Hello everyone, this is Mike Vangardi with the Boeing Company, and I'm here to talk to you about product cyber security, specifically the secure airplane development life cycle used within Boeing Commercial Airplanes. And as a short primer on what I'll be talking about today, I just want everybody, I think, to understand that the aviation industry is focused on safety. Everybody in the Boeing Company works hard to achieve this. We also have a new concept called the E-enabled aircraft. And what I mean by that is that we now have airplanes that have awkward connectivity that may employ the use of commercial off-the-shelf software and services like the internet protocol suite. But with the good comes the bad, though, right? So because of this we now need to contend with cyber security threats. And so the way airplanes are developed now needs to take this into consideration, and so malicious intent via cyber methods is an air concern that needs to be accounted for during design, development, test, and analysis. So developing a product that is both safe and secure is of the utmost importance to the company. We also need to protect, you know, our airline customers, protect our brand and the aviation system as a whole. In order to do this, we need to secure the airplane, but we also need to secure those data links, that connectivity, and build a company culture that puts security right up there with where safety is today. Only then can we truly have an airplane that's secured throughout its entire life cycle. Now sounds simple, right? So let's talk about the complexity and what this really means. Now this chart really kind of shows that, you know, aviation is pretty large in scope, and you can have all the security you want on the aircraft, but if we don't do our part to the rest of the ecosystem, meaning the ground systems, maintenance, you know, the federated systems that might come in through SATCOM or a global navigation, then we're not as secure as we need to be.
And so Boeing is spending a lot of effort and time working across these different parts of aviation, and again, we'll talk about some of that stuff here in the next few slides. And so as I kind of talked about connectivity, we have seen a growth in this in the E-enabled aircraft. Unfortunately, with all the good, you know, comes the need to drive cyber protections now. And so this is a new, it's a new norm within aviation. Like there was a time when cyber security wasn't a big deal, but those days are long gone. And so this is going to require protections that are both on the airborne assets, you know, the avionics, the airplane systems and those type of devices, as well as processes and controls on the ground-based systems to achieve this, you know, because airplanes are a global commodity that fly all over the world. Information sharing is one of those key enablers. You know, we partnered with the Aviation Information Sharing and Analysis Center to get some good threat intelligence and basically just to build trust in relationships. So in the case of a cyber event, you know, that can affect multiple stakeholders in this industry, we have those relationships to be able to, you know, share that data. And we're actually getting to the point where, with the connectivity, we're now going to need a way to manage all these connectivity solutions and basically the networks just like we do on traditional ground systems. So that's definitely going to be the norm. And then I got a couple of these line charts to just show the relationship right now between safety and security. So on the left, we have safety events. And what you'll see is that over time, those safety events become less common and actually, you know, based on good learning from mistakes, learning from history, you know, they tend not to show up or repeat themselves. Conversely, though, on security, though, you know, we know that the attack surface grows over time.
And so in the case of an aircraft, which typically has a life cycle of, you know, close to 30-plus years, if you were to never update, you know, the systems on the airplane, what kind of security issues might have popped up in between the initial certification and that time frame? So we know that that's an issue to solve and we are working towards that. And I'll kind of talk a little later about what we've done to help mitigate that. Now Boeing Commercial Airplanes has been involved with network security since '94. That was when we first released the white paper for the 777 that really looked at what would happen if you were to maliciously or intentionally tamper with software. So we had some lessons learned from that. It kind of opened the eyes of some of our designers. Then came the 787 with the first E-enabled platform. And we've actually continued to, you know, add those types of systems to the rest of our fleets. So the 737s and 777s and 747-8s. And essentially the FAA at the time has realized that, you know, existing regulations did not adequately account for intentional misuse. And so we have something called special conditions. Those are the requirements levied on us by our regulator. They kind of fit into two different buckets. Protect the aircraft from internal passenger access, those that want to do harm. Protect the aircraft from those trying to attack it external to the aircraft. And so right now we're actually, we're in the 2020 timeframe. We have some new guidance coming out that is a little more inclusive in talking about securing the whole ecosystem. I'll talk about those standards here in a bit. And so let's talk about what it means to have a secure aircraft architecture. And so one of the things that airplanes are built around is something called a domain model. And they're specifically defined in ARINC 664 P5. I have a diagram on the next slide that will give a little more explanation.
