A few interesting things in the news today. In fact, I think they are most interesting in the presence of each other.  You may know that November 7-8 was the CyberSat conference?  If you weren’t aware of it, CyberSat is an event that is “…dedicated to assessing the ever-evolving threat of cyber attacks in the satellite and aerospace landscape.”  So kinda like Blackhat, Infosec World, etc. but for planes and plane paraphernalia.

Anyway, a bunch of stuff happened leading up to – and during – that event.  The biggest security news of course is the US Homeland Security team remotely hacking a 757.  I linked the CSO article because I thought it outlined the salient facts without a lot of “blah blah blah” or editorializing about how terrible the whole thing is.  Those of you that remember this stuff probably remember that attacks against airplanes have been a thing for years.  But the DHS publicly outlining their testing is new.  The plane that was tested was from Boeing.  Hold that fact for later.

While that’s interesting on its own, there were other things that happened during the event as well.  The one that caught my eye was a recap of the session, “How to Achieve End-to-End Protection”.  The whole recap makes for a good read if you’re interested in what these folks have on their mind about security, but I found the comments from Boeing’s senior director of strategy to be most interesting.  Specifically, he says that conversations must be ongoing, that OEM vendors must be flexible and willing to communicate, and that folks need to protect against multiple different types of threats.  Here’s the direct quote:

Bruce Chesley, senior director of strategy for Boeing Space and Missile Systems, said that the conversations around cybersecurity must be both persistent and dynamic. Original equipment manufacturers and service providers must be flexible and willing to communicate in order to adequately serve the wide range of satellite customers and their different demands. “For certain satellite customers, the boundaries of the system and the scope of what we deliver varies pretty widely,” Chesley said. The cybersecurity challenge for a mature operator such as Intelsat, for example, is different for other customers for whom Boeing will develop, operate and maintain the entire core network, including the user terminals. “The edges of the ecosystem that have to be protected is a variable threat surface from a cyber point of view,” he said.

So what’s interesting to me is that there’s an implicit criticism here.  Specifically, it’s a call to action for satellite vendors (and by extension others that are in Boeing’s supply chain) about what they should be doing about security.  But couldn’t those same things (and the criticism they imply) be leveled against Boeing on the basis of the DHS test?  Here’s what I mean in a point-by-point breakdown:

  • Persistence of discussion – we’ve known about – or suspected – attacks against planes for years.  Honestly, I thought the issue was nobody cared about it — not, in fact, that we didn’t know it could happen.  Was Boeing having persistent and dynamic conversations since 2014 (the publication date from that article I cited) about how to find and fix these issues?  I’m not sure if they have.  There’s not much of a regulatory framework for this stuff, so it’s up to individual companies to show leadership and moral fortitude (i.e. to choose “security and safety” over “increased profitability”).  Did they?  If they did have these conversations, were they enough and did they lead to action?  It took DHS 2 days to find the issue — did Boeing do more than two days of systematic testing?  If so, what happened in their process that they didn’t find this too?
  • Willingness to communicate – Does Boeing itself pass the “willing to communicate” test?  I’d argue that, if you want to harden your systems, you’d let independent and interested researchers test against them in a virtual environment.  Maybe you pay those researchers a ridiculous bounty if they find a problem.  Bear in mind that, for DHS to conduct their test, they had to buy a plane.  Am I going to buy a plane to bug hunt Boeing’s product?  No.  Would I test it in a virtual apparatus in the hope of making 100k if I find something?  I’m not sure if I would or wouldn’t, but it’d at least be an option.
  • Addresses a variable threat surface – What the DHS found are RF attacks.  RF.  This is probably the first attack surface that folks are going to probe, right?  What about the other attack surfaces: segmentation of in-flight WiFi, electromagnetic interference, rowhammer attacks, etc.?  Is Boeing addressing variable threats?  It seems unlikely to me if they have major problems getting RF right.

Look, I’m not a Boeing exec.  I also don’t know much about the “Satellite and Aviation” space since I’ve never worked in it.  I do, however, feel that people should measure themselves with the same ruler they use to measure others.  If Boeing is going to initiate a call to action for their supply chain participants to do certain things about security, it seems to me like they should hold themselves to the same standard.  It’s the moral thing since health/safety is involved, but it’s also the best way for them to lead… by example.

This isn’t an indictment of Boeing by the way.  I think there’s a real opportunity for them here.  They can step up and show leadership for the industry and for other health- and safety-impacting IoT vendors (looking at you biomed) as well.  Regulators are years late to the party and trying to regulate will probably take still more years.  In the meantime, Boeing should be leading the discussions.  Who better?  They can either take the leadership role and make that part of their competitive advantage — or they can let a competitor do it.  Airbus maybe.  Boeing is certainly leading the “talking about it” part as evidenced by this panel.  That’s a good first step.  Will they lead the “doing it” part too?