Federal Aviation Administration Inflight Connectivity & Cyber Security Presented by: Peter Skaves, FAA CSTA for Advanced Avionics Date: June 9, 2016 Presented to:

Federal Aviation Administration 2 Briefing Overview Security Terminology Aircraft Connectivity Avionics Security Considerations IFE Connectivity to Aircraft Systems IFE Block Diagram Potential Risks IFE Plane Layout Safety & Economic Benefits Change Impact Analysis Continued Airworthiness Discussion and Wrap-up

Federal Aviation Administration 3 What is Aircraft Systems Information Security Protection Today?

Federal Aviation Administration 4 Security Terminology (sheet 1 of 2)  We’ve used several terms for security from electronic attacks on networks and systems: network security, information security, systems security, and cyber security  These terms are often used interchangeably, which may cause confusion as to their intended meaning

Federal Aviation Administration 5 Security Terminology (sheet 2 of 2)  We are now trying to standardize on the term Aircraft Systems Information Security Protection (ASISP)… …to indicate security from electronic attacks on aircraft networks and systems  We’re talking aircraft Electronic Connectivity Including U.S. governmental services which have specific requirements for information security

Federal Aviation Administration 6 FAA AVS Strategic Plan Focus  Cyber Security & Aircraft Systems Information Security Protection (ASISP) We’re focusing in, for the most part, on electronic connectivity to internal and external aircraft systems and networks We believe that the greatest threat is the exploitation of aircraft electronic access points via public networks such as the internet We have published policy statements, special conditions, and issue papers to address and mitigate any potential aircraft electronic connectivity vulnerabilities We have sponsored an Aviation Rulemaking Advisory Committee (ARAC) comprised of industry and government experts to provide additional recommendations on ASISP

Federal Aviation Administration 7 Aircraft Connectivity to the Internet

Federal Aviation Administration 8 Aircraft Connectivity (sheet 1 of 2)  Prior to the availability of e-Enabled technologies, legacy aircraft have used architectures with limited wired or wireless connectivity to non-governmental service providers  This is rapidly changing as aircraft are incorporating: Wi-Fi Electronic Flight Bags Wireless Field Loadable Software Real-time aircraft health monitoring and reporting Passenger Information and Entertainment Systems connectivity to public networks such as the internet

Federal Aviation Administration 9 Aircraft Connectivity (sheet 2 of 2)  Aircraft operators have the option to include a wireless network on e-Enabled aircraft to: Remotely upload software parts, aeronautical charts, airplane flight manuals, electronic checklists, performance information, flight plan information, etc., to aircraft systems located anywhere in the world Continuously monitor health information from aircraft systems and record data to an onboard maintenance computer and send information to airlines operations centers in real-time

Federal Aviation Administration 10 NextGen Connectivity Diagram  SatCom, ACARS  IP Broadband  Software  Hardware  ACARS  Hardware  Navigation Data  Airline, ATM  MRO  Supplier  HW - SW  Nav Charts  SW Supplier  PC Cards  IC’s  SW  Elec Parts

Federal Aviation Administration 11 Notional Airplane Domain Concepts  To better understand cyber-security threats and vulnerabilities, industry has defined conceptual aircraft block diagrams called domains for transport category airplanes Aircraft Control Domain Airline Information Service Domain Passenger Information and Entertainment Services  Fault propagation across domains is not allowed  A security risk assessment is required to ensure that any potential, “hacking” into the passenger entertainment system will be isolated, and contained  Depending on the aircraft data buss type, some aircraft may have a high level of connectivity between systems  Low speed uni-directional data busses (ARINC-429) are less susceptible to “hacking” than high speed bi-directional data busses (Avionics Full-Duplex Switched Ethernet (AFDX))

Federal Aviation Administration 12 Notional Aircraft Domains CNS/ATM & NextGen Services Communication Navigation & Surveillance Air Traffic Control Centers GPS & Ground Navigation Aids Airline Networks (ACARS) Internet / Public Networks Controls Network Security Access Points Air Traffic Services (ATS) Provider Non-Air Traffic Services Provider Figure 1 - Aircraft Systems Information Security Protection (ASISP) FAA Air Traffic Services Connectivity Internal Aircraft Network Security Controls E-Enabled Aircraft Connectivity including FLS

