May 22, 2020 | International, C4ISR, Security
Opinion: Aviation’s Cybersecurity Imperative
Remzi Seker May 22, 2020 With the expansion across the aviation industry of connectivity and computing services, cybersecurity has become ever more important. Connecting people, processes and assets creates new vulnerabilities and multiple attack points—from flight-critical avionics to passenger inflight entertainment networks and airline backend operations. Information about systems, protocols and technologies such as software-defined radio are now readily available well beyond the industry. Demand for greater efficiency meanwhile continues to increase connectivity and accelerate computerization within aviation infrastructure, including aircraft. Fortunately, ongoing efforts to protect aircraft, airlines and passengers from cybersecurity threats have been largely unaffected by the global pandemic, suggesting an opportunity for the industry to ramp up cybersafety programs and training amid the current slowdown. The comprehensive, coordinated nature of aviation cybersecurity initiatives means committees have long carried out their work primarily through virtual meetings, so those efforts are able to continue in full swing. With slowdowns taking place in other areas, the industry can address cybersafety at a more rapid pace. The aviation industry and its stakeholders have been working hard to tackle cybersecurity challenges comprehensively—from the supply chain and the maintenance of aircraft to operations. Such efforts remain essential so that cyberthreats affecting safety can be mitigated before they materialize, whether that happens during flight through physical access to a bus, by interfering with equipment through Wi-Fi or remotely disrupting operations. The need to weigh cyberthreats according to their safety impact, a practice referred to as “cybersafety,” requires a different perspective than that of IT cybersecurity. Cybersafety differs from traditional IT cybersecurity because of the need for safety certification, which relies on guaranteeing a system's behavior, or “determinism.” This unique characteristic of aviation cybersafety means that solutions widely used across traditional computing systems may pose serious certification challenges. Imagine rolling out security patches for every avionics component on a commercial aircraft. Tackling cybersafety challenges requires a coordinated, comprehensive, global effort. Multiple agencies are cooperating to establish much-needed standards. For example, the U.S. FAA and the European Union Aviation Safety Agency have been working with the RTCA and the European Organization for Civil Aviation Equipment to set harmonized cybersecurity standards. Efforts to secure the aviation ecosystem also include dedicated committees such as the FAA's Aviation Rulemaking Advisory Committee Aircraft System Information Security/Protection working group. Similarly, the Aerospace Industries Association has established the Civil Aviation Cybersecurity Subcommittee. In the U.S., the Aviation Cyber Initiative (ACI) is led by the Defense Department, Department of Homeland Security and FAA. The ACI includes experts representing government, defense, industry and academia who collaborate to tackle aviation cybersecurity threats. The Aviation Information Sharing and Analysis Center shares global threat intelligence among aviation companies. Globally, the International Civil Aviation Organization (ICAO) leads this work. Its Trust Framework Study Group (TFSG) includes experts from the FAA, EASA, commercial industry and academia and has established three important working groups. Academic institutions play a critical role in advancing cybersecurity research and training, too. Embry-Riddle Aeronautical University, for example, develops engineering solutions and provides degree, certification and training programs in aviation cybsersecurity. Faculty researchers contribute expertise to cyberdefense and preparedness efforts by serving on national and international committees and working groups and by organizing the annual Aero-Cybersecurity Symposium. Aviation's impeccable safety culture positions it well to combat and defeat cybersafety risks. In the years ahead, the industry will need to invest in expanded education and training as well as research to secure high-assurance systems that can be updated with minimal impact on certification. Computerization and Cyberphysical Systems As computing becomes ever more affordable, functions that were traditionally implemented through hardware are now being realized through software, and inclusion of software has supported increased customization. Cyberphysical systems are designed to perform a set of functions with limited impact on the physical environment, such as temperature control, welding and parts assembly. One feature of cyberphysical systems is a failsafe property that involves shutting down—an approach that is clearly not desirable midflight. Connectivity Inexpensive and ubiquitously available computing, combined with advancements in networking, have accelerated the networking of devices. The Internet of Things concept does not require any form of certification or service-quality assurance, let alone any safety requirement or oversight. Rather than leveraging the Internet of Things, the aviation industry might consider using “networked wings” to underscore its safety commitment. Remzi Seker is the associate provost for research at Embry-Riddle Aeronautical University. The views expressed are not necessarily those of Aviation Week. https://aviationweek.com/air-transport/safety-ops-regulation/opinion-aviations-cybersecurity-imperative