Fault Injection Podcast .003: Top Gun

Fault Injection Podcast .003: Aerospace Software Security

Fault Injection is a podcast from Synopsys that digs into software quality and security issues. This week, hosts Robert Vamosi, CISSP and Security Strategist at Synopsys, and Chris Clark, Principal Security Engineer at Synopsys, go into detail about a new report produced with VDC Research entitled “Skyrocketing Costs of Aerospace & Defense Systems Failure Fuel Security-Focused Design Practices.”

You can always join the discussion by sending us an email at faultinjection@synopsys.com.

Fault Injection, Episode .003: “Top Gun”

Robert Vamosi: I’m Robert Vamosi, CISSP and Security Strategist at Synopsys.

Chris Clark: Hello again. I’m Chris Clark, Principal Security Engineer at Synopsys.

Robert: Welcome to Fault Injection. Today we’re going to be talking about military and government software security, in particular. We are doing so on the occasion of a new report that’s coming out from Synopsys and VDC Research, where we look into the aerospace and defense industries in particular, in terms of how they handle software security.

Before we do that, we’ll talk a little bit more generally about what types of uses for software we are really talking about today.

Chris: There’s a wide range of different components when we talk about the aerospace industry. It’s not just embedded devices. We are looking at very complex systems of systems, as well as those small sub-components that make up different pieces and parts of our aerospace and defense.

When we talk about aircraft, it’s not just anything that’s in the aircraft. We have traffic control systems, guidance systems, and everything else that goes along with that product, so it’s very wide ranging.

Robert: To some degree, it’s similar to industrial control systems, where you’ve got a lot of remote sensors out in the field that you’re relying upon for instrumentation feedback.

Chris: And protection of life.

Robert: And protection of life. Safety and the human element is very strong here. You want to make sure that the software, that’s going into these devices that are going into the aircraft, functions properly. Failure here could result in loss of life.

Chris: There are a lot of misconceptions about this. It is an expensive process to test as thoroughly as we would need to, due to the criticality of these systems. But that doesn’t always mean that it is only destined for aerospace deployment.

We may very well see these systems trickle down into more consumer level type devices. There’s a lot of development that takes place that is far reaching and long reaching. There are specific implications, both from a safety and a security standpoint.

Robert: Certainly anything military aerospace is going to trickle into civilian aerospace at some point in time. Some of the statistics that are in the report were very interesting because it drilled down specifically on aerospace and defense.

That’s a sub-sector that doesn’t get a lot of attention. But we felt there was a need for it. One of the things was the importance of security in current projects.

Chris: We should probably clarify, when we talk about security, we’re talking about software development security. We’re not necessarily talking about infrastructure protection, even though that is a component of it.

Robert: One of the statistics that stood out in my mind was the fact that 16 percent viewed security as a critical element of what they do, as compared with the average in the software industry of 13 percent.

Chris: Which is pretty telling. That really gives you an idea that all organizations view security as important. But there are still those components that are underlying that are ignored.

Robert: Important is one of the sub-categories here. We called out the critical. That stood out, that in aerospace and defense, you saw 16 percent feeling that it was part of their job to be on top of the security element.

Chris: Was the number higher for aerospace industry compared to normal industry?

Robert: The biggest difference came on the other end of the spectrum. This is where the respondents said that security was not as important. In the aerospace industry, that was 24 percent, whereas, in the average, it was 16 percent.

There are a couple of factors here that come into play. You have to understand that, as you mentioned, a lot of these elements are not just in the aircraft.

It’s on land. It’s out in the field somewhere. They might view that there’s no sensitive information being captured by the sensors or the devices that are out in the field, therefore security falls to a lower rung on their priorities.

Chris: But connectivity seems to be so much more prevalent in the aerospace industry currently. When we look at aircraft and tanks, even soldiers on the battlefield, there’s a high level of connectivity. One of the old premises, or at least I thought it was an old premise, was that it’s not on the network, so it’s not important.

Does that still hold true, or are we seeing some changes in that area?

Robert: We are seeing some changes in that. There’s a term called “brownfield,” where you’re talking about older legacy technology that’s out in the field and that’s getting retrofitted.

