SEATTLE – Before Boeing Co.’s new 787 jetliner gets the green light to fly passengers, the jet maker will have to prove the plane’s computer network can’t be hacked.
Boeing claims it has engineered safeguards to keep unauthorized users out, but some security analysts worry that wiring designed to let passengers surf the Internet could leave flight control, navigation and communications systems vulnerable.
“The odds of this being perfect are zero,” said Bruce Schneier, chief technology officer at the security services firm BT Counterpane. “It’s possible Boeing can make their connection to the Internet secure. If they do, it will be the first time in mankind anyone’s done that.”
Boeing has designed the 787 to allow airlines to offer passengers more in-flight entertainment and Internet options than it has with previous planes.
Those new features and other aspects of the 787’s computer network go beyond the scope of existing regulations, so the Federal Aviation Administration is requiring Boeing to show the new technology won’t pose a safety threat.
In a “special condition” the FAA has ordered Boeing to satisfy, the agency notes that the 787 “allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane.
“Because of this new passenger connectivity, the proposed data network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane.”
Boeing spokeswoman Lori Gunter said the 787’s aviation electronics “are not connected in any way to the Internet. Also, there is not any place where the passenger interface to the Internet shares hardware with the plane’s aviation electronics.”
Special conditions are a normal part of the regulatory process aircraft makers go through to get their planes certified for flight. The FAA issues them any time new designs introduce safety concerns that aren’t fully addressed in existing regulations.
Boeing rival Airbus SAS argues that the only way to satisfy the new requirement would be to physically separate the passenger information and entertainment systems from all other systems on the plane. In written comments to the FAA, Airbus said that solution “is not technically and operationally viable.”
Gunter declined to specify exactly how and to what degree the plane’s computer networks are physically separated. “One of the things you do to ensure security is not talk about the protections in any great detail,” she said.
Boeing has already completed all lab tests the FAA has ordered for computer security, Gunter said. Final approval will come after Boeing runs another set of tests during flight testing, which is scheduled to begin in March. The company is set to deliver the first 787 by the end of the year.
The Air Line Pilots Association has urged the FAA to require a backup system that would allow flight attendants to disable passengers’ Internet connections. The FAA declined, saying its job is not to dictate specific designs, but Boeing said that capability already exists.