August 19, 2013
A demonstration at a computer hacking conference in Amsterdam in April 2013 brought aviation cybersecurity into the public eye. At the so-called “Hack in the Box” annual conference, security consultant Hugo Teso described how an Android application for a smartphone could in theory be used to remotely control an aircraft's flight path by exploiting weaknesses in the onboard aircraft communications addressing and reporting system (Acars) data link and the flight management system.
While the industry has largely dismissed as unrealistic Teso's experiment, which was conducted in a laboratory environment using publicly available software simulations of the flight management computer, it has not discounted the growing threat from intruders as aircraft and air traffic management systems become more interconnected and software grows increasingly generic. The concerns are fueling calls for global action, with experts saying information security has not kept pace with connectivity advances.
“Currently, there is no common vision, or common strategy, goals, standards, implementation models or international policies defining cybersecurity for commercial aviation,” say the authors of an American Institute of Aeronautics and Astronautics decision paper published Aug. 13. The authors present six recommendations, including building road maps for near-, mid-term and long-term actions and establishing a method of coordinating national aviation cybersecurity strategies, policies and plans.
While there may be gaps in the high-level plans, much of the groundwork for safeguarding information and communications technology in avionics and air traffic management (ATM) systems is underway.
Rockwell Collins in the past year formed a security group within its commercial systems division, leveraging experience it has gained from its government business but specifically for its civil aviation products.
Scott Zogg, senior director of engineering for commercial systems, says the group has an internal charter to make sure proper processes, procedures and training are in place for avionics development and certification efforts. In part, that means helping the product development team perform vulnerability testing. Zogg says the group has also developed a security road map that is “complementary” with its product road map to make sure the systems “stay ahead” of potential threats. He says the security team will study the architectures of the systems from early development stages through the entire life cycle, including disposal.
Zogg says data security at an interface involves knowing where data is coming from; knowing who sent it; making sure it wasn't changed (and if the system is wireless, making sure it is not overheard), and making sure that it will not cause a denial of service preventing important data from getting through. “It's no different in avionics than in any other environment, just the details are changed,” says Zogg.