Cryptome have published (3/1/07)
[Docket No. NM364 Special Conditions No. 25-356-SC]
Special Conditions: Boeing Model 787-8 Airplane; Systems and Data Networks Security--Isolation or Protection From Unauthorized Passenger Domain Systems Access
On March 28, 2003, Boeing applied for an FAA type certificate for its new Boeing Model 787-8 passenger airplane. The Boeing Model 787-8 airplane will be an all-new, two-engine jet transport airplane with a two-aisle cabin. The maximum takeoff weight will be 476,000 pounds, with a maximum passenger count of 381 passengers.
The report goes on to detail the fact that the 787 exhibits ... unusual and unique features...
Novel or Unusual Design Features
The digital systems architecture for the 787 consists of several networks connected by electronics and embedded software. This proposed network architecture is used for a diverse set of functions, including the following:
1. Flight-safety-related control and navigation and required systems (Aircraft Control Domain).
2. Airline business and administrative support (Airline Information Domain).
3. Passenger entertainment, information, and Internet services (Passenger Information and Entertainment Domain).
The proposed architecture of the 787 is different from that of existing production (and retrofitted) airplanes. It allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane.
Because of this new passenger connectivity, the proposed data network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane. The existing regulations and guidance material did not anticipate this type of system architecture or electronic access to aircraft systems that provide flight critical functions.
Furthermore, 14 CFR regulations and current system safety assessment policy and techniques do not address potential security vulnerabilities that could be caused by unauthorized access to aircraft data buses and servers.
Therefore, special conditions are imposed to ensure that security, integrity, and availability of the aircraft systems and data networks are not compromised by certain wired or wireless electronic connections between airplane data buses and networks.
(Boeing spokeswoman Lori Gunter is reported saying that the wording of the FAA document is misleading, and that the plane's networks don't completely connect.)
After considerable and detailed discussion with Airbus (in relation to the 380 design) about the wording of the guidelines ...
Airbus stated that in the sentence:
``The design shall prevent all inadvertent or malicious changes to, and all adverse impacts * * *'', the wording ``shall prevent ALL'' can be interpreted as a zero allowance. According to the commenter, demonstration of compliance with such a requirement during the entire life cycle of the aircraft is quite impossible because security threats evolve very rapidly. The only possible solution to such a requirement would be to physically segregate the Passenger Information and Entertainment Domain from the other domains. This would mean, for example, no shared resources like SATCOM (satellite communications), and no network connections.
Finally the FAA agreed this wording:
The applicant shall ensure that security threats from all points within the Passenger Information and Entertainment Domain, are identified and risk mitigation strategies are implemented to protect the Aircraft Control Domain and Airline Information Services Domain from adverse impacts reducing the aircraft safety.
In relation to the document as prepared, they finalise the various arguments ...
Applicability
As discussed above, these special conditions are applicable to the 787. Should Boeing apply at a later date for a change to the type certificate to include another model on the same type certificate incorporating the same novel or unusual design features, these special conditions would apply to that model as well.
Conclusion
This action affects only certain novel or unusual design features of the 787. It is not a rule of general applicability.
and that ..
The Special Conditions
Accordingly, pursuant to the authority delegated to me by the Administrator, the following special conditions are issued as part of the type certification basis for the Boeing Model 787-8 airplane.
The design shall prevent all inadvertent or malicious changes to, and all adverse impacts upon, all systems, networks, hardware, software, and data in the Aircraft Control Domain and in the Airline Information Domain from all points within the Passenger Information and Entertainment Domain.
Issued in Renton, Washington, on December 21, 2007.
Ali Bahrami,
Manager, Transport Airplane Directorate, Aircraft Certification Service.
[FR Doc. E7-25467 Filed 12-31-07; 8:45 am]
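The special condition quoted above turns on whether anything in the Passenger Information and Entertainment Domain can reach the other two domains, and Airbus's comment singles out shared resources such as SATCOM. The following check is an added example, not part of the FAA document or of any Boeing or Airbus design: it walks a constructed topology (all node names and links are hypothetical) and lists every data path from a passenger-domain node into the Aircraft Control or Airline Information Domain, first with a two-way shared SATCOM link and then with that link made one-way.

```python
from collections import deque

ACD, AID, PIED, SHARED = "ACD", "AID", "PIED", "SHARED"  # domains from the FAA text

# Constructed topology: node names are hypothetical, not the 787's real design.
NODES = {
    "flight_control": ACD, "avionics_bus": ACD,
    "maintenance_server": AID, "crew_terminal": AID,
    "seat_display": PIED, "cabin_wifi": PIED,
    "satcom": SHARED,  # shared resource of the kind Airbus mentions
}
# Directed links: (src, dst) means data can flow from src to dst.
LINKS = [
    ("seat_display", "cabin_wifi"), ("cabin_wifi", "seat_display"),
    ("cabin_wifi", "satcom"), ("satcom", "cabin_wifi"),
    ("flight_control", "avionics_bus"), ("avionics_bus", "flight_control"),
    ("avionics_bus", "maintenance_server"),  # one-way, ACD to AID only
    ("maintenance_server", "crew_terminal"), ("crew_terminal", "maintenance_server"),
    ("maintenance_server", "satcom"), ("satcom", "maintenance_server"),
]
# Same topology with the inbound SATCOM-to-AID direction removed (one-way link).
HARDENED = [l for l in LINKS if l != ("satcom", "maintenance_server")]

def violations(nodes, links):
    """List (source, target, path) for each PIED node that can reach ACD or AID."""
    adj = {}
    for src, dst in links:
        adj.setdefault(src, []).append(dst)
    found = []
    for start in sorted(n for n, dom in nodes.items() if dom == PIED):
        prev = {start: None}          # BFS tree, also the visited set
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in adj.get(cur, []):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        for target in sorted(prev):
            if nodes[target] in (ACD, AID):
                path, node = [], target
                while node is not None:
                    path.append(node)
                    node = prev[node]
                found.append((start, target, path[::-1]))
    return found

if __name__ == "__main__":
    for name, links in (("shared SATCOM, two-way", LINKS), ("one-way SATCOM", HARDENED)):
        hits = violations(NODES, links)
        print(f"{name}: {len(hits)} violation(s)")
        for src, dst, path in hits:
            print("  " + " -> ".join(path))
```

Reachability in such a model is only a necessary condition for an adverse impact; a path found here marks a link that needs a documented mitigation, not a demonstrated compromise.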
Naturally this has raised a great deal of interest and concern and resulted in many articles in the computer technical press which highlight this technical requirement in a rather high profile and alarming manner ...
This has been taken up in press articles with even more sensational and irresponsible headlines, and evidently an unclear understanding of what the FAA have said and how it operates.
From:
The Times, January 9, 2008: How a backseat driver could bring terror to new Dreamliner
Wired, by Kim Zetter, 01.04.08: FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack
p2p Net News: Want to hack a Boeing Dreamliner?
Boeing's response is clear and encouraging
Boeing's Gunter said they have been working on the issue with the FAA for a number of years already and were aware that the agency was planning to publish a "special conditions" document regarding the Dreamliner.
Gunter said the FAA and Boeing have already agreed on the tests that the plane manufacturer will have to do to demonstrate that it has addressed the FAA's security concerns.
"It will all be done before the first airplane is delivered," she said.
The FAA has issued eight special conditions on the Boeing 787. The FAA publishes them whenever it encounters unusual issues regarding a plane's design or performance in order to communicate on record that it expects the manufacturer to address the issue. It is then the manufacturer's responsibility to demonstrate to the FAA that it has solved the problem.
Whilst it is late in the day for such concerns to be raised, it must be remembered that since Boeing first applied for type certification with the FAA on March 28, 2003, customer In Flight Entertainment (IFE) has made massive strides to accommodate the need or want to use mobile phones (miraculously used on 9/11 - God was watching that day), internet connectivity, video on demand, PC usage between users in flight, multiple gaming etc.
The Airbus family has a modular architecture, with 5 physically separate computer boxes in the flight control system (7 with 2 flight augmentation computers, or FACs), and the flight management and guidance system (FMGS) computer boxes are physically separate from all of these.
The Airbus was of course the first wide bodied jet family to use "fly by wire" (FBW) on the A320, which entered service in 1988, reducing weight and providing safer flying, and a clutter-free cockpit without the familiar "yoke", just a little side-positioned joystick (see layout/pic here). The same system is also used on the Airbus A330 and A340 and now 380 widebody jets. The only Boeing plane with fly-by-wire technology is the 777 which, as a result, has a computer architecture different to the 747 series, about which there have been no concerns. In the 777 the main Common Computer Resource (CCR) box has an internal architecture which is supposed to provide cast-iron separation between partitions so that a partition providing a flight-critical service cannot be interfered with by a less critical process.
Boeing and Airbus differ in their FBW philosophies. In Airbus aircraft, the computer always retains ultimate control and will not permit the pilot to fly outside the normal flight envelope. In a Boeing 777, the pilot can override the system, allowing the plane to be flown outside this envelope in emergencies.
It was precisely trying to meet the demands for IFE services which led to such major delays in launching the Airbus 380, although it was more to do with physically cabling the systems than the systems software architecture. Evidently Airbus have a substantial lead in this area, which they will not sacrifice soon or easily.
Mrs Shanahan is going to see even less of her husband.
Pic is of 1st delivered Airbus 380 at Singapore Airport before first flight by SA staff.