Safety Measures To Secure Field-Loadable Software

Lufthansa Technik technicians
As more aircraft systems rely on software components, Lufthansa Technik is taking steps to assure the security of field-loadable software.
Credit: Sonja Brueggemann/Lufthansa Technik

As a new generation of software-centric aircraft displaces legacy equipment, the security of field-loadable software (FLS)—also termed aircraft controlled software (ACS)—has become increasingly critical.

“The security of field-loadable software has become more important in recent years, since more aircraft systems heavily rely on software,” explains Christian Oerter, head of team technical fleet engineering at Lufthansa Technik. “There is an industry-wide trend to use general-purpose hardware running specific software components that define the functionality and features of software-defined aircraft systems, primarily in electric and avionics systems.”

Scott Smith, lead principal engineer at ARINC Industry Activities of the SAE Industry Technologies Consortia, notes that airlines acknowledge that risks do exist, even while a threat may not be immediately evident. “As with any software, the ones and zeros can be manipulated to negatively affect an aircraft system,” he says. “The fact that the use of software-defined functions and systems has proliferated over the past 15 years only increases the number of systems vulnerable to tampering.”

FLS has several defining features: it can be loaded on or off the aircraft without any change to the part number of the target hardware that hosts it; it carries its own unique identification/part number, which is electronically verifiable on the aircraft; and that software part number may be aircraft-type-certified and may take the form of an application or even a database.

MBS Electronic Systems portable data loader
Most field-loadable software is installed on an aircraft via a portable data loader such as the one from MBS Electronic Systems (pictured). Credit: MBS Electronic Systems 

Even a basic understanding of FLS makes clear why the major concern is maintaining its integrity and authenticity, both in transit across networks and at rest on servers, portable data loaders (PDL) or the airborne data loaders of e-enabled aircraft such as the Boeing 787 and the Airbus A350. Tom Nicholls, systems lead in the UK office of MBS Electronic Systems, says “the concern applies to all scenarios where loading is required”: not only loading on the aircraft but also in the shop environment, where electronic software distribution (ESD) and network-connected data loaders are employed.

Traditionally, software was loaded into the target hardware of aircraft at the OEM facility. This eventually transitioned to the use of field-loadable software and databases, with the loading being performed by the airline or MRO via portable data loaders, or directly onto an airborne data loader-equipped aircraft. This meant that the software had to be transferred from the OEM to the airline or MRO prior to loading.

Initially, the software was stored on physical media such as a floppy disk, CD or memory card, and processes were developed for it to be delivered and handled by the airline or MRO in a secure manner. “But this transitioned to network-connected airborne data loaders and portable data loaders, where the software is transferred via networks,” Nicholls explains. As a result, additional threats to the integrity and authenticity of loadable software parts when in transit and in storage were introduced. “Unintended software could be installed on the target hardware, causing it to function in an unintended way,” he says.

While there are certain controls and procedures in place that would detect such an interference, the main concern, says Nicholls, is software that has been manipulated by a malevolent party. One example of a control he cites is public key infrastructure (PKI): digital signatures verified against certificates let the receiving party confirm that a software part came from the intended source and has not been changed during transfer or storage prior to loading. “The introduction of PKI to protect the integrity and authenticity of FLS during transmission and storage is a major element of new security requirements,” Nicholls says.

MBS Electronic Systems is an active member of the ARINC Software Distribution and Loading (SDL) subcommittee, which develops data-loading security standards. As an example, Nicholls reports that a major element of the security updates is hardening requirements for commercial off-the-shelf (COTS) hardware such as laptops and COTS software like MS Windows. “These types of devices are not only used for data loading, but for other general day-to-day tasks, which means that they are particularly vulnerable to potential attacks,” Nicholls cautions.

Lufthansa Technik’s Oerter confirms that the industry is trending toward the adoption of more COTS components to decrease development and life-cycle costs. At the same time, he notes, it is implementing measures such as PKI-based signature processes for FLS to allow for end-to-end security assurance from the software developer to the aircraft or aircraft component. “Assuring security of field-loadable software requires additional know-how and processes,” he says.

Airlines are, in fact, focusing on FLS security enhancements as an ongoing process. Donald van Tongeren, a KLM project manager, reports that the Amsterdam-based airline is eliminating storage media such as compact disks (CD). KLM electronically distributes software, in 95% of all cases, from servers with strict access control. From the servers, distribution is to the portable data loaders, or directly to the aircraft.

The portable data loaders have always been under strict physical access control and restricted to a limited set of people, van Tongeren stresses. “A misplaced portable data loader could be maliciously used to load software which the target hardware does not recognize,” he says. “Unlike the A350, 787 and newer 777s, most aircraft do not have the ability to recognize the loader—other than the protocol of loading. This is why we always know where and with whom the portable data loaders are.”

This, says van Tongeren, is why external electronic interaction is where the greatest vulnerabilities lie. “You have to make sure who is initiating this interaction. With wireless interaction, it can be even done from outside the airport premises.”

Consequently, the preferred software distribution method today is electronic, directly from the OEM to the operator, says Ted Patmore of Delta Air Lines’ avionics software management, aircraft cybersecurity team. Software distribution, he notes, “utilizes PKI that implements digitally encrypted signatures”; the signing keys are bound to certificates issued by a certificate authority and renewed periodically, so that a compromised certificate cannot remain in use indefinitely.

“Software is stored in an encrypted format in software vaults and portable data loaders to prevent any reverse engineering that may expose the function of software-driven systems, giving would-be hackers ideas,” says Patmore. “The primary concern is that the encryptions’ key signatures are not broken by hackers.”

Among the more vulnerable areas of the distribution chain, he says, is the software vault where software is received, authenticated, encrypted and stored. “These areas should have secure network connections that use protection such as a virtual private network (VPN) to prevent direct contact by hackers.”

Asked to describe some of the software security measures Delta has implemented, Patmore explains that software is distributed from external sources using a secure digital signature method to ensure the software’s integrity and authenticity. “Once the software is entered into an on-site software vault, physical security controls play a significant part,” he reports. “Access controls are implemented using gates and badges, and sign-in credentials are assigned to those with proper roles and responsibilities. This is to address the risk of tampering with or unintentional corruption of the software stored in the vault.”
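The PKI-based signing described by Nicholls, Oerter and Patmore above reduces, at the receiving end, to one check a vault, portable data loader or airborne loader runs before it accepts a part. The following Go program is an added illustration of that check and is not code from Delta, MBS Electronic Systems, Lufthansa Technik or any ARINC standard. It assumes a particular design that the article does not specify: an Ed25519 code-signing certificate issued by a root CA and valid for one year (forcing the periodic renewal Patmore mentions), a JSON manifest that binds the FLS part number to the SHA-256 of the image, and the OEM's signature over that manifest. All names, part numbers and the sample image are hypothetical. The verifier rejects a part whose signer certificate does not chain to the trusted CA or has expired, whose signature does not verify, or whose image no longer matches the signed hash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Manifest is the signed record for one part: the FLS part number plus the SHA-256 of its image.
type Manifest struct {
	PartNumber string `json:"part_number"`
	SHA256     string `json:"sha256"`
}

// SignedPart is what travels over the network and sits in a vault or on a PDL.
type SignedPart struct {
	Image, Manifest, Signature, SignerDER []byte // image, signed manifest bytes, OEM signature, OEM cert
}

func must(err error) { // used only while building the throw-away test PKI
	if err != nil {
		panic(err)
	}
}

// NewTestPKI builds a throw-away root CA and an OEM code-signing certificate that expires one
// year from now, forcing periodic renewal. Names are hypothetical; real keys would live in an HSM.
func NewTestPKI(now time.Time) (*x509.CertPool, ed25519.PrivateKey, []byte) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example FLS Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	oemPub, oemKey, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	oemTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example OEM FLS Signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	oemDER, err := x509.CreateCertificate(rand.Reader, oemTmpl, caCert, oemPub, caKey)
	must(err)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, oemKey, oemDER
}

// SignPart hashes the image, builds the manifest and signs the manifest with the OEM key.
func SignPart(key ed25519.PrivateKey, certDER []byte, partNumber string, image []byte) SignedPart {
	m, _ := json.Marshal(Manifest{PartNumber: partNumber, SHA256: fmt.Sprintf("%x", sha256.Sum256(image))}) // cannot fail here
	return SignedPart{Image: image, Manifest: m, Signature: ed25519.Sign(key, m), SignerDER: certDER}
}

// VerifyPart is the check a vault, PDL or airborne loader runs before accepting a part: the signer
// certificate must chain to the trusted CA and be valid at now, the signature must verify, and the
// image must still match the hash in the manifest. Any failure rejects the part.
func VerifyPart(p SignedPart, roots *x509.CertPool, now time.Time) (Manifest, error) {
	cert, err := x509.ParseCertificate(p.SignerDER)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	}
	if err != nil {
		return Manifest{}, fmt.Errorf("signer certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, p.Manifest, p.Signature) {
		return Manifest{}, fmt.Errorf("manifest signature does not verify")
	}
	var m Manifest
	if err := json.Unmarshal(p.Manifest, &m); err != nil {
		return Manifest{}, fmt.Errorf("manifest unreadable: %w", err)
	}
	if sum := sha256.Sum256(p.Image); fmt.Sprintf("%x", sum) != m.SHA256 {
		return Manifest{}, fmt.Errorf("image hash does not match signed manifest")
	}
	return m, nil
}

func main() {
	now := time.Now()
	roots, key, certDER := NewTestPKI(now)
	part := SignPart(key, certDER, "EXAMPLE-FLS-001", []byte("constructed sample image v1")) // constructed input
	_, err := VerifyPart(part, roots, now)
	fmt.Println("genuine part accepted:", err == nil)
	part.Image[0] ^= 0xff // one byte altered in transit
	_, err = VerifyPart(part, roots, now)
	fmt.Println("tampered image:", err)
}
```

Signing the manifest rather than the raw image is what makes the part number "electronically verifiable": the loader learns the part number only from data covered by the OEM's signature, so a valid image relabelled with another part number is rejected just as a modified image is. Note that this example enforces certificate expiry but not revocation; a production loader would also consult a CRL or OCSP response, since renewal alone only bounds how long a compromised certificate stays usable.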

As for portable data-loader security, Patmore says the chain of custody is controlled through a check-out/check-in process at Delta.

“We change all default passwords, use tamper tabs to indicate any disassembly of portable data loaders and ensure the portable data-loader system software is kept up to date and current,” he notes. “We also examine log files collected by portable data loaders and define the level of access roles that restrict access to system settings only to those that require it. They use only internal networks and/or secure communications protocols such as VPNs via external networks.”