Aerospace Village - Product Cybersecurity: Secure Airplane Development Lifecycle
Formal Metadata
Number of Parts: 374
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/49212 (DOI)
Transcript: English (auto-generated)
00:05
Hello everyone, this is Mike Vangardi with the Boeing Company, and I'm here to talk to you about product cybersecurity, specifically the secure airplane development lifecycle used within Boeing commercial airplanes. And as a short primer on what I'll be talking about today,
00:23
just want everybody I think understands that the aviation industry is focused on safety. Everybody in the Boeing Company works hard to achieve this. We also have a new concept called the e-enabled aircraft. And what I mean by that is that we even now have airplanes that have awkward connectivity that may employ the use of commercial off-the-shelf software and
00:44
services like the Internet Protocol Suite. But so with the good comes the bad though, right? Because of this we now need to contend for cyber security threats. And so the way airplanes are developed now need to take this into consideration. And
01:02
malicious intent via cyber methods is an air concern that needs to be accounted for during design, development, tests, and analysis. So developing a product that is both safe and secure is of the utmost importance to the company. We also need to protect, you know, our airline customers,
01:21
protect our brand and the aviation system as a whole. In order to do this, we need to secure the airplane, but we also need to secure those data links that connectivity and build a company culture that puts security right up there with where safety is today. Only then can we truly have an airplane that's secured throughout its entire life cycle.
01:46
Now sounds simple, right? So let's talk about their complexity and what this really means. Now this chart really kind of shows that, you know, aviation is pretty large in scope. And you can have all the security you want on the aircraft, but if we don't do our part to the rest of the ecosystem, meaning the ground systems,
02:05
maintenance, you know, the federated systems that might come in through SATCOM or global navigation, then we're not as secure as we need to be. And so Boeing is spending a lot of effort and time working across these different parts of aviation. And as, again,
02:25
and we'll talk about some of that stuff here in the next few slides. And so as I kind of talked about connectivity, we have seen a growth in this in the enabled aircraft. Unfortunately, with all the good, you know, comes the need to drive cyber protections now.
02:44
And so this is a new, it's a new norm within aviation. Like there was a time when cybersecurity wasn't a big deal, but those days are long gone. And so this is going to require protections that are both on the airborne assets, you know, the avionics, the airplane systems, and those type of devices, as well as processes and
03:04
controls on the ground-based systems. To achieve this, you know, because airplanes are a global commodity that fly all over the world, information sharing is one of those key enablers. You know, we partnered with the Aviation Information Sharing and Analysis Center to get some good threat intelligence and basically just to build trust and relationships.
03:25
So in the case of a cyber event, you know, that can affect multiple stakeholders in this industry, we have those relationships to be able to, you know, share that data. And we're actually getting to the point where with the connectivity,
03:40
we're now going to need a way to manage all these connectivity solutions and basically the networks, just like we do on traditional ground systems. So that's definitely going to be the norm. Then I got a couple of these line charts to just show the relationship right now between safety and security. So on the left, we have safety events.
04:00
And what you'll see is that over time, those safety events become less common and actually, you know, based on good learning from mistakes, learning from history, you know, they tend not to show up or repeat themselves. Conversely, though, on security, though, you know, we know that the attack surface grows over time. And so in the case of an aircraft, which typically has a life cycle of, you know, close to 30 plus years,
04:26
if you were to never update, you know, the systems on the airplane, what kind of security issues might have popped up in between the initial certification and then that time frame. So we know that that's an issue to solve.
04:40
And we are working towards that. And I'll kind of talk a little later about what we've done to help mitigate that. Now Boeing Commercial Airplanes has been involved with network security since '94. That was when we first released the white paper for the 777 that really looked at what would happen if you tampered maliciously, or intentionally tampered, with software.
05:05
So we had some lessons learned from that. It kind of opened the eyes to some of our designers. Then came the 787 with the first E-enabled platform. And we've actually continued to, you know, add those type of systems to the rest of our fleets. So the 737s and 777s and 747-8s.
05:24
And essentially, the FAA at the time has realized that, you know, existing regulations did not adequately account for intentional misuse. And so we have something called special conditions. Those are the requirements laid on us by our regulator.
05:42
They kind of fit into two different buckets. Protect the aircraft from internal passenger access, those that want to do harm. Protect the aircraft from those trying to attack it external to the aircraft. And so right now, we're actually, we're in the 2020 timeframe. We have some new guidance coming out that is a little more inclusive.
06:02
And talking about securing the whole ecosystem, I'll talk about those standards here in a bit. And so let's talk about what it means to have a secure aircraft architecture. And so one of the things that airplanes are built around is something called domain model.
06:22
And they're specific to, as defined in ARINC 664, Part 5. I have a diagram on the next slide that will give a little more explanation. But essentially, there's three different trust levels on the aircraft. You have your front of aircraft, the aircraft control domain. Those are systems that, you know, really have a command and control impact to the aircraft.
06:43
You have those that sit in the airline information systems domain or services domain. Those are systems that are used to support maintenance or aircraft efficiencies and whatnot. Then we got the PIES domain, or passenger and information entertainment systems domain. Now, each of these domains has different trust levels.
07:02
And they also have different designs and protections, you know, to mitigate any intentional cyber intrusions. These protections, along with some administrative, physical access, and operational controls are holistically together provide security for an aircraft.
07:22
Now, as I briefly just talked about on the previous slide, the ARINC 664 Part 5 model is something that's in a published specification. This actually, this view right here, I kind of broken it into different views. A security view, responsibility, airline obstacles and functions.
07:41
This is similar to a software architecture design pattern, say a four plus one, where you have different concurrent views to account for, you know, different aspects of those domains. And so in the security view, we have what is done in the closed part of the network, the aircraft, that's done by the air framer. We have those responsibilities that are done on the private side, which are those
08:03
for the airline to control. And then we have things, you know, the passengers, as myself, I'm a passenger, I have the freedom to bring my own devices, whether it's a cell phone or a tablet. If I'm on the ground, I can use AT&T or Verizon, you know, to connect to the internet or other stuff like that.
08:22
So there's different trust domains, they have different roles, and they should come with their own different threats. To give a little more grander view on the connectivity and how they relate to the aircraft domains, this is a pretty busy chart, but just kind of shows you a lot
08:41
happening right here. So on the far left in the red, that's our aircraft control domain. Those are systems that are, again, needed for safety of flight typically in command and control of the aircraft. Some of the data links that are used on there are your L-band SATCOM for safety services. That would encompass things like ATN/OSI, ACARS, it will make use of mediums like
09:06
VHF if you're over terrestrial networks, SATCOM if you're oceanic. You then have the middle of the airplane, which is AISD. There's a lot of different ground network interfaces for that, mostly broadband, anywhere
09:23
from cellular to Wi-Fi. Also can use SATCOM in that regard. That SATCOM, though, is Ku/Ka-band SATCOM. Again, that domain is mostly for airline operational use to support flight crew, maintenance crews, and cabin crews.
09:40
And then at the backside of the aircraft, we have, again, the entertainment domain. And this is what, as a flying passenger, if you've ever wanted to get internet access while you were flying, you're going to connect to your IFEC, your in-flight entertainment and connectivity server. That's going to, again, normally be a third party like Iridium or Inmarsat that's going to provide that for you.
10:05
Now, this Venn diagram right here is to just kind of show the intersection of two main things. We all know that aviation safety is by far the main focus of all regulations in commercial airlines or commercial aviation.
10:21
But then we also have all these other systems on the aircraft that maybe have nothing to do with safety, and they're just for quality or passenger experience. That's aviation cybersecurity. Again, there's not a whole lot of regulations around that. But in that intersection, that inner circle is where we have our aviation cyber safety.
10:45
And these are under purview of the regulator. And this is really making sure that systems that have a criticality associated with them, based on their design assurance level, that those systems are robust against cyber
11:01
security concerns. In other words, to say that is a reduced chance or likelihood of a safety event happening in these cyber lanes. That's, again, a new area that's getting a lot of focus. That's where Boeing and its trusted partners spend a lot of time focusing on.
11:21
What else is Boeing doing right now to get to that secure and safe aircraft? We actually do the airplane certification. Something that is different than a typical airplane certification is now there is a separate activity to account for the security aspects. So almost like a security certification, just to look at the malicious misuse.
11:45
This demonstrates the security compliance and verifies that the airplane meets the stringent security requirements. Also, make sure that any other guidelines and things that the regulator is going to review is also accounted for.
12:01
We're spending, like most companies, we're always trying to innovate and find new cool things to make us more competitive, to make our customers find more value. We're partnering up with both internal and external parties. Some of these are private entities, others are like academia and universities to go
12:21
ahead and work together to come up with some new stuff. Things like machine learning and AI, blockchain, got to throw that out there because that was the buzz words of today. You kind of look at those, work with those different folks to come up with new solutions. We have a dedicated team that's looking at air-to-ground interfaces, how do we get more
12:41
data off the aircraft so we can do protective maintenance and trending and things like that. We also spend time doing risk assessments or risk management. We subscribe to the NIST framework, cyber security framework. This helps us focus on where we're going to, you know, what the big rocks are to go
13:00
solve and spend money accordingly. Something else that's kind of aligned to risk management is the use of tabletop exercises, threat teaming, wargaming, different words to say. The same thing as we're going to look at, you know, with different stakeholders to see, you know, are our assumptions good, where should we be focusing, are there any gaps in those assumptions and whatnot.
13:22
And a new thing that our team within Boeing and product security has just stood up is a team dedicated to doing product security incident response. So as we get more investing partners and working with the security researcher community, we need folks that are dedicated to handling any issues so that we can mitigate and fix
13:46
those accordingly. And also to account for the sustainment. Now, most folks realize that the operational phase of any system is the longest period and the most costly. And so because aircraft, you know, are a 30 plus year flying machine, we have to do
14:03
the security sustainment activities to make sure that those aircraft remain cyber resilient, cyber secure over that life cycle. To help us, you know, investigate that, we do a lot of testing. And so we have a dedicated secure aircraft cyber test lab.
14:20
This lab has a, it's a matter of different systems that we can go use to test, but it also has reach back capability into other parts of the company and different other labs, whether they're different configurations or other systems. This allows us to do penetration testing, both in-house as well as with, you know, trusted third parties that we brought on board or collaborated with to go look at stuff.
14:44
And then lastly, we have these public and private partnerships that we, you know, we're only as good as the folks we surround ourselves. And so we take an interest in leading industry standards activities, working with their European counterparts. One of the initiatives that we're tied into is their aircraft cyber initiative.
15:05
And that's a tri-chair with the FAA, DHS and DOD and working with some of those special programs. And then I talked about the aviation ISAC and that's something that we're heavily involved with. And so I just kind of talked about our secure lab.
15:23
We call that our SCORE lab and that stands for a center or secure center for operational research and experimentation. We do a lot of different things in here from R&D to incident response, forensics, if needed. Again, this is just one of the capabilities that, you know, as the airframer, having
15:40
access to the embedded avionics, the different avionics buses and having all of those broke out into a way we can have access to them really helps with demonstrating, you know, the security of the airplane. And again, as part of that new focus on working together again with the folks like
16:02
yourselves here at DEFCON, we've stood up a vulnerability disclosure kind of program. We didn't have one. And so, you know, that's something we just stood up. If you can see it there on the URL right there, that helps us in, you know, folks to do responsible disclosure. Also trying to partner with, again, the Aerospace Village and other organizations that are really
16:27
focusing on making good partnerships, education and teaching each other, you know, both sides of the visit, the aviation side and the security side. And again, those partnerships I just talked about, like the ACI working with different
16:44
national labs, airlines, consultants or whatnot. Again, the goal is to do all of this work together to identify new issues, new gaps, things that maybe we didn't think about so that we can make our products better, safer, more secure.
17:02
So speaking about a secure airplane development, this wanted to talk about some of the processes that we use to go do that. So we had the concept of a system engineering V and system engineering, but we focus on a system security engineering V. What that really means is it still subscribes to the same systematic process for doing design
17:23
and development, but adding those security activities as an abstraction layer on top of the normal system development. And so what that means is, you know, we'll do system security analysis. We'll make sure we'll do requirements verification, make sure that those systems have all the right requirements to reduce the risks based on those type of activities.
17:45
Threat modeling, attack surface analysis, similar to how we do fault trees and fault hazard assessments, we do the same thing for security through a threat tree and looking at the AND and OR gates that could lead to a security event.
18:00
Those all aggregate up to what we do then at the airplane level. So we do this for each system on the aircraft. But then what does that look like? You know, maybe you don't have a significant risk at a single system, but if you were to aggregate all of these different risks across the integrated aircraft architecture, does your analysis change? And so we do that at the airplane level as well.
18:20
And then we also do the testing on some things you can't analyze away, you can't do through analysis. And so especially when we're talking about robustness and resiliency, we do a lot of the testing at the system and aircraft level, and that covers your traditional requirements based testing, as well as those type of more invasive, the penetration testing, the robustness, and then looking for vulnerabilities and things that have already
18:46
been documented. Kind of talked about the security standards. There's a whole lot of them in aviation. The top three are probably the most centric to aviation cyber security right now, and those are DO-326, DO-355, and DO-356 and their European counterparts from EUROCAE.
19:06
Those are all centered on how to do security risk assessments, how to do aircraft secure design, and actually they're going to become the new methods of compliance on how to certify aircraft from a security standpoint. I listed a couple others, ARINC 811, that's an older, it's a little stale, but still
19:25
has good information on it. The NIST kind of Risk Assessment Guide and Risk Management Framework, although not aviation centric, they still have a lot of good information. A couple of these are just specific to how to do security event logging.
19:41
ARINC 852. ARINC 835 is how to do secure software loading using PKI and digital signatures. Spec 42 is used within aviation as more of a digital information and certificate policies and whatnot. So these are just, again, some of the industry best standards that we use to help build and design secure aircraft.
20:03
Some of the principles that are called out, like in, say, DO-356A, and again other places within industry are kind of listed on the slide here. So we do get a direct benefit from having such a strong safety culture. That means that, you know, typically we want to be safe by default, but we're working
20:22
towards being secured by default. Now these can be at odds sometimes, and so there's always de-confliction and trades that have to happen. Integrity monitoring, defense in depth, you know, availability, network segmentation, these aren't really new, or these aren't specific to aviation, but again the principles
20:41
still apply to us. Something that I think is a little more unique on aviation is configuration management. So we have the ability to do maintenance and do what we call data loading and install new software on the aircraft. Now to protect that against misuse, we have a lot of different inhibits and interlocks that prevent that. Some of this is discrete logic.
21:01
We might use a mechanical interlock or an avionics label or bus like 429 that you need to be in a certain state to accomplish that. We do look at systems at design assurance level for their criticality, as called out in DO-178C. We also are now looking at security assurance level that is called out in DO-356.
21:23
And then access control and authentication, least privilege, again, these aren't unique to aviation, but we're still leveraging them the best we can. And then just a plug to the A-ISAC, the Aviation Information Sharing and Analysis
21:40
Center, I kind of talked to them a little bit before. But again, when we're talking cybersecurity and we're talking an industry like this where this has such a global impact, right? If you have, say, an aircraft was to get hacked or have some major issues, you would need to know that because that could propagate through a fleet of aircraft across the world.
22:00
And so to help mitigate that, again, we're part of the A-ISAC. We help stand that up. We engage regularly with both the airline customers, our supply base, other industry and government partners to collectively build a better and more secure industry.
22:21
And so just a couple more slides here. So managing ongoing risk. I talked about us going doing tabletops. We tend to do this through multiple iterations, whether it's an existing system that's been out there for a while or a new system that we want to bring online.
22:40
But essentially, we want to bring the right people and stakeholders together to get different views and what that really means, understand what our threats are, what do we need to do in the future to build more resilient aircraft. And so that's really pushing us towards, again, getting folks aware of why cybersecurity on aircraft matter and building that new cybersecurity culture.
23:05
So in summary, just wanted folks to understand within communities like this is that we don't just stick stuff on an aircraft. We actually spend a lot of time looking at cybersecurity and it's looked at across the ecosystem. We're leveraging the industry best standards and practices.
23:23
We embed security throughout the entire product development lifecycle. One of the ways that we help to be more secure is collaboration with our stakeholders because that's really the way that we can reduce risk collectively.
23:40
We do take a proactive stance on managing ongoing risk, and so it just doesn't happen by itself. Cyber safety, cybersecurity, and cyber resiliency are key principles within Boeing. And ultimately, the message I want to share with the folks here at DEF CON and Aerospace Village is we want to proactively work with you. We want to work with the researchers.
24:01
We want to work with folks that are interested in making the industry better and more secure. And so hopefully this gave you a little bit of insight into how Boeing is managing a secure lifecycle and going forward to help work with you all someday soon. Thanks for watching, and we'll talk to you later.
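The threat-tree step described at 17:45 to 18:20 (AND/OR gates leading to a security event, evaluated per system and then aggregated at the airplane level) can be made concrete with the small evaluator below. This is an added example written for this page; it is not code from the talk, from Boeing, or from any aviation standard. The tree shapes, event names, likelihoods and the 0.05 threshold are constructed placeholders, chosen so that neither system alone crosses the threshold while the aircraft-level OR of both does, which is exactly the "does your analysis change?" question the speaker raises.

```python
"""Threat-tree evaluation in the style of fault-tree analysis.

Added example; not code from the talk or from Boeing. Event names,
likelihoods and the 0.05 threshold are constructed placeholders.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Union


@dataclass(frozen=True)
class Leaf:
    """A basic attacker action or precondition with an assumed likelihood."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """AND: every child must occur; OR: any one child suffices."""
    name: str
    kind: str        # "AND" or "OR"
    children: tuple  # of Leaf / Gate


Node = Union[Leaf, Gate]


def likelihood(node: Node) -> float:
    """Top-event likelihood, assuming the leaf events are independent."""
    if isinstance(node, Leaf):
        return node.p
    ps = [likelihood(c) for c in node.children]
    if node.kind == "AND":
        r = 1.0
        for p in ps:
            r *= p
        return r
    if node.kind == "OR":
        none_happen = 1.0
        for p in ps:
            none_happen *= 1.0 - p
        return 1.0 - none_happen
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node: Node) -> List[frozenset]:
    """Minimal sets of leaf events that together realise the top event."""
    if isinstance(node, Leaf):
        return [frozenset([node.name])]
    child_sets = [cut_sets(c) for c in node.children]
    if node.kind == "OR":
        candidates = [s for cs in child_sets for s in cs]
    elif node.kind == "AND":
        # One cut set from each child, unioned: all branches must be realised.
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    # Drop any set that strictly contains another candidate, then dedupe.
    minimal: List[frozenset] = []
    for s in candidates:
        if any(o < s for o in candidates):
            continue
        if s not in minimal:
            minimal.append(s)
    return minimal


def aircraft_level(system_trees) -> Gate:
    """Aggregate per-system top events: compromise of any system is an aircraft-level event."""
    return Gate("aircraft", "OR", tuple(system_trees))


def exceeds(node: Node, threshold: float) -> bool:
    return likelihood(node) > threshold


def build_example():
    """Two constructed placeholder trees for hypothetical airplane systems."""
    sys_a = Gate("system A compromised", "AND", (
        Gate("reach maintenance interface", "OR", (
            Leaf("A1 unescorted ramp access", 0.20),
            Leaf("A2 stolen maintenance credential", 0.10),
        )),
        Leaf("A3 unsigned load accepted", 0.15),
    ))
    sys_b = Gate("system B compromised", "AND", (
        Leaf("B1 reach cabin network", 0.30),
        Leaf("B2 cross-domain filter bypass", 0.10),
    ))
    return sys_a, sys_b, aircraft_level([sys_a, sys_b])


if __name__ == "__main__":
    sys_a, sys_b, top = build_example()
    threshold = 0.05
    for t in (sys_a, sys_b, top):
        state = "OVER" if exceeds(t, threshold) else "under"
        print(f"{t.name:28s} p={likelihood(t):.4f} {state} threshold")
    for cs in cut_sets(top):
        print("attack path:", sorted(cs))
```

Run it directly to print each tree's likelihood and the minimal attack paths. The independence assumption in likelihood() is the usual fault-tree simplification; when two systems share a leaf event (the same stolen credential, say), cut_sets() still lists that path correctly but the product rule over-counts, which is one reason the airplane-level pass is worth reviewing by hand as well as by tool.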