1001001
Well Known Member
Here's a topic I have been thinking about for some time. I tend to follow computer security issues relatively closely, as my girlfriend has spent a large part of her career researching and dealing with them. I don't know the extent to which this has been discussed before, and I haven't seen much to address the subject on the major vendors' web sites.
We all are (or by now, should be) familiar with the many and varied major cracking scandals that have plagued internet businesses for some time. It is somewhat less well known, except in some industries such as power generation and chemical processing (in which I have spent the bulk of my career), that there are major vulnerabilities associated with connectivity between "business" and "plant" networks. Indeed, the Stuxnet controversy of a couple of years ago is only the tip of the iceberg that is industrial vulnerability to attack through computer networks (for those of you unfamiliar with Stuxnet, look it up, and pay particular attention to how it is spread). Stuxnet was designed to spread undetectably through computer networks and detect when it was installed in a particular type of control system. It then injected its package of malware to issue commands to the system that eventually resulted in the destruction of physical equipment. Regardless of the fact that it was designed to destroy Iranian uranium processing centrifuges, it also represents a demonstration of how any control system in the world that is insufficiently protected can be compromised to cause damage and harm in the physical world. Stuxnet has reportedly been modified by others (not its original authors) to provide tools to crackers that may wish to do harm to or extort industries and individuals whose business and safety rely on control systems.
I don't really want to get into the many possible ways that a compromised glass cockpit system could be used to inflict harm, but many of them should be obvious.
Vulnerabilities in industrial networks are typically a result of insufficient consideration for threats by hardware manufacturers, network integrators, and IT departments, but the greatest threat may lie in the fact that the vast majority of computer users really aren't aware of how computer malware spreads. I'm not an expert in that field, and I don't intend to try to educate folks on it, but I feel the need to ask the following questions about "Glass Cockpit" hardware and software in general.
1. Given that many glass cockpit systems rely on USB or SD data cards for data transfer, and the vulnerabilities demonstrated particularly with USB, what are the glass cockpit manufacturers doing to avoid infection from compromised USB devices and other vectors?
2. Regardless that glass cockpits may not seem a big target (especially in small aircraft) worthy of cracking efforts at the moment, what are manufacturers doing to build their systems to be resistant to or to detect malware that may be introduced to their systems?
I am not necessarily asking for technical specifics about what companies are doing. I understand that they may want to keep these efforts close to the chest, notwithstanding the past demonstrated ineffectiveness of "Security through Obscurity." However, I think we, as current and potential customers who risk our safety and our wallets by using these products, deserve to know that manufacturers are actively considering this potential threat.