But essentially there's three different trust levels on the aircraft. You have your front of aircraft, the aircraft control domain. Those are systems that, you know, really have a command and control impact to the aircraft. You have those that sit in the airline information systems domain or services domain. Those are systems that are used to support maintenance or aircraft efficiencies and whatnot. Then we got the PIES domain, or your passenger and information entertainment systems domain. Now each of these domains has different trust levels, and they also have different designs and protections, you know, to mitigate any intentional cyber intrusions. These protections, along with some administrative, physical access and operational controls, are what holistically together provide security for an aircraft. Now as I briefly just talked about on the previous slide, the ARINC 664 P5 model is something that's in a published specification. This actually, this view right here, I've kind of broken it into different views: a security view or responsibility, airline ops roles and functions. This is similar to a software architecture design pattern, say 4 plus 1, where you have different concurrent views to account for, you know, different aspects of those domains. And so in the security view, we have what is done in the closed part of the network, the aircraft. That's done by the airframer. We have those responsibilities that are done on the private side, which are those for the airline to control. And then we have things, you know, the passengers, as myself, I'm a passenger. I have the freedom to bring my own devices, whether it's a cell phone or a tablet. I'm on the ground. I can use AT&T or Verizon, you know, to connect to the internet or other stuff like that. So there's different trust domains. They have different roles and they should come with their own different threats.
To give a little more granular view on the connectivity and how they relate to the aircraft domains, this is a pretty busy chart, but it just kind of shows you, there's a lot happening right here. So on the far left in the red, that's our aircraft control domain. Those are systems that are, again, needed for safety of flight, typically in command and control of the aircraft. Some of the data links that are used on there are your L-band SATCOM for safety services. That would encompass things like ATN OSI, ACARS. It will make use of mediums like VHF, if you're over terrestrial networks, SATCOM, if you're oceanic. You then have the middle of the airplane, which is AISD. There's a lot of different ground network interfaces for that, mostly broadband, anywhere from cellular to Wi-Fi. Also can use SATCOM in that regard. That SATCOM, though, is a Ku/Ka-band SATCOM. Again, that domain is mostly for airline operational use, just for flight crew, maintenance crews, and cabin crews. And then at the backside of the aircraft, we have, again, the entertainment domain. And this is what, as a flying passenger, if you've ever wanted to get internet access while you were flying, you're going to connect to your IFEC, your In-Flight Entertainment Connectivity server. That's going to, again, normally be a third party like Iridium or Inmarsat. That's going to provide that for you. Now, this Venn diagram right here is to just kind of show the intersection of two main things. And so we all know that aviation safety is by far the main focus of all regulations in commercial airlines or commercial aviation. But then we also have all these other systems on the aircraft that maybe have nothing to do with safety or they're just for quality or passenger experience. That's the aviation cybersecurity. Again, there's not a whole lot of regulations around that. But in that intersection, the inner circle is where we have our aviation cybersecurity. And these are under purview of the regulator.
This is really making sure that systems that have a criticality associated with them, based on their design assurance level, that those systems are robust against cyber security concerns. In other words, that is to say there is a reduced chance or likelihood of a safety event happening via cyber means. And so that's, again, a new area that's getting a lot of focus. That's where Boeing and its trusted partners spend a lot of time focusing. And so what else is Boeing doing right now to get to that secure and safe aircraft? And so we actually do the airplane certification. Something that is different than a typical airplane certification is now there is a separate activity to account for the security aspects. So almost like a security certification just to look at the malicious misuse. This demonstrates the security compliance. It verifies that the airplane meets the stringent security requirements. Also makes sure that any other guidelines and things that the regulator is going to review are also accounted for. We're spending, you know, like most companies, we're always trying to innovate and find new cool things to make us more competitive, to make our customers find more value. And so we're partnering up with both internal and external parties. Some of these are private entities, others are like academia and universities, to go ahead and, you know, work together to come up with some new stuff. Things like machine learning and AI, you know, blockchain, got to throw that out there because those are the buzzwords of today. But you kind of look at those, work with those different folks to come up with new solutions. We have a dedicated team that's looking at air-to-ground interfaces. How do we get more data out of the aircraft so we can do predictive maintenance and trending and things like that? We also spend time doing risk assessments and risk management. We subscribe to the NIST framework, cybersecurity framework.
