NextGen aircraft cockpit avionics vulnerable to cyber attack from passenger inflight entertainment

Is this your captain speaking?

Is this your captain speaking?

A United States watchdog is warning that NextGen avionics could render the cockpit vulnerable to cyber attack.

A new report by the nation’s Government Accountability Office (GAO) reckons that because modern aircraft are increasingly connected to the Internet, this interconnectedness could allow a terrorist to hack into flight-critical avionics systems from the back of the cabin.

Read More On Cyber Attacks

“Aircraft information systems consist of avionics systems used for flight and in-flight entertainment. Historically, aircraft in flight and their avionics systems used for flight guidance and control functioned as isolated and self-contained units, which protected their avionics systems from remote attack,” it noted.

However, according to the FAA itself and several experts the GAO consulted, firewalls which should now protect flight-critical avionics systems from intrusion by passengers using in-flight entertainment could be hacked just like any other software and circumvented as they basically share the same physical wiring harness or router and use the same networking platform.

“According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors,” it warned.

“the internet must be considered a direct link between the aircraft and the outside world”

Attacks could be waged via onboard wireless broadband systems where a virus or malware embedded maliciously in the websites operating those systems could provide a terrorist with an opportunity.

It found that even a pilot’s personal smart phone and tablet could pose a risk of a system being compromised because these devices have the capability to transmit information to aircraft avionics systems.

Cyber threat is one of the key areas of concern of European pilots who believe that any new technologies or procedures must guarantee safe operations, even under the most demanding scenarios and that involving pilots in ‘reality checks’ of proposed solutions will therefore continue to be crucial. In a new publication released at the 70th Annual Conference of the International Federation of Air Line Pilots’ Associations (IFALPA) in Madrid, the European Cockpit Association (ECA) said that both the Single European Sky in Europe and NextGen in the United States will profoundly change the way flight operations are performed and will provide a much more strategic role for pilots. The possibility of a cyber-attack on airport, control tower and  aircraft shall be envisaged and appropriate counter measures  should be designed to minimise their impact. All aircraft systems  and data transfers between aircraft and ground should be protected  from hacking, data manipulation and viruses.  Separating in-flight entertainment systems from all other aircraft  systems is highly desirable. All pilots should be trained to increase  their awareness about cyber vulnerabilities and to help them  recognize a cyber-attack. Precautionary measures and contingency  procedures should be established to prevent an attack, and to  minimize its consequences. Operators should establish a mandatory  reporting system for cyber-related occurrences, and cyber security  should become an essential part or their security management  system. Cockpit-based solutions that prevent the take-over of aircraft  command by any person on board or by unlawfully interfered  ground stations shall be developed. The significant multiplier-effect  potentially arising from several aircraft being unlawfully controlled  from the ground should be fully taken into account in the overall  design of the system.    ADS-B spoofing is introducing false projections of aircraft on  radar screens. Air traffic controllers could receive inaccurate  or no information from a hacked aircraft ADS-B system which  would consequently lead to a misinterpretation of the information  displayed on their information screen. To address this threat and be  able to cross-check information, primary radar should be available  to confirm ADS-B signals.

Cyber threat is one of the key areas of concern for European pilots who believe that any new technologies or procedures must guarantee safe operations, even under the most demanding scenarios and that involving pilots in ‘reality checks’ of proposed solutions will therefore be crucial.
In a new publication released at the 70th Annual Conference of the International Federation of Air Line Pilots’ Associations (IFALPA), the European Cockpit Association (ECA) said that both the Single European Sky in Europe and NextGen in the United States will profoundly change the way flight operations are performed and will provide a much more strategic role for pilots.
“The possibility of a cyber-attack on airport, control tower and aircraft should be envisaged and appropriate counter measures should be designed to minimise their impact. All aircraft systems and data transfers between aircraft and ground should be protected from hacking, data manipulation and viruses.
Separating in-flight entertainment systems from all other aircraft systems is highly desirable. All pilots should be trained to increase their awareness about cyber vulnerabilities and to help them recognize a cyber-attack. Precautionary measures and contingency procedures should be established to prevent an attack, and to minimize its consequences. Operators should establish a mandatory reporting system for cyber-related occurrences, and cyber security should become an essential part of their security management system.
Cockpit-based solutions that prevent the take-over of aircraft command by any person on board or by unlawfully interfered ground stations shall be developed. The significant multiplier-effect potentially arising from several aircraft being unlawfully controlled from the ground should be fully taken into account in the overall design of the system.
ADS-B spoofing is introducing false projections of aircraft on radar screens. Air traffic controllers could receive inaccurate or no information from a hacked aircraft ADS-B system which would consequently lead to a misinterpretation of the information displayed on their information screen. To address this threat and be able to cross-check information, primary radar should be available to confirm ADS-B signals.” Read: Europe’s pilots set out Single Sky priorities

More worryingly, the rules governing the FAA’s aircraft-airworthiness certification do not currently include safeguards to protect against cyber security. The FAA does however issue rules with limited scope, called Special Conditions, to aircraft manufacturers where  interconnectivity could present cyber security risks.

The GAO said that the aviation agency views these conditions as an integral part of the certification process, with which to address the risks associated with the increased connectivity among aircraft cockpit and cabin systems such as the Boeing 787 and Airbus A350.

FAA officials told the GAO that it would support bringing together all the research supporting cyber security-related Special Conditions to support new rules which would offer more certainty for it as a certification organisation.

Another principal cyber security challenge is protecting air traffic control information systems.

A January report by the Government Accountability Office watchdog noted that even though the aviation agency has taken steps to protect its ATC systems from cyber-based threats, significant security-control weaknesses still threaten the safe and uninterrupted operation of the national airspace system.

While the FAA has agreed to address these weaknesses, the GAO found that, nevertheless, the FAA will continue to be challenged in protecting ATC systems because it has yet to  develop a cyber security threat model.

One solution would be to conduct modeling to identify potential threats to information systems, and as a basis for aligning cyber security efforts and limited resources.

“While the FAA has taken some steps toward developing such a model, it has no plans to produce one and has not assessed the funding or time that would be needed to do so.”

Without such a model, the watchdog said it feared that the FAA may not be allocating resources properly to guard against the most significant cyber security threats.

Read: Moving Targets James Careless assesses the huge challenge of developing a cyber security strategy for European air traffic management

Posted in Avionics, News, NextGen, Safety, Security, SESAR Tagged with: , ,

Comments are closed.