[SystemSafety] GAO report on FAA cybersecurity vulnerabilities ... and an instance

Matthew Squair mattsquair at gmail.com
Mon Apr 20 10:30:33 CEST 2015


Likewise, but perhaps we should apply the 10th man principle...

Matthew Squair

MIEAust, CPEng
Mob: +61 488770655
Email; Mattsquair at gmail.com
Web: http://criticaluncertainties.com

On 20 Apr 2015, at 6:15 pm, RICQUE Bertrand (SAGEM DEFENSE SECURITE) <
bertrand.ricque at sagem.com> wrote:

I am rather skeptical. The avionics are on ARINC bus, and even if it is
connected through a firewall to an IP network (why ?) I don't see it can be
possible to enter an avionics box.

Bertrand Ricque
Program Manager
Optronics and Defence Division
Sights Program
Mob : +33 6 87 47 84 64
Tel : +33 1 58 11 96 82
Bertrand.ricque at sagem.com

-----Original Message-----
From: systemsafety-bounces at lists.techfak.uni-bielefeld.de [
mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de
<systemsafety-bounces at lists.techfak.uni-bielefeld.de>] On Behalf Of Peter
Bernard Ladkin
Sent: Saturday, April 18, 2015 10:25 AM
To: The System Safety List
Subject: [SystemSafety] GAO report on FAA cybersecurity vulnerabilities ...
and an instance

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I sent the following to Peter Neumann's Risks Forum.

The US Government Accounting Office has published a report on the
vulnerability of FAA equipment and avionics to cyberattack
http://www.gao.gov/products/GAO-15-370 . It makes three main points.
The third one is organisational; I am concerned here with the first two.

First, the FAA has not developed and apparently doesn't intend to develop a
threat model for its ground-based systems. Unsurprisingly, the GAO thinks
it might be a good idea to do so.

Many FAA ground-based systems are decades old and were installed in an era
which didn't need to worry as much about cybersecurity. Many of them are
dedicated systems, so some physical access would be required. But some are
not. Does anyone remember the NY ATC outage a quarter century ago?
http://catless.ncl.ac.uk/Risks/12.36.html#subj1.1 Failure of a commercial
4ESS switch took out ATC. I seem to remember (or was it another incident?)
ATCOs coordinating by using their private mobile phones. A DoS attack on
ATC communications nowadays could take out a commercial switch but would
have to take out the cellular phone comms also. So there's the first entry
for the threat model.

Second, the GAO queries the wisdom of critical avionics and passenger
in-flight entertainment systems (IFE) sharing network resources. So did
many of us when it was first mooted (for the Boeing 787, I seem to recall).
Because, after all, the best start on assuring non-interference is physical
separation of networks and good shielding. And indeed someone recently
claimed on Fox News to be able to hack avionics through the IFE
http://www.foxnews.com/us/2015/04/17/security-expert-pulled-off-flight-by-fbi-after-exposing-airline-tech/
He was apparently subsequently pulled from a flight out of Denver by the
FBI, interviewed for a number of hours and relieved of some kit.

People may think: "shooting the messenger". But hang on. Roberts told Fox
News (I quote from Fox) "We can still take planes out of the sky thanks to
the flaws in the in-flight entertainment systems...."

Here is a guy who claims publicly to be able to "take planes out of the
sky" getting on an airplane with computer equipment. It is surely the task
of security services to ensure he is not a threat in any way. If you were a
passenger on that airplane, wouldn't you like at least to know he is not
suicidal/paranoid/psychotic? In fact, wouldn't you rather he got on with a
nice book to read and sent his kit ahead, separately, by courier?

Some of this is quoted from my blog post
http://www.abnormaldistribution.org/2015/04/18/cybersecurity-vulnerabilities-in-commercial-aviation/

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld,
33594 Bielefeld, Germany Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de




-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJVMhT3AAoJEIZIHiXiz9k+bYwH/2sJj4zEewaZZ6RlVFFYFVfJ
qc3foyTxemiGqd7IBSq87RbqkOS3lbJKZVugj1F7at6vV/xJSj191jn4Jg7Ay3dp
ZVojHTP2Z5TBtCDgIf6lPY8beRnddayUI2ggQKoYjTm9J8JhHrD4JQf2zp8Kn/OF
/vXkWBdJYuhneNQ2P3NGHU39oWm7/74tPpdeO0Bsl6LzqDUE/gdVOKivDojwSzdN
oS+3tc0z9Z6RJ873W49N8bkcWyywCmfnNvW61V099mx5234YLfeap48tOLFrm/o0
mujnEc3OZ2WkuwRZLx446hhyVYOIIPs2/YvrtVEGR8ZRHJZgW5CJzzear1aMmrg=
=MJQS
-----END PGP SIGNATURE-----
_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE
#
" Ce courriel et les documents qui lui sont joints peuvent contenir des
informations confidentielles, être soumis aux règlementations relatives au
contrôle des exportations ou ayant un caractère privé. S'ils ne vous sont
pas destinés, nous vous signalons qu'il est strictement interdit de les
divulguer, de les reproduire ou d'en utiliser de quelque manière que ce
soit le contenu. Toute exportation ou réexportation non autorisée est
interdite Si ce message vous a été transmis par erreur, merci d'en informer
l'expéditeur et de supprimer immédiatement de votre système informatique ce
courriel ainsi que tous les documents qui y sont attachés."
******
" This e-mail and any attached documents may contain confidential or
proprietary information and may be subject to export control laws and
regulations. If you are not the intended recipient, you are notified that
any dissemination, copying of this e-mail and any attachments thereto or
use of their contents by any means whatsoever is strictly prohibited.
Unauthorized export or re-export is prohibited. If you have received this
e-mail in error, please advise the sender immediately and delete this
e-mail and all attached documents from your computer system."
#

_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20150420/f73c5be4/attachment.html>


More information about the systemsafety mailing list