This helps us focus on where we're going to, you know, what the big rocks are to go solve and spend money accordingly. Something else that's kind of aligned to risk management is the use of tabletop exercises, red-teaming, wargaming, different words to say the same thing, as we're going to look at, you know, with different stakeholders to see, you know, are our assumptions good? Where should we focus? Are there any gaps in those assumptions and whatnot? And a new thing that our team within Boeing and Product Security has just stood up is a team dedicated to doing product security incident response. So, as we get more vesting partners and working with the security researcher community, we need folks that are dedicated to handling any issues so that we can mitigate and fix those accordingly. And also to account for the sustainment. Now, most folks realize that the operational phase of any system is the longest period and the most costly. And so, because aircraft, you know, are 30-plus-year flying machines, we have to do the security sustainment activities to make sure that those aircraft remain cyber-resilient, cyber-secure over that life cycle. To help us, you know, investigate that, we do a lot of testing. And so, we have a dedicated, secure aircraft cyber test lab. This lab has a smattering of different systems that we can go use to test, but it also has reach-back capability into other parts of the company. And different other labs, whether they're different configuration or other systems. This allows us to do penetration testing both in-house as well as with, you know, trusted third parties that we brought on board or collaborated with to go look at stuff. And then lastly, we have these public and private partnerships that we, I don't know, we're only as good as the folks we surround ourselves with. And so, we take an interest in leading industry standards activities, working with their European counterparts.
One of the initiatives that we're tied into is their Aircraft Cyber Initiative. And that's a tri-chair with the FAA, DHS and DOD and working with some of those special programs. And then I talked about the Aviation ISAC. And that's something that we're heavily involved with. And so, I just kind of talked about our secure lab. We call that our SCORE lab. And that stands for a Secure Center for Operational Research and Experimentation. We do a lot of different things in here, from R&D to incident response, forensics if needed. And again, this is just one of the capabilities that, you know, as the airframer, having access to the embedded avionics, the different avionics buses, and having all of those broken out in a way we can have access to them really helps with demonstrating, you know, the security of the airplane. And again, as part of that new focus on working together, again, with the folks like yourselves here at DEF CON, we've stood up a vulnerability disclosure kind of program. We didn't have one. And so, you know, that's something we just stood up. If you can see it there on the URL right there, that helps us and, you know, folks that do responsible disclosure. Also trying to partner with, again, the Aerospace Village and other organizations that are really focusing on making good partnerships, education and teaching each other, you know, both sides of the visit, the aviation side and the security side. And again, those partnerships I just talked about, like the ACI, working with different national labs, airlines, consultants or whatnot. Again, the goal is to do all of this work together to identify new issues, new gaps, things that maybe we didn't think about, so that we can make our products better, safer and more secure. So speaking about a secure airplane development, I just wanted to talk about some of the processes that we use to go do that.
So we have the concept of a system engineering V in system engineering, but we focus on a system security engineering V. What that really means is it still subscribes to the same systematic process for doing design and development, but adding those security activities as an abstraction layer on top of the normal system development. And so what that means is, you know, we'll do system security analysis. We'll do requirements verification, make sure that those systems have all the right requirements to reduce the risks based on those type of activities. Threat modeling, attack surface analysis: similar to how we do fault trees and fault hazard assessments, we do the same thing for security through a threat tree and looking at the AND and OR gates that could lead to a security event. Those all aggregate up to what we do then at the airplane level. So we do this for each system on the aircraft, but then what does that look like? You know, maybe you don't have a significant risk at a single system, but if you were to aggregate all of these different risks across the integrated aircraft architecture, does your analysis change? So we do it at the airplane level as well. And then we also do the testing on some things you can't analyze away. You can't do through analysis. And so especially when we're talking about robustness and resiliency, we do a lot of the testing at the system and aircraft level. And that covers your traditional requirements-based testing as well as those type of more invasive, the penetration testing, the robustness, and then looking for vulnerabilities and things that have already been documented. Kind of talked about the security standards, and there's a whole lot of them in aviation. The top three are probably the most centric to aviation cybersecurity right now. And those are DO-326, DO-355 and DO-356 and their European counterparts in EUROCAE.
