The latest generation of airplanes, such as the Boeing 787 and Airbus A350, includes airplane data networks that introduce potential cyber security vulnerabilities. Cyber security vulnerabilities are not a new concept; however, they are new with regard to airworthiness. These networks provide connectivity between airplane and ground systems for transferring data to and from the airplane, as well as connectivity to maintenance ground support equipment. An Airplane Network Security Program is required to safeguard this datalink.
Legacy airplane designs used data buses such as ARINC 429/629 or MIL-STD-1553. The latest airplane designs can use, among other things, non-aviation-standard TCP/IP to convey a wide variety of digital information, including but not limited to passenger information and entertainment systems. Experience has shown that this type of technology is prone to a wide variety of attacks. Unless properly managed, any networked aviation system, if successfully attacked, can affect the airplane software configuration. To remain airworthy, operators must follow the information network security instructions recommended by type certificate holders and supplementary type certificate holders, and CASA regulations and policy.

Loadable Software Parts, or Field Loadable Software, are types of software applications used to alter the airplane software configuration. It is important to regard such software with the same airworthiness intent as physical parts: loadable software parts require authorized release certificates, and handling these software-based parts requires an understanding of some unique concepts. Changes in software applications change the airplane software configuration.
“e-Enabled” airplanes are composed of highly integrated, interconnected software- and firmware-driven computer systems with specific real-time computing and control tasks. TCP/IP data links, in flight and on the ground, transfer and receive critical control, navigation, operations and maintenance information. While bringing a higher level of efficiency to flight and business operations, they also bring safety implications, risks and requirements.
E-Enabled (or e-enabled) airplanes have the capability to reprogram flight-critical avionics components wirelessly and via various data transfer mechanisms. This capability alone, or coupled with passenger connectivity on the e-Enabled airplane network, may result in cyber security vulnerabilities from intentional or unintentional corruption of data and/or systems critical to the safety and continued airworthiness of the airplane.
Electrical systems of airplanes and other specialized vehicles typically include line-replaceable units (LRUs). LRUs are modular electronic systems that perform various vehicle operations. LRUs generally have, among other things, input and output electrical connections and an internal bus, typically a serial bus.
Airplane LRUs may be categorized according to how critical they are to airplane operation, i.e., by criticality. The least critical LRUs are responsible for operations such as passenger in-flight entertainment, while the most critical LRUs are responsible for airplane airworthiness, e.g., flight controls. For example, the Airplane Control Domain (ACD) LRU is a most-critical LRU, the Aviation Information Systems (AIS) LRU is a middle-critical LRU, and the In-Flight Entertainment (AIF) LRU is a least-critical LRU.
Modern airplanes are extremely complex. For example, an airplane may have many types of electronic systems on board, and such an electronic system may be an LRU. An LRU is designed to be easily replaceable; it may be replaced while the airplane is in flight or while it is on the ground.
LRUs may take various forms. An LRU on an airplane may be, for example and without limitation, a flight management system, an autopilot, an in-flight entertainment system, a communications system, a navigation system, a flight controller, a flight recorder, a collision avoidance system, a system to support maintenance functions, or a system to support crew processes. The various LRUs on an airplane may be parts of an airplane network data processing system.
LRUs may use software or programming to provide the logic or control for various operations and functions. Typically, software on an airplane is treated as one or more separate parts, or is combined with a hardware part and is unchangeable without changing the hardware part number. Airplane software that is treated as an airplane part may be referred to as a loadable airplane software part, or simply an airplane software part. Airplane software parts are part of the configuration of an airplane.
Current e-enabled airplanes have a process whereby an airplane generates a private key on board, which is matched to a digital certificate to give the plane a cryptographic identity. When this process is extended to an airplane with a high-availability design, the naïve approaches, which include key (identity) replication, essentially amount to violating some original security requirement in order to retain availability of off-board communications. In particular, redundancy enables, if not encourages, one to accidentally (or intentionally) continue using identity keys that are open to compromise, since a key that is still in use can be extracted from the LRU via forensic analysis.
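The tension described above, between keeping off-board communications available on a redundant unit and being able to retire a key that may have been exposed, can be made concrete with a small model. The following Go program is an added example, not code from the original page or from any airframe or avionics vendor. It assumes a hypothetical in-memory ground CA, constructed unit serial numbers and messages, and Ed25519 certificates built with Go's standard library only. Two redundant LRUs are enrolled twice: once with a separate key generated on each unit, and once with unit A's key replicated onto the standby unit B. Unit A is then removed from the airplane and its certificate retired (the point at which a key still in use becomes recoverable by forensic analysis), and the ground side re-checks both units. Only the per-unit design lets the surviving unit keep its identity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// unit is a cryptographic identity: a key pair generated on the device plus its certificate.
type unit struct {
	priv ed25519.PrivateKey // for an LRU this never leaves the unit
	cert *x509.Certificate
}

// groundCA is a hypothetical in-memory model of the operator's ground PKI.
type groundCA struct {
	unit
	revoked map[string]bool // serial numbers of retired certificates
}

// newUnit generates a fresh Ed25519 key pair on the device and certifies it: a self-signed
// CA root when ca == nil, otherwise a client-auth leaf issued by ca from the public key only.
func newUnit(name string, ca *groundCA) (*unit, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // toy serial; a real CA uses random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(2 * 365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	parent, signer := tmpl, priv // self-signed unless a CA is given
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		parent, signer = ca.cert, ca.priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &unit{priv: priv, cert: cert}, err
}

// verify is the ground-side acceptance check for a signed off-board message:
// chain to the CA, revocation status, then the signature itself.
func (ca *groundCA) verify(cert *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if ca.revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	return cert.CheckSignature(x509.PureEd25519, msg, sig)
}

// outcome records whether reports from redundant units A and B are accepted before and after A is retired.
type outcome struct{ ABefore, AAfter, BAfter bool }

// runScenario enrolls two redundant units, with separate on-board keys or with
// A's key replicated onto the standby unit B, then retires A and re-checks both.
func runScenario(replicate bool) (outcome, error) {
	root, err := newUnit("Example Operator Ground CA", nil) // constructed name
	if err != nil {
		return outcome{}, err
	}
	ca := &groundCA{unit: *root, revoked: map[string]bool{}}
	a, err := newUnit("LRU-SN-0001", ca) // constructed unit serial numbers
	b := a                               // replicated design: B holds a copy of A's key and cert
	if err == nil && !replicate {
		b, err = newUnit("LRU-SN-0002", ca)
	}
	if err != nil {
		return outcome{}, err
	}
	msg := []byte("constructed status report")
	accepted := func(u *unit) bool {
		return ca.verify(u.cert, msg, ed25519.Sign(u.priv, msg)) == nil
	}
	o := outcome{ABefore: accepted(a)}
	// A is pulled from the airplane; its key is now recoverable by forensic analysis, so the CA retires it.
	ca.revoked[a.cert.SerialNumber.String()] = true
	o.AAfter, o.BAfter = accepted(a), accepted(b)
	return o, nil
}

func main() {
	fmt.Println(runScenario(false)) // separate keys:  {true false true} <nil>
	fmt.Println(runScenario(true))  // replicated key: {true false false} <nil>
}
```

With separate keys, retiring A's certificate leaves B's identity intact; with the replicated key, the same revocation silences B as well, so an operator who wants to keep off-board communications alive is pushed toward leaving the exposed key in service, which is the failure the paragraph above describes. A production design would publish the retirement through a CRL or OCSP rather than an in-memory map, but the per-unit binding is what makes that retirement possible at all.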