we hope
to be able to endorse the results of their efforts as an acceptable
means of compliance for network security issues on future aircraft
certification programs.
AIRBUS Comment (c): Airbus said that this requirement is
limited to the design (``The design shall prevent all inadvertent or
malicious changes * * * ''), but security solutions are always
dependent on organizational procedures. Airbus said that because the
efficiency of a security solution relies on the weakest link in the
overall chain (design, operations, organizations, processes, * * *),
the robustness of the design may be impaired (by, for instance, cabin
crew interfaces being used by unauthorized passengers) if equivalent
security requirements are not mandated for other involved parties, as,
for example, through an operational or maintenance approval.
FAA Response: The applicant is responsible for developing a design
compliant with these special conditions and other applicable
regulations. The design may include specific technology and
architecture features, as well as operator requirements, operational
procedures and security measures, and maintenance procedures and
requirements, to ensure an appropriate implementation that can be
properly used and maintained to ensure safe operations and continued
operational safety. These special conditions do not preclude
organizational, process, operational, monitoring, or maintenance
procedures and requirements from being part of the design to ensure
security protection. As with other aircraft models, the operator is
obligated to operate and maintain the aircraft in conformance with
regulations and with requirements for operation and maintenance of the
product.
AIRBUS Comment (d): Airbus noted that the special
conditions consider only interference between the Passenger Information
and Entertainment Domain (PIED) and the Airline Information Domain or
Aircraft Control Domain. It notes there is no requirement for
protecting the Aircraft Control Domain from the Airline Information
Domain, if this one is considered less trusted than the Aircraft
Control Domain. As an example, it said that the Airline Information
Domain could implement portable electronic flight bags.
FAA Response: These special conditions address only the interfaces
between the passenger domain (PIED) and other aircraft systems and
networks. Other interfaces and accesses are addressed by current
regulations and policy, and by another proposed special conditions.
AIRBUS Comment (e): Airbus said that, depending on the
meaning of ``unauthorized external access,'' these special conditions
may be redundant to proposed special conditions 25-07-02-SC (see
comment ``b'' about 25-07-02-SC).
FAA Response: These special conditions are not redundant. The
passenger PIED and its security implementation are part of the airplane
model and type design, and are not considered ``external'' to the
aircraft. In reviewing the Boeing-proposed 787 network architecture and
design during development of these special conditions, we determined
the need for two separate special conditions. To ensure appropriate
security protection of the aircraft and its systems, one special
condition was needed for access from the passenger domain, and one for
access from sources external to the airplane.
AIRBUS proposed text revision: Airbus proposed the
following revised wording for these special conditions.

The applicant shall ensure that security threats from all points
within the Passenger Information and Entertainment Domain, are
identified and risk mitigation strategies are implemented to protect
the Aircraft Control Domain and Airline Information Services Domain
from adverse impacts reducing the aircraft safety.

FAA Response: As noted previously, the purpose of these special
conditions is to ensure security protection from all inadvertent or
malicious changes to, and all adverse impacts to, airplane systems,
networks, hardware, software, and data from accesses through the
passenger domain. We do not believe the commenter's proposal is
specific enough to achieve this purpose, and we will retain the current
wording.

Applicability

As discussed above, these special conditions are applicable to the
787. Should Boeing apply at a later date for a change to the type
certificate to include another model on the same type certificate
incorporating the same novel or unusual design features, these special
conditions would apply to that model as well.

Conclusion

This action affects only certain novel or unusual design features
of the 787. It is not a rule of general applicability.

List of Subjects in 14 CFR Part 25

Aircraft, Aviation safety, Reporting and recordkeeping
requirements.

The authority citation for these special conditions is as follows:

Authority: 49 U.S.C. 106(g), 40113, 44701, 44702, 44704.

The Special Conditions

Accordingly, pursuant to the authority delegated to me by the
Administrator, the following special conditions are issued as part of
the type certification basis for the Boeing Model 787-8 airplane.

The design shall prevent all inadvertent or malicious changes
to, and all adverse impacts upon, all systems, networks, hardware,
software, and data in the Aircraft Control Domain and in the Airline
Information Domain from all points within the Passenger Information
and Entertainment Domain.

Issued in Renton, Washington, on December 21, 2007.
Ali Bahrami,
Manager, Transport Airplane Directorate, Aircraft Certification
Service.
[FR Doc. E7-25467 Filed 12-31-07; 8:45 am]

BILLING CODE 4910-13-P



Wow, you're not a netkkop.

You're worse. You're a netlawyer.


Bertie

  #39  
Old January 6th 08, 11:22 PM posted to rec.aviation.piloting
george
external usenet poster
 
Posts: 803
Default Boeing's New 787 May Be Vulnerable to Hacker Attack

On Jan 7, 2:26 am, Mxsmanic wrote:
george writes:
Surprise for you.
Aircraft have had computer systems for quite a while now.


But they haven't been accessible to passengers up to now. With everything on
the same network, anyone could hack into the control network from the
passenger network. That's what is alarming in this case. It would have been
much easier and safer to just install two physically independent networks.


To 'hack' into a system you have to have an input device like a
keyboard.
A touch screen that allows you to select a film channel, audio channel
or Air phone is scarcely going to go any further than that !
I built networks.
In one building the server ran an Office network, a Student network
and our Tech network.
We could see everything on the other networks.
The students could only see their own network.
The Office staff could only see their own network.

It would appear that your knowledge of computers and IT is right up
there with your knowledge of aviation !
  #40  
Old January 7th 08, 12:35 AM posted to rec.aviation.piloting
[email protected]
external usenet poster
 
Posts: 2,892
Default Boeing's New 787 May Be Vulnerable to Hacker Attack

george wrote:
On Jan 7, 2:26 am, Mxsmanic wrote:
george writes:
Surprise for you.
Aircraft have had computer systems for quite a while now.


But they haven't been accessible to passengers up to now. With everything on
the same network, anyone could hack into the control network from the
passenger network. That's what is alarming in this case. It would have been
much easier and safer to just install two physically independent networks.


To 'hack' into a system you have to have an input device like a
keyboard.
A touch screen that allows you to select a film channel, audio channel
or Air phone is scarcely going to go any further than that !


Maybe.

My bank's ATMs have touch screens.

One day recently I walked up to them and one clearly had a Microsoft
BSOD.

I didn't try to hack in, but someone might.

Whether or not they are successful depends on how well the system
was designed.

I built networks.
In one building the server ran an Office network, a Student network
and our Tech network.
We could see everything on the other networks.
The students could only see their own network.
The Office staff could only see their own network.


Yes, such is quite common in the real world.

It would appear that your knowledge of computers and IT is right up
there with your knowledge of aviation !


Is that surprising?


--
Jim Pennino

Remove .spam.sux to reply.
 



