The safety of pilots, passengers, aircraft and the airspace is a top priority for all parts of the aviation industry. While the industry is well-known for its commitment to safety, airlines and government authorities are still working on cultivating a similarly robust culture of cybersecurity to protect information and digital assets. However, as a recent presentation on cybersecurity at the Aerospace Industries Association by the Federal Aviation Authority indicates, this is about to change.
“The aviation industry is transitioning from old technology to new IP-based technology to create a more global and connected environment,” Mark Heck, director of cyber programs and corporate business development at Raytheon, told us. “The more connected the industry becomes, the more vulnerabilities arise and the doors to exploit them open.”
Heck, who sits on the AIA Civil Aviation Cybersecurity Committee, said that the threats are often extensive and unknown. “Take for example a new aircraft today,” he said. “It has nearly 100 million lines of code from the software inside the aircraft. We’ve done research that shows a percentage of this code is defective and, therefore, exploitable. And that’s just the aircraft. Now, consider the systems in the air traffic control booth or at the airport. Not to mention insider threats. The vulnerabilities can be extensive.”
Unlike safety issues, which are known and can be predicted and proactively addressed, cybersecurity risks are less understood. Ever-changing vulnerabilities and the sophistication of bad actors mean that threats are dynamic and unpredictable. Without a framework for prevention, remediation and response in place, industry participants often act independently when addressing risk. One of the most common approaches – the compliance checklist approach – simply isn’t effective against today’s threats, let alone future attacks.
To build security into the current safety culture of the aviation industry, government organizations, including the FAA, are looking to work with industry to collaborate on best practices. Together, they hope to raise awareness about cybersecurity and educate key stakeholders in the aviation ecosystem to develop a stronger risk-based approach to mitigating and managing cyber threats.
This risk-based approach to addressing security vulnerabilities and attacks allows for a structured methodology with a repeatable process. This process is consistent with Safety Management Systems, Safety Risk Management, and Risk-Based Decision Making, all of which are principles of the FAA strategic initiative. These principles must be applied to the entire aviation ecosystem, including aircraft, airlines, airports, airline operators and staff, as well as passengers and crew. Effective risk management requires a process that starts with flight planning and runs through every phase of operations before, during and after the landing of the aircraft.
To create a security culture that matches the safety culture of the aviation industry, industry-wide collaboration is imperative.
“Many of us in the industry have been implementing cybersecurity best practices and proven methodology in several industries,” Heck said. “It’s now time that we take that expertise and work hand-in-hand with the FAA to apply this proven risk methodology to the aviation ecosystem, as they have defined it. Together, we will help bolster the cybersecurity culture to prepare for future threats.”