The FAA, ADS-B, and the ISO Folly

There’s a quick little blurb over on AIN Online about the “disagreement” between the FAA and “hackers”. Well, specifically a hacker, RenderMan, who gave a talk at Defcon 20 on potential vulnerabilities in the ADS-B air traffic system. More on this at NPR. Check out the slides from the presentation at RenderLab. Anyway, after reading this I was reminded of a major peeve of mine when it comes to projects, project management, and getting to the point.

RTFA: “The system has received the FAA information security certification and accreditation.”

Because, uh, sure, nothing that has a certification has ever failed. Nothing like signing a piece of paper to make something perfect. It’s kind of like any ID with a hologram must be real.

TFA is just MBA speak (I recognize that stuff cuz I r one) for “we had procedures and plans and followed them”. It’s the ISO folly, the idea that if you have “quality policy, plans, and procedures” you will turn out quality product. These .gov procedures are just like the .com ISO procedures. GIGO. If your security plan says “we will think about it” and somepony says “hey, I thought about it”, and somepony else signs a document that says “somepony thought about it”, you’ve met your plan. It doesn’t mean “since our organization is immune to Gödel’s theorem and we are omniscient and inerrant, we have considered every possible means of attack and have created a totally secure system that will never fail.”

ISO

Yeah. What.The.Fuck.Ever. This folly is a bane across the board. Ok, some disclosure. I’ve written ISO procedures. I like them. Some of my favorite product development procedures come from NASA. Excellent stuff there. And yes, I’m beating up on ISO because they are the poster child of this. So what? Big deal.

Policies and procedures are just tools. And like any tool, they can be wonderful; amazing time and pain savers. If used carelessly they can just totally fuck everything up. Cluster fuck level. And not in the phun way when you take a couple of special friends out for dinner and drinks, and uh, what ever that leads to. Not that I would ever do anything like that. Did you know the contrast of blondes and brunettes together is very nice? Anyway, I digress… No, I mean “cluster fuck” in the most horrible way because it leads the management team to think they’re doing it right. “We have a quality management policy, we must be quality!”. Yeah, again WTFE. Poorly done quality management systems are often in place because management is in love with the idea of having a QMS, not because they want to make the best product.

Check this out. The FAA got their ISO registration in 2006. Nice to know that they’ve got so many years of experience doing this. (Note: I am most emphatically not saying “the FAA sucks”. I’m saying that just having policies and procedures doesn’t mean that you don’t suck.)

Anypony who has been involved with the creation of ISO policies and procedures knows that it all boils down to documenting, saying what you’re going to do, and doing what you say. A poorly conceived, written, or executed quality management system is worse than pointless, it’s wasteful because it creates a bunch of busy busy work that doesn’t add to the bottom line of creating a good product…pay no attention to Rarity’s, um, position…pic is about the plot, meant to illustrate the paperwork cluster fuck of a bad quality management system…

Too Much Paperwork!

I’ve been there and done that. Worked some for one of those companies that had no clue how procedures should be written, and viewed the whole ISO registration as a trophy to get business, not a tool to make the business better. A lot of wasted motion with books and paperwork. I bet that sort of thing never happens in government…

Back to ADS-B and TFA:

“A spokeswoman for key ADS-B contractor ITT Exelis explained, “The system has received the FAA information security certification and accreditation. The accreditation recognizes that the system has substantial information security features built in, including features to protect against…spoofing attacks. [This] is provided through multiple means of independent validation that a target is where it is reported to be.””

Multiple independent means of target validation. Sounds good, but to me at least, this means one of two things:

A) If, let’s say, one ADS-B reception stream is right and a plane is there, but the other “means of independent validation” don’t confirm it, then the ATC won’t see that plane. Sucks to be them.

or

B) Since A sounds bad, let’s say that when we get a single source of data on the plane, we assume the plane is there until the other means prove it’s not. Yeah, that’s when the country goes on alert and jet fighters are scrambled to protect the White House from a phantom plane. But hey, after some delta-T, our system said the plane wasn’t really there (you know, after we independently validated it by the pilot’s Mk1 eyebones). Excellent scenario! All that jet fuel and panic presents no economic burden to the system. Win! Or not.
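To make the A-versus-B trade-off concrete, here is a toy track correlator (an added example, not code from the post, the FAA, or ITT Exelis). The source names `adsb` and `independent`, the targets, the positions and the position tolerance are all constructed stand-ins; nothing about the real ADS-B validation logic is claimed. It runs the same four reports through both policies: A shows a target only when every source agrees, B shows a single-source target until another source contradicts it.

```python
"""Toy track correlator for the two validation policies described above.

Constructed example: 'adsb' and 'independent' are stand-in source names,
the targets and positions are made up, and the tolerance is arbitrary.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


@dataclass(frozen=True)
class Report:
    source: str            # which surveillance source produced the report
    target: str            # reported aircraft identifier
    position: tuple        # (lat, lon) in degrees, constructed values


class Policy(Enum):
    REQUIRE_ALL = "A"      # show a target only when every source agrees
    ACCEPT_ANY = "B"       # show a single-source target until another source contradicts it


SOURCES = ("adsb", "independent")   # assumed stand-ins for the "independent means of validation"

# Constructed sample traffic picture.
SAMPLE_REPORTS = (
    # REAL1: both sources agree -> corroborated under either policy
    Report("adsb", "REAL1", (40.000, -75.000)),
    Report("independent", "REAL1", (40.010, -75.005)),
    # REAL2: genuine aircraft the independent source missed -> policy A drops it
    Report("adsb", "REAL2", (41.000, -74.000)),
    # GHOST: single-source report with nothing to contradict it -> policy B shows it
    Report("adsb", "GHOST", (38.900, -77.040)),
    # MISMATCH: both sources report it but far apart -> contradicted, dropped by both
    Report("adsb", "MISMATCH", (39.000, -76.000)),
    Report("independent", "MISMATCH", (42.000, -70.000)),
)


def _consistent(positions, tolerance_deg):
    """True when every pair of reported positions lies within the tolerance box."""
    return all(
        abs(p[0] - q[0]) <= tolerance_deg and abs(p[1] - q[1]) <= tolerance_deg
        for p, q in combinations(positions, 2)
    )


def correlate(reports, policy, sources=SOURCES, tolerance_deg=0.05):
    """Return {target: status} for the targets the policy would display.

    status is "confirmed" when all sources agree and "unverified" when only
    some sources report it (policy B only). Contradicted targets are never shown.
    """
    by_target = {}
    for r in reports:
        by_target.setdefault(r.target, {})[r.source] = r.position

    displayed = {}
    for target, obs in by_target.items():
        if not _consistent(list(obs.values()), tolerance_deg):
            continue                              # sources disagree: hidden under either policy
        if set(obs) == set(sources):
            displayed[target] = "confirmed"       # every independent means agrees
        elif policy is Policy.ACCEPT_ANY:
            displayed[target] = "unverified"      # shown on one source, pending contradiction
        # Policy A: single-source targets are simply absent from the display
    return displayed


def scenario_a():
    return correlate(SAMPLE_REPORTS, Policy.REQUIRE_ALL)


def scenario_b():
    return correlate(SAMPLE_REPORTS, Policy.ACCEPT_ANY)


if __name__ == "__main__":
    print("Policy A (require all):", scenario_a())
    print("Policy B (accept any):  ", scenario_b())
```

The instructive part is that `REAL2` and `GHOST` look identical to the correlator: one source, nothing to check against. Policy A hides both, so the genuine aircraft vanishes from the display; policy B shows both, so the phantom gets the same “unverified” status as the real plane until something else contradicts it. Multiple independent means only help where the means actually overlap.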

I know, yet again I’m blah blah blahing about two things. Well, the world is complicated, try to keep up.

The points. First, just because you have procedures and follow them doesn’t mean you considered everything and created a flawless product. Second, if somepony steps up and says “hey, isn’t this a flaw in your product?” maybe you should actually explain why that isn’t a flaw, instead of falling back on “If you don’t eat yer meat, you can’t have any pudding. How can you have any pudding if you don’t eat yer meat?”

“We have policies and procedures to address security issues. How can we have security issues if we have policies and procedures to address them?”
