Recent events, claims of hacking and an April, 2015 GAO report have highlighted the potential risks of an aircraft to cyberattacks. In response to those warnings the FAA convened a “private meeting” to address the security of these systems. Obviously the sensitivity of this issue is the reason for this non-public review (the group may be empowered by a federal advisory charter). What remains to be seen is the technical scope of their work.
The group is being headed by Jens Hennig, the Vice President of Operations for the General Aviation Manufacturers, demonstrating the breadth of this group’s “charter.” With a degree in Aerospace Engineering, he is a highly regarded expert on the FAA certification standards. The GAO report on this issue recommended that someone from the FAA’s Aviation Safety organization should co-chair such a panel, but The Wall Street Journal article did not mention either the specific federal participation or the terms of the charter.
The group includes experts from aircraft manufacturing, pilot and others involved in the systems on board aircraft. Their immediate agenda is to “identify the seven or eight most important risk areas” and then try to develop immediate solutions. “The industry needs a set of graduated requirements,” he said in an interview, “based on the types of software and various aircraft models.”
The FAA in 2008 issued a Handbook for Networked Local Area Networks in Aircraft, but that report, sponsored by the FAA Air Traffic Organization, is clearly outdated. Computer, wireless and cybersecurity (and the ability to break through firewalls) have grown dramatically in the intervening seven years. The inclusion of onboard WiFi systems, the use of wireless systems to control (instead of hard wiring) and monitor almost every aspect of flight makes this exercise even more complex.
The FAA has been involved recently in both assuring that electro mechanic interference does not degrade safety and its study of / decision about the use of Personal Electronic Devices should provide good bases for this cybersecurity study. However, the existence of the PEDs on aircraft clearly complicates this process. Is it within the purview of Mr. Hennig’s group to recommend any changes to the PED and/or EMI policies?
Balancing security against the extremely strong demand for individual use of laptops and smart phones will be politically very dicey, witness the strength of Congressional and popular opinion on the unlimited permission to carry these devices on board. Hopefully technical and security considerations will prevail.
Cybersecurity is not a static discipline. The future paths pose many as-of-yet to be created technologies which also may allow threats:
- the functionality of the PEDs continues to add features,
- the availability and strength of aircraft connectivity for passengers to the internet increases,
- manufacturers add onboard communications of the planes’ system status,
- the links between aircraft and the NextGen air traffic systems are made stronger.
Airplanes’ susceptibility to hacking will continue to be challenged. The point is that Mr. Hennig’s group may have to continue or set a permanent organization to assume their task of protecting aircraft from hackers.
It is good, no actually quite comforting, that Mr. Hennig and team are addressing the threat of cybersecurity to aircraft. It is also appreciated that this exercise appears to be conducted in private. Hopefully the team will have
- full rein to survey the threats,
- to assure that all relevant policies (EMI, OED, etc.) are adjusted appropriately to reduce the threat,
- that the permanent certification standards include their recommendations and
- that some permanent group is established to continue to design defenses to cyberattacks.
We trust that this group can and will do their difficult tasks without interference.