Aviation Cybersecurity Vulnerability
One attribute or value which most Americans hold dear is the openness of our society—the ease with which we move about our nation, the flowing of our commerce within our borders and beyond, and the transparency of our government, to name a few. That strength is also an open window through which terrorists can gain access to so much information which they can use to harm this country so despised by our enemies.
Aviation Cybersecurity appears to be one area of vulnerability. Airplanes communicate with the ATC system, with other aircraft, with their on board control systems, with their companies, with their passengers and even with the manufacturers of their major systems. Each of those links provides a potential portal for malevolent persons to attack our aviation system.
Below are two FAA documents—one asking for industry, through an ARC, help to defend against bad actors and one involving experts to establish certification standards to protect future aircraft from such attacks. Also, there is a link to a trade press review of the threat.
The Nextgov article recites the past claims of hackability, risks and alleged incidents. The author explains that the study will begin by identifying the gaps in the system’s walls of security and then try to design fixes thereto. Those results will become part of a safety risk assessment (vulnerability assessment, threat analysis, “asset valuation” and an overall risk) and from the conclusions begin to define/design “FAA’s eventual development of aviation policies, regulation and training requirements to ensure the resilience of aircraft network systems from cyberattack.”
That sounds like a sound engineering design on how to develop the security of all of the systems. It appears that the end product, however, will be published in the Federal Register and thus, under our rule of transparency, likely available to those intending to harm us.
Maybe one of the lessons of the battle between the FBI and Apple over unlocking an iPhone’s security is that the abilities of the private sector to deny access may be adequate without government supervision? In any event, the FAA must be wary of the double-edged sword of being an open society.