Federal Aviation Administration 13 ASISP Overview  Since 2005, the FAA Aviation Safety (AVS) service has been using research and applying special conditions / companion issue papers to address electronic cyber-security threats to aircraft systems and networks (First special condition issued on B787 airplane program)  The FAA Transport Airplane Directorate has issued over twenty special conditions for certain make and model airplanes to address: (1) Aircraft Electronic Systems Security Protection from unauthorized external access Addresses threats from external connectivity to aircraft systems from public networks such as the internet (refer to item 1 in figure 1) (2) Isolation of Aircraft Electronic System Security Protection from Unauthorized Internal Access Addresses threats across aircraft systems domains such as potential hacking of entertainment systems (refer to item 2 in figure 1)

Federal Aviation Administration 14 Federated Aircraft Systems

Federal Aviation Administration 15 Aircraft Rules, Processes & Standards  Federal Aviation Regulation's (FARs) FAR “General Requirements for Intended Function” FAR “Equipment Systems and Installation” Special Conditions establish the rule basis for Aircraft Systems Information Security Protection (ASISP) for certain make and model aircraft with new and novel architectures  Companion Issue Papers to Special Conditions provide a means of compliance  Development Assurance Industry Process Standards RTCA DO-178C “Software Development Guidance” RTCA DO-254 “Airborne Electronic Hardware Development Guidance” ARP 4754a “Guidelines for Development of Civil Aircraft and Systems” ARP 4761 “Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems”  ASISP Industry Standards for Transport Category Airplanes RTCA, DO-326a, DO-355, DO-356 “Industry standards for ASISP include initial certification and continued airworthiness to address the ever-evolving security threat environment ”  Technical Standard Orders (TSO) for External Aircraft Connectivity FAA TSO’s invoke certain industry standards for aircraft safety, performance and interoperability connectivity requirements to United States Air Traffic Service Providers (ATS) TSO’s include aircraft standards for connectivity to Air Traffic Management (ATM), NextGen Communication, Navigation, and Surveillance (CNS) services and public networks

Federal Aviation Administration 16 Policy Statement for ASISP  The FAA issued Policy Statement PS-AIR , Establishment of Special Conditions for Cyber Security, on March 6, 2014 “The Federal Aviation Administration (FAA) will issue special conditions for initial type certificate (TC), supplemental type certificate (STC), amended TC, or amended STC applications for aircraft systems that directly connect to external services and networks as follows: The external service or network is non-governmental; The aircraft system receives information from the non- governmental service or network; and, The failure effect classification of the aircraft system is “major” or higher”

Federal Aviation Administration 17 Avionics Security Considerations  Transport Category Airplanes systems have fault tolerant, fail- safe designs and use redundancy management and independent back-up systems to address and mitigate failure conditions caused by inadvertent or intentional system degradation  Commercial airplanes are extremely reliable and safe based in part on their avionics architectures  There are no single point failures to exploit which could cause an unsafe condition  Multiple attacks would be required on various aircraft systems in parallel to significantly degrade airplane performance

Federal Aviation Administration 18 Airplane Diagram

Federal Aviation Administration 19 Why do we connect IFE to aircraft systems?

Federal Aviation Administration 20 IFE Aircraft Connectivity  Aircraft Connection interfaces: Global Positioning Systems (GPS) and Inertial Navigation Systems (INS) for aircraft position information (latitude and longitude) and airspeed for passenger moving maps Wi-Fi networks Satellite Communication (SATCOM) for internet access, live TV, etc. Data loaders to update IFE software parts Connect to power ports for portable electronic devices (PED) charging

Federal Aviation Administration 21 Wi-Fi Overview  Wi-Fi is the standard way computers connect to wireless networks  Nearly all modern computers have built-in Wi-Fi integrated circuits that allow users to find and connect to wireless routers  When a device establishes a Wi-Fi connection with a router, it can communicate with the router and other devices on the network  The router must be connected to the internet (via a DSL or modem cable) in order to provide internet access to connected devices  FAA Policy Statement PS-ANM-25-13, dated December 9, 2013 “Electromagnetic Compatibility Demonstration for Airplane Wireless Radio Frequency Networks”

Federal Aviation Administration 22 IFE Block Diagram

Federal Aviation Administration 23 Passenger Portable Device

Federal Aviation Administration 24 In-Seat Display Unit

Federal Aviation Administration 25 Passenger Entertainment Security  The FAA does not currently require a security risk assessment for information displayed to the passengers via the entertainment system  Threatening or hostile messages that could be sent to the passengers personal PEDs and IFE systems are being reviewed by the FAA for potential safety impacts  To date, no significant safety impacts of PEDs or IFE systems related to information security have been identified  The FAA does require a security risk assessment for IFE connectivity to aircraft systems  Aircraft architectures do not allow electronic transmission of in-flight entertainment data to aircraft guidance and control systems