Those are all centered on how to do security risk assessments, how to do aircraft secure design. And actually they're gonna become the new methods of compliance on how to certify aircraft from a security standpoint. I listed a couple others: ARINC 811, that's an older one, it's a little stale but still has good information in it. The NIST kind of risk assessment guide and risk management framework, although not aviation centric, they still have a lot of good information. A couple of these are just specific to how to do security event logging, 832; 835 is how do you do secure software loading using PKI and digital signatures. Spec 42 is used within aviation as more of a digital information and a certificate policies and whatnot. So these are just, again, some of the industry best standards that we use to help build and design and secure aircraft. Some of the principles that are called out, like in, say, DO-356A and, again, other places within industry, are kind of listed on the slide here. So we do get a derived benefit from having such a strong safety culture. That means that typically we wanna be safe by default, but we're working toward being secure by default. Now these can be at odds sometimes. And so there's always de-confliction and trades that have to happen. Integrity monitoring, defense in depth, availability, network segmentation, these aren't really new or these aren't specific to aviation, but again, the principles still apply to us. Something that I think is a little more unique on aviation is configuration management. So we have the ability to do maintenance and do what we call data loading, so new software on the aircraft. Now to protect that against misuse, we have a lot of different inhibits and interlocks that prevent that. Some of this is discrete logic. We might use a mechanical interlock or an avionics label or bus like 429 that you need to be in a certain state to accomplish that.
We do look at systems' design assurance level, or their criticality, as called out in DO-178C. We also are now looking at security assurance level as called out in DO-356, and then access control and authentication and least privilege, again. These aren't unique to aviation, but we're still leveraging the best we can. And then just a plug to the A-ISAC, the Aviation Information Sharing and Analysis Center. I kind of talked about them a little bit before, but again, when we're talking cyber security and we're talking an industry like this, where this has such a global impact, right? If you have, say, an aircraft was to get hacked or have some major issues, you would need to know that, because that could propagate through a fleet of aircraft across the world. And so to help mitigate that, again, we're part of the Aviation ISAC. We help stand that up. We engage regularly with both airline customers, our supply base, other industry and government partners to, again, collectively build a better and more secure industry. And so just a couple more slides here. So managing ongoing risk. I talked about us going and doing tabletops. We tend to do this through multiple iterations, whether it's an existing system that's been out there for a while or a new system that we wanna bring online. But essentially we wanna bring the right people and stakeholders together, get different views and what that really means. Understand what our threats are. What do we need to do in the future to build more resilient aircraft? And so that's really pushing us towards, again, getting folks aware of why cybersecurity on aircraft matters and building that new cybersecurity culture. So in summary, just wanted folks to understand within communities like this that we don't just stick stuff on an aircraft. We actually spend a lot of time looking at cybersecurity, and it's looked at across the ecosystem. We're leveraging the industry best standards and practices.
We embed security throughout the entire product development lifecycle. One of the ways that we help to be more secure is collaboration with our stakeholders, because that's really the way that we can reduce risk collectively. We do take a proactive stance on managing ongoing risk. And so, it just doesn't happen by itself. Cyber safety, cybersecurity and cyber resiliency are key principles within Boeing. And ultimately the message I wanna share with the folks here at DEF CON and Aerospace Village is we wanna proactively work with you. We wanna work with the researchers, wanna work with folks that are interested in making the industry better and more secure. And so hopefully this gave you a little bit of insight into how Boeing is managing a secure lifecycle, and going forward, hope to work with y'all someday soon. Thanks for watching and we'll talk to you later.