Most airlines lack EFB cyber-security plan: report

Rotation

Most airlines do not have a cyber-security plan for the tablet-based electronic flight bags (EFBs) used by their pilots, a groundbreaking new report suggests.

The folks at AirInsight have conducted a survey of airlines and found that 57% of respondents are operating without such a plan, leaving them wide open to potential cyber attacks.

“Among those that do [have a cyber-security plan], in about half (52%) the cases, this is a part of a larger data security plan. Cyber-security is mostly handled by IT (64%) and flight operations (28%),” says AirInsight, which goes on to divulge how EFB security is specifically handled at airlines.

Significantly, more than two-thirds (69%) of airlines have no EFB anti-virus software and 81% do not use a third party project manager or integrator. “This means dependency on internal resources,” notes AirInsight, adding, “It would seem these data points draw attention to a possible weak link. IT is not as involved in the EFB process as it could be. Expecting sufficient attention from IT at a large airline may be wishful thinking.”

In a forward to the AirInsight study, IATA director, flight operations Jens Bjarnason 
notes that attention to cyber-security has lagged behind the introduction of new technologies, “but has recently become an increasingly debated topic of conversation in civil aviation”.

For instance, he says, “Customer facing web-portals, such as online booking systems, present a persistent target of attack, but disruption to these systems results in a relatively small operational impact. Conversely, while those systems which directly support airline and flight operations are less exposed to cyber risk, they are nonetheless susceptible and their disruption is likely to cause a far greater operational impact.

“Flight data availability and integrity are critical for the safety and security of the aircraft. Given the portable nature of EFB and its ability to connect with public networks, protection of EFB systems a key concerns for airlines today. Airlines will need to identify and understand the risks and threats to their systems, implement organizational structures and processes to manage those risks and ensure that robust protective measures and procedures are implemented and adhered to.”

It’s clear that cyber-security is a growing concern, and should be – as Bjarnason suggests – “at the top of every airline, manufacturer and system providers’ agenda”.

The AirInsight study comes at a time when Runway Girl Network is taking a closer look at the use by pilots of inflight Wi-Fi in the cockpit. Most airlines prohibit pilots from accessing Wi-Fi for their own personal use (such as to check email or to access social media), and indeed pilots can be fired immediately for such activities. But enforcing these rules is another thing altogether.

I reached out to the Air Line Pilots Association to learn if the union is studying pilots’ use of their own personal electronic devices (PEDs) in the cockpit. An ALPA spokesman said, “I don’t think we have any statement about that. Most of our focus is involved around safety issues, and that sounds like more airline specific, so [it’s worth] speaking to the airlines themselves. If it’s not something that’s going to effect safety or the quality of the workplace or quality of flight for passenger, it’s not something we’ve got a statement on at this moment; in the future we may have.”

In 2012 AirInsight noted interest among numerous airlines to exploit passenger cabin Wi-Fi connectivity for EFBs. “In 2013 74% of respondents said they would not exploit shared Wi-Fi. But that means more than a quarter plan to do so,” says the company. But as highlighted in a previous article on Runway Girl Network, some carriers are also eager to install totally separate connectivity systems – for cabin and crew – to alleviate cyber-security concerns.

2 Comments

  1. Erica

    Us white knuckle fliers wonder if we can get aircraft listed under “humanitarian targets” in the new rule book.

    “We should define acceptable targets, and we could even place limits on cyber weapons, just as we did on chemical ones nearly a century ago.”

    “If we can set the parameters of basic human decency in time of cyberwar, then maybe we can ban aspects of such warfare altogether. ”
    http://spectrum.ieee.org/telecom/security/its-time-to-write-the-rules-of-cyberwar

  2. Pingback: Credit Card Fraud Can Happen When You’re in the Sky, Too