Federal Aviation Administration 26 Typical Application & Services Cockpit Terminal - EFB Attendant EFB Wireless Cabin Distribution Airborne Communication Links (ACARS, XM, Sirius,JetConnect) Flight Ops  Weather  Electronic Manuals/Charts  Cabin Surveillance  Surface Moving Maps  Flight Papers/Data Typical Applications and Services Onboard/Passenger  Rebooking/IRROPS  Customer Profiles  Buy On Board  Live Audio  /WAP Browsing Maintenance  *FIX  Flight Data Downloads  Electronic Logbook  Maintenance Data Collection  Electronic MEL Server Air to Air Data Link (Sirius/XM or JetConnect)

Federal Aviation Administration 27 Security Considerations

Federal Aviation Administration 28 Potential Risks (sheet 1 of 2)  Examples of potential ASISP risks: Erroneous maintenance messages Corrupted software loads to aircraft systems Malware to infect an aircraft system Corrupted software applications An attacker to use onboard wireless to access aircraft system interfaces

Federal Aviation Administration 29 Potential Risks (sheet 2 of 2)  Examples of potential ASISP risks: Denial of service of wireless interfaces Misuse of personal devices that access aircraft systems Misuse of off-board network connections to access aircraft system interfaces Denial of service of safety critical systems

Federal Aviation Administration 30 IFE Connectivity

Federal Aviation Administration 31 IFE Airplane Layout (sheet 1 of 2)

Federal Aviation Administration 32 IFE Airplane Layout (sheet 2 of 2)

Federal Aviation Administration 33 Safety and Economic Benefits of new Technologies include Electronic Flight Bags Enabled by Internet Connectivity

Federal Aviation Administration 34 Transform the Paper Environment

Federal Aviation Administration 35 EFB Electronic Displays

Federal Aviation Administration 36 Aircraft Systems & Security  Several postings on the internet question whether there's truth to the assurances from aircraft manufacturers and government officials that aviation systems are as secure as claimed  There have been reports that hackers have compromised aircraft guidance and control systems  Certain Internet postings have questioned the security of passenger entertainment systems

Federal Aviation Administration 37 Change Impact Analysis  For every aircraft modification a Change Impact Analysis (CIA) is required ●The results of the change impact analysis may be used to determine if an aircraft level or system level security risk assessment is required ●An ASISP change impact analysis is required for modification to aircraft systems and networks connectivity to non-ATS provider networks ●A change impact analysis is simplified for legacy aircraft using federated systems and uni-directional ARINC-429 data-busses ●For Integrated Modular Avionics (IMA) aircraft using bi-directional high speed data busses across aircraft domains, involvement and coordination with the original aircraft manufacturer may be required for certain modifications ●Industry has published standards on conducting a CIA for security such as RTCA DO-326A

Federal Aviation Administration 38 Continued Airworthiness & Security  Commercial Aircraft may have 30 plus years of service expectancy Approximately 25,000 flights per day in the United States FAA FAR Part 21.3 “Reporting of Failures, Malfunctions, and Defects” FAA reviews all reports of potential electronic hacking FAA is publishing criteria for designees to find compliance for aircraft networks & cyber security systems Industry has published standards for continuing airworthiness such as RTCA DO-355 FAA sponsors research and publication of information on avionics security FAA audits and reviews applicants security plans FAA Sponsored Security ARAC, Final Report due August, 2016

Federal Aviation Administration 39 Airworthiness Directives  An airworthiness directive means a document issued or adopted by the Federal Aviation Administration which mandates actions to be performed on an aircraft to restore an acceptable level of safety, when evidence shows that the safety level of this aircraft may otherwise be compromised  Airworthiness Directives (ADs) are legally enforceable regulations issued by the FAA in accordance with 14 CFR part 39 to correct an unsafe condition in a product. Part 39 defines a product as an aircraft, engine, propeller, or appliance.  The FAA Transport Airplane Directorate typically issues 300 ADs per year  The FAA has not issued any ADs directly related to information security for aircraft avionics systems

Federal Aviation Administration 40 Questions & Wrap-Up Peter Skaves, FAA Advanced Avionics CSTA (425)