Embedded software is increasingly responsible for plane safety in the air and on the landing strip. But as we’ve learned from the issues of the Boeing 737 Max 8, engineers can sometimes overlook interdependencies between operations, which can lead to catastrophic results. In the Boeing cases, the angle-of-attack (AoA) sensor and other instrument failures were tied to a design flaw involving the Maneuvering Characteristics Augmentation System (MCAS) of the 737 MAX series.
“You’ve got to think of the plane more and more as a unified system,” says Barbara Filkins, Security Consultant, SANS Research Director, and instructor at the California Aeronautical University, who is also working on her PhD in Aeronautical Science. “There also needs to be more alignment between airplane safety culture and cybersecurity culture.”
In this video interview, Barbara explains how embedded software drives aviation today and provides examples of interdependencies impacting flight and landing operations that developers should understand at planning and assessment stages. She also talks about the software-driven cockpit systems in her own home-built experimental plane, which is pictured in her background.
Additional Resources:
- GrammaTech blog on the importance of static and binary analysis in aviation systems, which also describes a hybrid approach to Agile, CI/CD and DevSecOps: https://blogs.grammatech.com/devsecops-in-safety-critical-avionic-software-and-the-role-of-static-analysis.
- EU/US DO-178C, “Software Considerations in Airborne Systems and Equipment Certification,” specifically calls out DevSecOps.
- DO-326 (2019), “Airworthiness Security Process Specification,” states that manufacturers and operators seeking certification of new aircraft systems and networks, or modifications to existing ones, will be required to address threats that can lead to unauthorized access and disruption of electronic aircraft system interfaces or information.
- The details of the methods and tools for aviation-related security processes are defined in DO-356 (2018), “Airworthiness Security Methods and Considerations,” which defines certification, security risk assessment and security development activities. Security risks evaluated during assessment activities require security development activities to mitigate the risk to the aircraft. These activities are meant to be integrated into the safety processes required for the software.
- The FAA’s 2017 AC 20-115D for airborne software assurance, section 6.1.4 defines the relationships of vendor-supplied software: Vendor-supplied software is usually related to In-Flight Entertainment (IFE), navigational databases, and Terrain Awareness and Warning Systems (TAWS). This software is usually subject to frequent updates and is managed through OpSpecs, operator engineering documents, or contractual agreements with the vendor.