Computer Security in Aviation: Vulnerabilities, Threats, and Risk
Sistem komputer dan telekomunikasi di dunia penerbangan merupakan fundamental security yang berhubungan dengan resiko, keamanan dan kehandalan penerbangan. Hal yang utama perlu untuk dicermati adalah kerentanan dan resiko meliputi bidang IT, teknis navigasi dan infrastruktur. Prioritas utama adalah untuk keselamatan penerbangan sipil, namun tetap memperhatikan pula kepentingan militer. Dengan berbagai kejadian dan kecelakaan yang telah terjadi, dibutuhkan pencegahan terhadap resiko terjadinya kecelakaan atau kriminalitas di dunia penerbangan.
Beberapa problem security di dunia penerbangan.
Kerentanan keamanan jaringan. Kebanyakan sistem operasi komputer memiliki otentikasi yang lemah dan relatif mudah untuk di tembus. Kebanyakan sistem tersebut memiliki kontrol akses yang lemah dan cenderung memiliki konfigurasi yang buruk, dan sebagai hasilnya relatif mudah disalahgunakan. Sistem yang buruk sering diincar pada fasilitas yang rentan dan mudah ditembus. Akibatnya, penyalahgunaan oleh orang luar dan orang dalam berpotensi mudah menembus jaringan dan terkadang sangat sulit untuk dideteksi.
Keamanan sistem tergantung pada banyak faktor. Sistem keselamatan biasanya tergantung pada keamanan sistem yang memadai dan kehandalan sistem yang memadai (dan juga faktor lainnya). Hal ini dapat terganggu oleh perangkat keras dan masalah software, serta oleh falibilitas manusia dan lingkungan operasi nonbenevolent. Akibatnya, dalam banyak kasus yang dibahas di sini, suatu peristiwa yang terjadi tanpa sengaja alternatif bisa saja dipicu sengaja, dengan atau tanpa niat jahat. Kesimpulan dari pengamatan itu adalah bahwa pendekatan yang masuk akal untuk keamanan harus mencakup pendekatan yang masuk akal untuk sistem keamanan dan keandalan sistem secara keseluruhan.
Ancaman terhadap keamanan dan keselamatan. Kisaran ancaman yang dapat mengeksploitasi kerentanan ini sangat besar, yang berasal dari kegiatan teroris mungkin, sabotase, spionase, persaingan industri atau nasional, kejahatan peniru, kerusakan mekanis, dan kesalahan manusia. Serangan mungkin melibatkan penyisipan Trojan-horse dan gangguan fisik, termasuk tindakan pembalasan oleh karyawan yang tidak puas atau mantan karyawan atau pelecehan. Denial of service attack sangat berbahaya, karena mereka begitu sulit untuk mempertahankan diri dan karena efeknya dapat menghancurkan. Sistem terhubung ke Internet atau tersedia dengan dial-up adalah korban potensi penetrasi eksternal. Bahkan sistem yang tampaknya benar-benar terisolasi tunduk pada penyalahgunaan internal. Selain itu, banyak dari sistem-sistem yang tampaknya terisolasi dapat dikontrol dari jarak jauh karena fasilitas mereka untuk diagnosa remote dan pemeliharaan remote. Interferensi elektromagnetik adalah jenis yang rumit dan ancaman.
Resiko. Konsekuensi dari kerentanan dan ancaman terkait menyiratkan bahwa risiko bisa sangat besar. Yang berkaitan dengan penyalahgunaan komputer dapat (misalnya) mengakibatkan hilangnya kerahasiaan, kehilangan integritas sistem ketika sistem rusak, kehilangan integritas data ketika data berubah, penolakan layanan yang membuat sumber daya tersedia, atau pencurian. Penyalahgunaan tersebut mungkin disengaja atau tidak disengaja. Mungkin akan sangat sulit untuk dideteksi karena dalam kasus Trojan horse laten, atau mungkin tampak jelas seperti dalam kasus wipeout sistem yang lengkap. Lebih luas lagi, risiko sistem secara keseluruhan termasuk besar lalu lintas udara kontrol padam, penutupan bandara, hilangnya pesawat, kematian banyak penumpang, dan gangguan utama lainnya.
Review kejadian dan kecelakan yang telah terjadi
Radio-frequency spoofing of air-traffic control. Several people have masqueraded as air-traffic controllers on designated radio frequencies (in Miami, in Manchester, England, and in Virginia -- the ``Roanoake Phantom''), altering flight courses and causing serious confusion. (Some communication authentication might help mitigate problems of this type.)
