The FAA says that their airworthiness tests “do not contain adequate or appropriate safety standards for these design features”. So basically, it seems that there’s a grey area for now, leaving the responsibility in the aeroplane manufacturers. Still, they gave these guidelines to Boeing:
1. Boeing must ensure electronic system security protection for the aircraft control domain and airline information domain from access by unauthorized sources external to the aeroplane, including those possibly caused by maintenance activity.
2. Boeing must ensure that electronic system security threats from external sources are identified and assessed, and that effective electronic system security protection strategies are implemented to protect the aeroplane from all adverse impacts on safety, functionality, and continued airworthiness.
In theory, the flight systems and passenger networks on the Boeing 747-8 and the ever-delayed Dreamliner are separated. But Vijay Takanti, VP for Security for Exostar, says that “there is some crossover and [the industry]is trying very hard to make sure the number of crossover points are very limited”.
What does Takanti mean with “crossovers points”? And why don’t just keep both network separated? That would fix any potential security breaches, right? Not the case, which is what the FAA is hinting in their guidelines: The mere existence of two networks in a plane – one accessible by the passengers – is a security hole in itself. The FAA says that Boeing should find a way to prevent “access by unauthorised sources external to the aeroplane, including those possibly caused by maintenance activity“. That’s the key. While it’s difficult, tampering with the networking systems inside the plane is a possibility at the maintenance stage. And if history has taught us something is that any security system can be broken, no matter how well engineered it is.
On top of that, the fact that the FAA doesn’t have regulations for these systems makes me a bit nervous. It is not that their regulations or tests could make things hacker-proof, but the idea of leaving this responsibility to private companies is not good, as demonstrated in recent times.
The only 100 per cent secure option: Fly without any kind of passenger networking. But then again, would you live without your newly acquired habit of viewing YouTube cat videos during flights? Would you sacrifice that, like you already sacrificed your dignity at the security checkpoint?