[SystemSafety] GAO report on FAA cybersecurity vulnerabilities ... and an instance

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Sat Apr 18 10:25:27 CEST 2015


I sent the following to Peter Neumann's Risks Forum.

The US Government Accounting Office has published a report on the vulnerability of FAA equipment
and avionics to cyberattack http://www.gao.gov/products/GAO-15-370 . It makes three main points.
The third one is organisational; I am concerned here with the first two.

First, the FAA has not developed and apparently doesn't intend to develop a threat model for its
ground-based systems. Unsurprisingly, the GAO thinks it might be a good idea to do so.

Many FAA ground-based systems are decades old and were installed in an era which didn't need to
worry as much about cybersecurity. Many of them are dedicated systems, so some physical access
would be required. But some are not. Does anyone remember the NY ATC outage a quarter century ago?
http://catless.ncl.ac.uk/Risks/12.36.html#subj1.1 Failure of a commercial 4ESS switch took out
ATC. I seem to remember (or was it another incident?) ATCOs coordinating by using their private
mobile phones. A DoS attack on ATC communications nowadays could take out a commercial switch but
would have to take out the cellular phone comms also. So there's the first entry for the threat model.

Second, the GAO queries the wisdom of critical avionics and passenger in-flight entertainment
systems (IFE) sharing network resources. So did many of us when it was first mooted (for the
Boeing 787, I seem to recall). Because, after all, the best start on assuring non-interference is
physical separation of networks and good shielding. And indeed someone recently claimed on Fox
News to be able to hack avionics through the IFE
http://www.foxnews.com/us/2015/04/17/security-expert-pulled-off-flight-by-fbi-after-exposing-airline-tech/
He was apparently subsequently pulled from a flight out of Denver by the FBI, interviewed for a
number of hours and relieved of some kit.

People may think: "shooting the messenger". But hang on. Roberts told Fox News (I quote from Fox)
"We can still take planes out of the sky thanks to the flaws in the in-flight entertainment
systems...."

Here is a guy who claims publicly to be able to "take planes out of the sky" getting on an
airplane with computer equipment. It is surely the task of security services to ensure he is not a
threat in any way. If you were a passenger on that airplane, wouldn't you like at least to know he
is not suicidal/paranoid/psychotic? In fact, wouldn't you rather he got on with a nice book to
read and sent his kit ahead, separately, by courier?

Some of this is quoted from my blog post
http://www.abnormaldistribution.org/2015/04/18/cybersecurity-vulnerabilities-in-commercial-aviation/

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