Power and telecommunication infrastructural problems. Vulnerabilities of the power infrastructure and other computer problems have seriously affected air-traffic control (Chicago, Oakland, Miami, Washington DC, Dallas-FortWorth, Cleveland, all three New York airports, Pittsburgh, Oakland, etc.). An FAA report listed 114 major telecom outages in a 12-month period in 1990-91. Twenty air-traffic control centers were downed by a fiber-optic cable inadvertently cut by a farmer burying his cow (4 May 1991). The Kansas City ATC was brought down by a beaver-chewed cable (1990); other outages were due to lightning strikes, misplaced backhoe buckets, blown fuses, and various computer problems, as well as a 3-hour outage and airport delays in Boston that resulted from unmarked electronic components being switched. The AT&T outage of 17 September 1991 blocked 5 million calls and crippled air travel with 1,174 flights cancelled or delayed. Many such cases have been recorded. (Much greater recognition is needed of the intricate ways in which air-traffic control depends on the power and telecommunication infrastructures.)
Fatal aircraft incidents. The list of computer-related aircraft accidents is not encouraging. Undeserved faith in the infallibility of computer systems and the people who use them played a role in the Korean Airlines 007 shootdown, the Vincennes' Aegis shootdown of the Iranian Airbus, the F-15 shootdowns of two U.S. BlackHawks over Iraq, the Air New Zealand crash into Mt Erebus, the Lauda Air thrust-reverser problem, NW flight 255, the British Midlands 737 crash, several Airbus A320 crashes, the American Airlines Cali crash, the Ilyushin Il-114 crash -- to name just a few.
Near-misses and near-accidents. Numerous near-misses have also been reported, and probably many more have not. The recent missile observed passing AA 1170 over Wallops Island reminds us that accidents can be caused by friendly fire (as was indeed the case in the two UH-60 BlackHawks shot down by our own F-15Cs over Iraq). The sections in References 2 and 3 on commercial and military aviation are particularly well worth reviewing.
Electromagnetic interference. Interference seem to be a particularly difficult type of threat, although its effects on aircraft computers and communications are still inadequately understood. Passenger laptops with cable-attached devices appear to be a particularly risky source of in-flight radiation. EMI was considered as one possible explanation for the U.S. Air Force F-16 accidentally dropping a bomb on rural West Georgia on 4 May 1989. EMI was the cited cause of several UH-60 BlackHawk helicopter hydraulic failures. Australia's Melbourne Airport reported serious effects on their RF communications, which were finally traced to a radiating video cassette recorder near the airport.
Risks inherent in developing complex systems. Computer-communication system difficulties associated with air-traffic control are of particular concern. Significant problems have arisen in computer-communication systems for air-traffic control and procurements for military and commercial aviation and defense systems. Unfortunately, these problems are not indigenous to the aviation industry. There have been real fiascos elsewhere in attempts to develop large infrastructural computer-communication systems, which are increasingly dominated by their software complexity. For example, the experiences of system development efforts for the Social Security Administration, the IRS Tax Systems Modernization effort, and law enforcement merely reinforce the conclusion that the development of large systems can be a risky business. Another example is provided by the C-17 software and hardware problems; this case was cited by a GAO report as ``a good example of how not to approach software development when procuring a major weapons system.'' Unfortunately, we have too many such horrible ``good'' examples of what not to do, and very few examples of how systems can be developed successfully. In general, efforts to develop and operate complex computer-based systems and networks that must meet critical requirements have been monumentally unsuccessful -- particularly with respect to security, reliability, and survivability. We desperately need the ability to develop complex systems -- within budget, on schedule, and with high assurance compliant with their stated requirements. (References 2 and 3 provide numerous examples of development fiascos.)
In some aircraft incidents, system design and implementation were problematic; in other cases, the human-computer interface design was implicated; in further cases, human error was involved. In some cases, there were multiple causes and the blame can be distributed. Unfortunately, catastrophes are often attributed to ``human error'' (on the part of pilots or traffic controllers) for problems that really originated within the systems or that can be attributed to poor interface design (which, ultimately, should be attributed to human problems -- on the part of designers, system developers, maintainers, operators, and users!).
Possible Future Incidents
If accidental outages and unintended computer-related problems can cause this much trouble, just think what maliciously conceived coordinated attacks could do -- particularly, well conceived attacks striking at weak links in the critical infrastructure! On one hand, attacks need not be very high-tech -- under various scenarios, bribes, blackmail, explosives, and other strong-arm techniques may be sufficient; well-aimed backhoes can evidently have devastating effects. On the other hand, once a high-tech attack is conceived, its very sophisticated attack methods can be posted on underground bulletin boards and may then be exploited by others without extensive knowledge or understanding. Thus, a high level of expertise is no longer a prerequisite. It is perhaps unwise in this written statement to be too explicit about scenarios for bringing down major components of the aviation infrastructure. There are always people who might want to try those scenarios, and one incident can rapidly be replicated; the copycat has at least nine lives (virtually). Instead, we consider here some of the factors that must be considered in assessing future risks to security, in assessing the safety and reliability that in turn depend upon adequate security, and in efforts to avoid future disasters.
