With a layered approach, commercial off-the-shelf (COTS) products can be used while ensuring overall product security. “To use (a COTS device) in the system, you need layers of security outside of that device to make sure what's coming from it hasn't been tampered with,” says Zogg.
Along with design, systems must be tested for vulnerabilities, and work underway in an RTCA special committee will help. “We're trying to establish how to assess the risk and when you have the right mitigation in place,” says Daniel Johnson, an engineer fellow with Honeywell Aerospace and co-chairman of RTCA Special Committee 216, aeronautical systems security. RTCA is among a large number of standards groups internationally that are addressing cybersecurity concerns. Committee 216 published its first process standard in 2010, and plans to update the document early next year with more guidance for security risk assessments.
“The assessment will look at forms of connectivity, the interconnection between systems and the “population that threatens you,” Johnson says. On the topic of connected aircraft, he says wireless and broadband satellite communications systems are a “big” concern. “We now have onboard systems that are reachable from ground systems that are not under FAA control,” says Johnson. “If you have an aircraft with a wireless system for maintenance reasons, if you don't encrypt properly, then anyone else with a Wi-Fi might be able to talk to the aircraft itself. It's an extra exposure we did not have previously.”
On the ATM side, Thales is making plans to bid on a request for proposals for a two-year security project under the Single European Sky program. The RFP, expected to be issued by year-end, will ask companies to define specific requirements, prototypes and definitions for how to test cybersecurity requirements for ATM. Those requirements today are not well defined, says Lionnel Wonneberger, Thales's strategy and marketing director for ATM activities. “Modern air traffic control concepts, including system-wide information management, connect a number of non-ATM systems,” he says. “In doing so, we may increase the risk of intrusion externally, but we may also have interference from the inside.”