Again, there are similarities with what’s going on in the industrial control space. You have older devices that are being retrofit with protocols that allow it to communicate, but the design may not have anticipated that.

The design may not have thought that, at some point in time, this information will be shared. Also, we don’t necessarily know if that information being captured could be used at a later date and time for other purposes. Some interesting things come when you add connectivity to any device.

Chris: That data may be ephemeral and it’s not that important at that point in time.

Robert: But later.

Chris: Rather than a later aggregation of that data. Another thing that I found important was that one of the statistics that came out was that 52 percent of non-connected devices really weren’t categorized as important. What do you make out of that?

Robert: Again, we’re not thinking of the future. We’re not anticipating the day when those devices will be connected, so not building in security, not building in the type of quality that you need at that early stage may be a problem in a few years.

Chris: We see the same thing in another space. When we talk about reasons that some devices are important, 31 percent of the devices are not sensitive, because they are embedded devices. We see that everywhere though. It’s not just the aerospace industry. We see that in others. When we talk about Target, that was a prime example.

Robert: Right. The heating and air conditioning system being compromised.

Chris: It wasn’t viewed as a critical system. We see that repeatedly, not only in retail outlets, but we see that in the medical space and automotive space as well. It’s rather challenging.

Robert: True. The report also asked if they were identifying vulnerabilities when they’re doing software development. 23 percent said that they didn’t know if they were doing any sort of testing in the development. That compares with an average of 13.

This was an eye-popping statistic that they could have so many people not know whether they were testing the quality.

Chris: What I find very interesting about that is, as you know, we released the Ponemon Report for Medical Device Manufacturers. We found a very similar trend. Many of the health care delivery organizations didn’t know or didn’t have an idea what type of testing was being performed.

It seems like we have a trend across multiple industries here.

Robert: The lack of knowledge, knowing about what’s going on. You had mentioned in the very first podcast the need for more knowledge.

Chris: Transfer of knowledge, open communications. I know, from an A&D perspective, an aerospace and defense perspective, that’s much more challenging. But that can be controlled, especially if it is a closed system.

The reality is there is no real closed system. Anything can be compromised. But if they are communicating internally and sharing that information, maybe there’s a way to trickle that down not only to aerospace and defense, but also other verticals.

Robert: The overarching theme for our early podcasts here is supply chain. Certainly, this is a case where you have the cyber supply chain playing a very important role. You have a lot of contractors who are contributing.

Being able to know what those contracted pieces contain, what the software contains that you’re inheriting from another party, is important. You had mentioned earlier in a podcast about throwing it over the fence to another team and not really communicating back and forth what’s there.

Chris: To be fair, from the aerospace and defense industry, they’ve really moved to purchasing off the shelf components. As soon as you go to that realm, that supply chain expands exponentially. We’re no longer looking at purchasing an individual chip from a manufacturer.

You’re buying a chip. You’re buying intellectual property. You’re buying all the software components that drive that chip. The number of participants in that supply chain grows very quickly and becomes very difficult to manage over time.

Robert: Also, you have a lot of regulations and standards in this space. It’s not a free-for-all.

Chris: True.

Robert: They do have to adhere. Do we find that those standards are keeping up to date with the technology changes?

Chris: That is one of the challenges we face in those industries. As you know, I work quite a bit in the automotive space. We face this very same problem.

As we’re developing standards, we are thinking not only next year but the next five to seven years, potentially 10 years, of how we are going to be able to manage the cybersecurity process over time. We’ve quickly realized it’s very difficult.

The aerospace and defense industry has an added challenge that, when a component goes into production or to release, those lifespans are very long compared to any industry. Really, probably the closest is going to be to the aerospace industry when we talk about an aircraft that’s going to be in service not for 10, but most likely 20 years, maybe even 30 years. How do we manage that? The requirements are much more stringent in that respect.

Robert: I think we’ve both flown airplanes that were over 20 years old.

Chris: At least.

[laughter]

Robert: At least.

Check out the report. It’s available on synopsys.com. It talks about the software quality and security found in the aerospace and defense industries today.

Chris: As always, we look forward to seeing you at our next podcast. We hope you have a great time. Be safe out there.