Wireless technology can be used to transfer to an aircraft the various data bases required for aircraft functions such as navigation. An unlikely corruption of these data bases can result in a hazardous or even a catastrophic event on the aircraft. Corruption of a data base by natural effects (e.g. a bit change due to electrical noise) is well protected against by using traditional approaches such as a cyclic redundancy check. However, corruption can also be caused by malicious acts. An example is a malicious change of location of an obstacle in a chart. Protection against such “non-natural” events falls into the realm of “security” rather than information integrity. Threats to security include but are not limited to denial of service attacks, the monitoring and stealing of information and spoofing, also known as “man in the middle” intrusions.
Although inconvenient, a denial of service is not an aircraft safety issue. If the database is not loaded the pilot will not dispatch the aircraft. Similarly, misappropriation of information is a commercial issue but does not directly affect aircraft safety. For these non-safety issues, off the shelf low assurance level software provides some level of protection which may improve operations and customer satisfaction levels.
However, for the transferring of information such as databases for navigation or flight management system operating systems, corruption of a database by malicious means is a safety threat. This can be done by spoofing and/or man in the middle attacks. To protect against this intrusion, data must be verified to have originated from the authorized web site. That is, in security terms, “signed” data.
Because a data security breach can impact aircraft safety, intrusion security software needs to be developed to Considerations in Airborne Systems and Equipment Certification (CSASEC) DO178B standards or, developed using costly methods specific to Common Criteria EAL security standards. Such standards are needed to certify use of such software for aviation use by certification authorities (e.g. FAA).
Communications software packages that include multi-purpose security protection are very large and many times are available off-the-shelf without any DO178B development assurance. In some cases the communications and security software is provided on separate hardware such as personal computing devices used as electronic flight bags. However, to take advantage of the lower cost of off-the-shelf solutions yet still maintain safety/security, a method is needed to partition security software/hardware such that only that portion of the security software needed for the safety of the aircraft is developed and FAA certified by more rigorous and costly methods.
One approach to the solving the issues surrounding security functions is to use a “high design assurance” level operating system and to partition the security software into lower and higher levels of design assurance. Deos™ is an example of such an operating system. It provides high assurance level partitioning which means that low assurance level software (e.g. off-the-shelf) can run in one partition while higher assurance software can run in another, without fear of interference. However, many times the off-the-shelf software would have to be extensively re-written to operate on such an operating system which defeats the purpose of low cost acquisition of such software.
Under current aviation standards, avionics equipment and components are developed to meet a specific assurance level in a scale of design assurance levels (DAL). The scale includes DAL levels A-E that define the criticality of potential defects on flight safety. Catastrophic criticality corresponding to DAL A is the highest with “no effect” corresponding to DAL E.
Other systems that implement the security checking for wireless loading onto aircraft follow different approaches. Some systems are implemented in a DO178B design assurance level of D or E, to provide minimal assurance that the security algorithms are developed correctly. The disadvantage of this approach is that it does not address the issue of purposeful database corruption while wirelessly transferring data that require higher than level D or better software. Still other systems implement security checking that is developed to a high “Common Criteria” level, but usually these systems do not comply with DO178B.
Hence, an immediate need is for security for the transferring of navigation and other databases that require a higher assurance level for certification such as DO178B. The wireless loading of databases on business and commercial aircraft needs to be updated every few weeks. Wireless loading of databases can prevent the need for costly maintenance action that takes the aircraft out of service while the databases were being loaded.