Information Security News: FAA Responds to Boeing Security Story

FAA Responds to Boeing Security Story

From: InfoSec News <alerts_at_infosecnews.org>
Date: Fri, 11 Jan 2008 02:40:24 -0600 (CST)

http://blog.wired.com/27bstroke6/2008/01/faa-responds-to.html

By Kim Zetter
Wired.com
January 09, 2008

Following up on a story that Wired News published last week about a
possible security vulnerability in the design of Boeing's new 787
Dreamliner jet, I received an e-mail from the Federal Aviation
Administration responding to some of the questions I asked the agency
last week before the story was published. At the time, a spokesman had
told me he wouldn't be able to respond to me until this week.

The story was about a special condition that the FAA had published in
the Federal Register regarding a novel design in the Boeing 787 that,
for the first time, connects a passenger internet network with networks
that control the plane's navigation and maintenance systems. The special
condition disclosed that such a design could put critical data at risk
and stated that Boeing would have to demonstrate that proper safeguards
were in place to prevent this from occurring.

FAA spokesman Allen Kenitzer wrote me in an e-mail yesterday that the
fact that the FAA issued a special condition about this does not mean
that the Boeing design is vulnerable, just that it has the potential to
be vulnerable unless implemented properly, and that Boeing will be
required to demonstrate that the system is not vulnerable before the FAA
will certify the plane for use. [Update: I added the emphasis on the
word is here; it's not in Kenitzer's e-mail. I added it to make sure
readers read the sentence correctly.]

"Stated another way, the special conditions help ensure the design will
not be vulnerable," he wrote.

He added that such special conditions are not unusual and that the FAA
had issued ten special conditions on the 787 alone (a Boeing spokeswoman
had told me last week that the FAA issued eight special conditions on
the 787 design).

"Special conditions are routinely developed and published in the normal
certification program process whenever the FAA determines the current
aviation regulations are inadequate to address a potential safety
concern," he wrote, adding that, "the applicant is introducing new
technology and proposing more connectivity between passenger / cabin
services and other airplane networks and systems than on past airplane
models in which aircraft networks and systems were more isolated (no or
very limited connectivity between these networked systems). The current
regulations and guidance do not adequately address the security aspects
of this additional connectivity."

I had asked him a question about what exactly the FAA meant in its
special condition when it wrote that the passenger, navigation and
maintenance networks on the 787 were "connected," since I wanted to make
sure that I hadn't misinterpreted what the FAA was describing. He wrote:

"In the context of the special conditions, the FAA used the concept of
'connection' between the passenger, airline, and airplane domains very
broadly. Earlier technology typically had physical and electrical
isolation between these systems. These special conditions came about
because the new designs do not necessarily provide complete physical and
electrical isolation. As a generic example, a 'connection' in this
context could be something such as time sharing a satellite receiver for
data transmission. Not all types of 'connections' present the same
vulnerabilities. Each must be assessed and addressed by Boeing."

__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/
Received on Jan 11 2008
