Aviation policy specialist Bart Elias recently released an article that explores yet another frontier in the realm of cybersecurity: civil aviation.
Only weeks after the FBI and TSA notified airlines to be on alert for passengers who could be hacking into aircraft electronics, there were reports that a computer security researcher had managed to break into aircraft control systems while aboard a commercial jet. Regardless of the ramifications of these reports, the incident undoubtedly sheds new light on cyber security vulnerabilities within the aviation sector.
Elias discusses the many potentially-susceptible systems within an aircraft and evaluates what can be done to maintain security within these systems. One of the most recent technological system advancements in aviation is called NextGen, which allows for greatly increased interconnectivity within the aviation world by using satellite-based aircraft navigation, tracking, digital voice, etc. The main component of the technology, however, has been criticized for being inherently vulnerable to hacking and other breaches. While the Federal Aviation Administration disagrees, the Government Accountability Office (GAO), stated that “FAA’s current approach to cybersecurity does not adequately address the interdependencies between aircraft and air traffic systems.”
Many of the current approaches to aviation cybersecurity rely upon software assurance methods, which seek to “minimize the likelihood and impact of coding errors and omissions that may cause unintended faults or expose systems to hackers.” While these programs are being utilized more and more frequently by aircraft and software manufacturers, they are still in the evolution process.
Additionally, federal laws and regulations leverage some authority, but it is often left to industry working groups to control standards and uphold guidelines for air carriers. As a result, there has been increased discussion concerning whether or not a “federal strategy” with a “more comprehensive framework” should be implemented to deal with the many risks. It is a key question that Elias believes Congress will soon be faced with, specifically, whether or not the FAA should implement “a comprehensive, system-wide policy encompassing systems certification, life-cycle product support requirements, and operational regulations to address the complex cybersecurity needs that will arise under NextGen.”