Targets. The air-traffic-control system is itself a huge target. Physical and logical attacks on computers, communications, and radars are all possible. Any use of the Internet for intercommunications could create further risks. Many airports represent vital targets, and the disruptions caused by outages in any major airport are typically felt worldwide. Individual aircraft of course also present highly vulnerable targets. In principle, sectoring of the en-route air-traffic facility provides some redundancy in the event only a single ATC center is affected; however, that is not a sufficient defense against coordinated simultaneous attacks. Overall, the entire gamut of security threats noted above is potentially relevant.
Attack modes. We must anticipate misuse by insiders and attacks by outsiders, including privacy violations, Trojan horses and other integrity attacks, extensive denials of service, physical attacks such as cable cuts and bombs, and electromagnetic and other forms of interference -- to name just a few. There are also more benign attacks, such as wiretaps and electronic eavesdropping -- perhaps gathering information useful for subsequent attacks.
Weak links. Many of the illustrative-risks cases cited in Reference 2 required a confluence of several causes rather than just a single-point failure. The 1980 ARPAnet collapse resulted from bits dropped in a memory that did not have any error checking, combined with an overly lazy garbage collection algorithm. The 1986 separation of New England from the rest of the ARPAnet resulted because seven trunk lines all went through the same cable, which was cut in White Plains, NY. Security is a weak-link problem, but compromises of security often involve exploitation of multiple vulnerabilities, and in many instances multiple exploitations are not significantly more difficult to perpetrate than single-point exploitations. Consequently, trying to avoid single weak links is not enough to ensure the absence of security risks. The basic difficulty is that there are too many weak links, and in some cases -- it would seem -- nothing but weak links. Indeed, the situation is not generally improving, and we can expect systems in the future to continue to have many vulnerabilities -- although some defenses may be locally stronger. Terrorism and sabotage. Incentives seem to be on the rise for increased terrorist and other information-warfare activities. The potential for massive widespread disruption or for intense local disruption is ever greater -- especially including denial-of-service attacks. Increasingly, the widespread availability of system-cracking software tools suggests that certain types of attacks may become more frequent as the attack techniques become widely known and adequate defenses fail to materialize. For example, the SYN-flooding denial-of-service attack on the Internet service provider PANIX recently inspired an even more aggressive and more damaging attack on WebCom that affected 3000 websites, over an outage period of about 40 hours on a very busy pre-Christmas business weekend.
Kesimpulan
Total integration. Keamanan, keselamatan, dan keandalan infrastruktur penerbangan harus benar-benar terintegrasi di seluruh seluruh infrastruktur, menangani sistem komputer, jaringan komputer, public-switched jaringan, kekuasaan-transmisi dan distribusi fasilitas, infrastruktur lalu lintas udara kontrol, dan semua interaksi dan saling ketergantungan satu sama lain.
Teknologi. Teknologi berpotensi berguna yang muncul dari komunitas R & D, tetapi biasanya kurang dalam ketahanan. Fungsi yang diinginkan sulit untuk mencapai menggunakan sistem hanya tersedia secara komersial. Penelitian lebih lanjut dan diperlukan pengembangan prototipe secara fundamental, khususnya yang berkaitan dengan penyusunan sistem diandalkan dari komponen kurang bisa diandalkan dengan cara yang mengarah pada hasil yang diprediksi. Namun, insentif yang lebih besar diperlukan untuk merangsang perkembangan infrastruktur kuat banyak lagi. Produk. Pemerintah dan seluruh infrastruktur publik adalah amat sangat tergantung pada perkembangan teknologi komersial untuk keandalan infrastruktur. Sangat tergantung pada sistem komputer. Pemerintah harus mendorong pengembang untuk menyediakan keamanan yang lebih baik sebagai bagian dari lini produk normal mereka, dan untuk mengatasi keamanan dan keandalan yang lebih konsisten. Sistem operasi, jaringan, dan kebijakan kriptografi semua berperan.
( International Conference on Aviation Safety and Security in the 21st Century, 13-15 January 1997; White House Commission on Safety and Security, and George Washington University )
Peter G. Neumann Principal Scientist, Computer Science Laboratory, SRI International, Menlo Park CA 94025-3493 Telephone 1-415-859-2375, valid until March 1998 (1-650-859-2375 after 1 Aug 1997) E-mail Neumann@CSL.SRI.com ; WorldWideWeb http://www.csl.sri.com/neumann.html
Langganan:
Posting Komentar (Atom)
Tidak ada komentar:
Posting Komentar