The US Federal Aviation Administration is establishing a new industry working group to provide guidance on how to bolster aircraft cyber security as concerns mount over the potential for e-enabled aircraft to be hacked.
In a notice published in the Federal Register the FAA says it has tasked the Aviation Rulemaking Advisory Committee (ARAC) to provide recommendations regarding aircraft systems information security and protection (ASISP) policy, plus guidance on best practices for airplanes and rotorcraft, covering “both certification and continued airworthiness”.
Though there currently exists many industry standards addressing various security topics, including from ARINC, the International Standards Organization and others, federal regulations do not specifically define how the FAA should address cyber security vulnerabilities for aircraft operating in the US National Airspace System. Without fresh guidance to address concerns, says the FAA, vulnerabilities “may not be identified and mitigated, thus increasing exposure times to security threats”.
These threats include hackers gaining unauthorized access to aircraft systems and networks which “could result in the malicious use of networks, and loss or corruption of data (e.g., software applications, databases, and configuration files) brought about by software worms, viruses, or other malicious entities”.
Additionally, notes the FAA, a lack of cyber security regulations, policy, and guidance “could result in security related certification criteria that are not standardized and harmonized between domestic and international regulatory authorities”.
The FAA is now soliciting industry stakeholders to participate in a new, so-called ASISP Working Group, which will deliver recommendations to the ARAC. In turn, the ARAC is responsible for reviewing and approving the recommendation report for submission to the FAA.
The agency’s notice comes at a time when industry stakeholders are growing increasingly vocal about cyber security concerns. In October of last year, Boeing’s chief engineer cabin and network solutions, John Craig, warned airline bosses that they ignore these concerns at their peril.
With inflight connectivity suppliers “coming out of the woodwork” offering various different solutions and “talking about bringing operational data over Ku and Ka pipes”, an airline chief executive “has to understand the risk to their company” posed by cyber security threats, said Craig.
Pointing to the high-profile hacking incidents at US-based retail giants Home Depot and Target, Craig warned that “people are starting to look at aviation now”.
Indeed they are. For the last few years, a variety of security specialists have claimed that hacking an aircraft is an app away, and that modern aircraft with inflight connectivity are particularly susceptible. However, their demonstrations were of the virtual variety, and plagued with flaws, some industry stakeholders noted.
A recent survey of airlines by consultancy AirInsight found that less than half of respondents were familiar with their airline’s cyber security policies as they pertain to pilots’ electronic flight bags. “It is hard to imagine that among airlines fewer people [than in 2013] would be aware of their company’s cyber security policies. Even so, it should be fairly alarming that so many people involved with EFBs that can be impacted by cyber threats are not aware of policies. While it is reasonable to assume cyber security policies are created and managed by IT departments, flight operations need to be more aware of these policies,” said AirInsight in its report.
The FAA hasn’t sat on its hands on the issue of cyber threats to aircraft. The agency has published special conditions for particular make and model aircraft designs, like the e-enabled Boeing 787 and 747-8, when it became apparent that current airworthiness regulations did not contain adequate safety standards for novel features. But even though the FAA published special conditions for specific types, “an update to the current regulations should be considered”, it says, noting that international civil aviation authorities are also considering rulemaking for ASISP and that the ASISP Working Group could be used as input into harmonization of these activities.
The group will be comprised of technical experts, says the FAA. “A working group member need not be a member representative of the ARAC. The FAA would like a wide range of members to ensure all aspects of the tasks are considered in development of the recommendations.”