http://blog.wired.com/27bstroke6/2008/01/faa-responds-to.html

By Kim Zetter
Wired.com
January 09, 2008

Following up on a story that Wired News published last week about a possible security vulnerability in the design of Boeing's new 787 Dreamliner jet, I received an e-mail from the Federal Aviation Administration responding to some of the questions I asked the agency last week before the story was published. At the time, a spokesman had told me he wouldn't be able to respond to me until this week.

The story was about a special condition that the FAA had published in the Federal Register regarding a novel design in the Boeing 787 that, for the first time, connects a passenger internet network with networks that control the plane's navigation and maintenance systems. The special condition disclosed that such a design could put critical data at risk and stated that Boeing would have to demonstrate that proper safeguards were in place to prevent this from occurring.

FAA spokesman Allen Kenitzer wrote me in an e-mail yesterday that the fact that the FAA issued a special condition about this does not mean that the Boeing design is vulnerable, just that it has the potential to be vulnerable unless implemented properly, and that Boeing will be required to demonstrate that the system is not vulnerable before the FAA will certify the plane for use. [Update: I added the emphasis on the word is here; it's not in Kenitzer's e-mail. I added it to make sure readers read the sentence correctly.]

"Stated another way, the special conditions help ensure the design will not be vulnerable," he wrote.

He added that such special conditions are not unusual and that the FAA had issued ten special conditions on the 787 alone (a Boeing spokeswoman had told me last week that the FAA issued eight special conditions on the 787 design).

"Special conditions are routinely developed and published in the normal certification program process whenever the FAA determines the current aviation regulations are inadequate to address a potential safety concern," he wrote, adding that, "the applicant is introducing new technology and proposing more connectivity between passenger / cabin services and other airplane networks and systems than on past airplane models in which aircraft networks and systems were more isolated (no or very limited connectivity between these networked systems). The current regulations and guidance do not adequately address the security aspects of this additional connectivity."

I had asked him a question about what exactly the FAA meant in its special condition when it wrote that the passenger, navigation and maintenance networks on the 787 were "connected," since I wanted to make sure that I hadn't misinterpreted what the FAA was describing. He wrote:

"In the context of the special conditions, the FAA used the concept of 'connection' between the passenger, airline, and airplane domains very broadly. Earlier technology typically had physical and electrical isolation between these systems. These special conditions came about because the new designs do not necessarily provide complete physical and electrical isolation. As a generic example, a 'connection' in this context could be something such as time sharing a satellite receiver for data transmission. Not all types of 'connections' present the same vulnerabilities. Each must be assessed and addressed by Boeing."