CNBC reports here on suggestions from several sources on possible targets for cyber attacks. The article is divided into three major categories: services and utilities; financial services; and data integrity.
The Wall Street Journal reports here on the recent Lion Air 737 crash and the existence of an undisclosed feature of the 737 MAX that may have contributed to the crash. Aviation Week reports here on the 737 MAX maneuvering characteristics augmentation system and insufficient documentation of the feature.
I noticed this round connector as part of my AV display on a recent flight. It seems to be a DIN connector but I’m not sure that the arrangement of leads is common. It doesn’t seem to be a PS/2 connector. I have no idea why the aircraft designers thought this connector was a good use of weight on their airplane. Did anyone ever use this thing?
Chip Rebel reports here on a teardown of the Huawei Mate 20. Thanks to AnandTech for the pointer to Chip Rebel.
FireEye reports here on the TRITON framework for industrial attacks.
This photo is from a recent flight on a Delta airplane—a 777 as I recall. That sure looks like an Ethernet receptacle, doesn’t it? Was there a time when people were so obsessed with Internet connectivity that they carried Ethernet cables on board?
I must unfortunately disagree with parts of Bruce Schneier’s recent post. His subject is cyber-physical systems, although he doesn’t seem to use that term. His point of view is firmly rooted in information technology (IT). As I have said before, that approach is inadequate to create and maintain safe and secure cyber-physical and IoT systems. He characterizes computational control of physical systems as new; in fact, embedded control was an early application of computers. He also characterizes embedded devices as inexpensive; not so when car engines are operated by vector multiprocessors. And cost is not the causal factor for insecurity—we have plenty of very expensive IT systems that embody security flaws.
As one example, he praises NIST’s cybersecurity guidelines. NIST’s approach can be summarized as treating sensors and actuators as I/O devices attached to a traditional IT system. NIST and Mr. Schneier don’t take into account that these systems are real-time distributed computing systems. Security mechanisms designed for transaction-oriented IT are inadequate for timing-critical control systems.
In order to make CPS and IoT systems safe and secure, we need to consistently apply what we already know and develop new methods. CPS and IoT can no longer treat safety and security as separate concerns. Safety people need to learn more about computer security; security folks need to learn more about safety. Mr. Schneier is firmly planted on the security side. I hope that he continues to expand his knowledge base.