Cybersecurity on Aircraft
At the beginning of commercial aviation, the associated risks encountered in flying were mitigated by the knowledge, training, and experience of the professional pilot. As new safety issues were discovered, sometimes through tragedy, regulators and the aviation community became more involved in overcoming these safety deficiencies through such advances as improved air traffic services, airport environment improvements, aircraft design, and increased aeronautical knowledge and training of the flight and cabin crew. The results speak for themselves as evidenced by the fact that airline travel is experiencing unprecedented safety levels.
Now more than ever, commercial airlines utilize highly advanced information technology (IT) systems to optimize their businesses. The airline IT systems of highest concern to ALPA are those that directly interact with or are components of the aircraft.
Aircraft design has also transformed significantly. Onboard networks are used to manage aircraft-operation systems including flight control and navigation systems. The aircraft systems are regularly updated with both software enhancements as well as updates to databases or other information that requires routine updates. Some onboard systems are routinely connected to communications systems for the exchange of information at various times both in-flight and on the ground.
Cybersecurity policies, procedures, and risk mitigations are increasingly needed to ensure aircraft do not become the victims of cyber-related accidents or incidents.
In order to further understand the risks associated with information security onboard aircraft, the FAA established the Aircraft System Information Security/Protection (ASISP) working group within the Aviation Rulemaking Advisory Committee (ARAC). The ARAC sent the ASISP report to the FAA in August 2016, with 30 recommendations that address rulemaking, airworthiness standards, industry consensus standards, and technical standards orders. The ASISP also identified the need to conduct ongoing research to address cybersecurity-related concerns going forward.
It has become clear that a well-coordinated strategy developed by a greater level of stakeholder involvement is needed. The strategy development should result in the use of advanced aircraft cybersecurity systems, procedures, and protocols. Aviation has a strong history of addressing risks and ensuring that they do not lead to accidents, and as a result our system is the safest it has ever been. That is due to the commitments that government and industry have made together. That same commitment must now be equally applied to cybersecurity, as highly advanced technologies continue to enter every aspect of aviation.
While most would agree that the mitigations to maintain aircraft security should address hardware and software systems, ALPA believes that focus and attention is also needed on resilience. A well-trained and qualified professional pilot is a critical element for ensuring that aircraft security and the associated mitigations can be deployed, especially if a cybersecurity threat is identified during flight. In order to maintain a strong cybersecurity posture for safety and security of flight, a comprehensive strategy that includes the roles of pilots is required.
- The FAA should enlist the assistance of other federal agencies and industry stakeholders, including ALPA, to formulate strategies that mitigate the risks of harmful cyber-related attacks on airline aircraft.
- Airline pilots should be considered one of the primary mitigation elements when developing resilience planning for events that occur in-flight. Include pilot education and training to meet normal and abnormal system conditions to maintain safety and security of flight.
- Command capabilities and functionalities for monitoring cybersecurity health and the tools needed for the mitigation of real-time cyber events should be located on the flight deck.
- Physical access to any accessible aircraft system, IT hardware, and software must be secured at all times.