{"id":678,"date":"2017-11-16T15:55:13","date_gmt":"2017-11-16T15:55:13","guid":{"rendered":"https:\/\/securitycurve.com\/?p=678"},"modified":"2017-11-16T15:55:13","modified_gmt":"2017-11-16T15:55:13","slug":"boeing-the-security-measures-apply-to-you-too","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=678","title":{"rendered":"Boeing: The security measures apply to you too"},"content":{"rendered":"

A few interesting things in the news today. In fact, I think they are most interesting in the presence of each other.\u00a0 You may know that November 7-8 was the CyberSat conference<\/a>?\u00a0If you weren’t aware of it, CyberSat is an event that is “…dedicated to assessing the ever-evolving threat of cyber attacks in the satellite and aerospace landscape.”\u00a0 So kinda like Blackhat, Infosec World, etc. but for planes and plane paraphenalia.<\/p>\n

Anyway, a bunch of stuff happened leading up to – and during – that event.\u00a0 The biggest security news of course is the US Homeland Security team remotely hacking a 757<\/a>.\u00a0 I linked the CSO article because I thought it outlined the salient facts without a lot of “blah blah blah” or editorializing about how terrible the whole thing is.\u00a0 Those of you that remember this stuff probably remember that attacks against airplanes have been a thing for years.\u00a0 But the DHS publicly outlining their testing is new.\u00a0 The plane that was tested was from Boeing.\u00a0 Hold that fact for later.<\/p>\n

While that’s interesting on its own, there were other things that happened during the event as well.\u00a0 The one that caught my eye was a recap of the session, “How to Achieve End-to-End Protection”<\/a>.\u00a0 The whole recap makes for a good read if you’re interested in what these folks have on their mind about security, but I found the comments from Boeing senior director of strategy to be most interesting.\u00a0 Specifically, he says that conversations must be ongoing, that OEM vendors must be flexible and willing to communicate, that folks need to protect against multiple different types of threats.\u00a0 Here’s the direct quote:<\/p>\n

Bruce Chesley, senior director of strategy for Boeing Space and Missile Systems, said that the conversations around cybersecurity must be both persistent and dynamic. Original equipment manufacturers and service providers must be flexible and willing to communicate in order to adequately serve the wide range of satellite customers and their different demands. \u201cFor certain satellite customers, the boundaries of the system and the scope of what we deliver varies pretty widely,\u201d Chesley said. The cybersecurity challenge for a mature operator such as Intelsat, for example, is different for other customers for whom Boeing will develop, operate and maintain the entire core network, including the user terminals. \u201cThe edges of the ecosystem that have to be protected is a variable threat surface from a cyber point of view,\u201d he said.<\/p><\/blockquote>\n

So what’s interesting to me is that there’s an implicit criticism here.\u00a0 Specifically, it’s a call to action for satellite vendors (and by extensions others that are in Boeing’s supply chain) about what they should be doing about security.\u00a0 But couldn’t those same things (and the criticism it implies) be leveled against Boeing on the basis of the DHS test?\u00a0 Here’s what I mean in a point-by-point breakdown:<\/p>\n