Better to be Safe than Sorry

I’m always nervous about connecting safety-critical systems to other networks. I’ve seen far too many unnecessary security exposures introduced to SCADA systems by engineers who should have known better. Fortunately SCADA systems are supervisory systems and are one layer removed from the systems that directly control industrial processes. But they still have an impact on safety, so connections have to be strictly controlled. Firewalls are a start, but software security measures are not foolproof. They are a calculated risk, as is every design decision for a safety-critical system. And unfortunately the risk profile of a software control tends to increase with time, as new vulnerabilities and attack vectors come to light.

I was therefore more than a little surprised to read that Boeing’s new 787 Dreamliner passenger jet allows a network connection between the passenger’s in-flight Internet access network and the plane’s control, navigation and communication systems. It’s hard to imagine any functional or business requirements that might justify this. No doubt the designers will have carried out all the necessary safety-critical calculations to ensure the system has adequate safeguards against failures and accidents. That’s a major challenge given the nature of software which generally requires more than the estimated lifetime of the Universe to test the full input/output space or to traverse every permutation of path. But the real risks are from deliberate security threats, which don’t fit the neat safety calculations used by engineers. A qualitative assessment is needed, and that’s a leap of faith against the background of a changing threat landscape.

I was once asked by a safety authority to design a security control that would guarantee that a hacker would not access the system more than once every hundred years. Impossible of course, but it illustrates the challenge of designing effective safety-critical security controls. None are perfect and there’s a high degree of uncertainty, so it’s generally better to be safe rather than sorry and say no to unnecessary network connections.


Hi David, The following article about a boy in Poland hacking into a tram system is another closely related example of a transportation operational system being compromised by a hacker. Like the potential with a Dreamliner incident, this had a consequent people injury outcome. I imagine the relevant Critical National Infrastructure people are reviewing these incidents, & potential scenarios. Regards, Shane.
David, very amused about the 777 stories, it’s not the 787 we should be worried about! PG