Over the last five years, central aviation authorities and aviation industry experts have been warning of the danger of cyber-attacks on airliners and other aircraft with wireless, next generation communications systems.
While industry has stepped forward to meet the challenge, industry officials have been unsure of what they must do under recent cybersecurity guidance issued by the Federal Aviation Administration (FAA) and the European Aviation Safety Agency (EASA).
Such guidance comes at a pivotal time for aviation cybersecurity. Last May, a tri-agency Aviation Cyber Initiative (ACI) began as an effort by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense, and the Department of Transportation to reduce cybersecurity risks and improve cyber resilience. Yet, Avionics International has learned that CISA decided in March to end its cyber vulnerability testing of a Boeing 757-200 that the agency bought in 2016 and had conducted limited testing on at the FAA William J. Hughes Technical Center in Atlantic City, N.J., before pausing such testing in June 2018. CISA told Avionics that it is continuing “broader resilience efforts” with industry partners, but it remains uncertain whether CISA will conduct future cybersecurity testing on operational aircraft.
The Pacific Northwest National Laboratory, which had been involved with cyber vulnerability testing of the FAA 757-200’s Wi-Fi and In-Flight Entertainment systems, said in a January 10, 2018 briefing that it is a “matter of time before a cyber security breach on an airline occurs.”
Avionics experts have said that aircraft Global Positioning System (GPS) capabilities are the most prone to successful attacks.
In written responses provided to questions by Avionics, the FAA and EASA tried to clarify their agencies’ current and upcoming avionics mandates to provide aircraft with the resilience needed to withstand cyber attacks.
“The FAA published two Special Conditions (SCs) for transport aircraft systems and information security protection (ASISP) since the first e-enabled aircraft, the Boeing 787, in 2005,” according to the FAA. “A SC is issued for an individual model aircraft when the existing regulations do not contain adequate or appropriate safety standards for an aircraft, aircraft engine, or propeller because of novel or unusual design features. In March 2014, the FAA issued a Policy Statement (PS-AIR-21.16-02), which describes the SCs and when they should be applied. The FAA updated the PS with revision 2 in February 2017. This is the FAA’s key policy to address the safety concerns associated with e-enabled aircraft and their avionics system equipment.”
In terms of future mandates, the FAA said that “in addition to the SCs and ASISP policy memo, there is a transport airplane (Title 14, Code of Federal Regulation, Part 25) rulemaking planned that will codify the two SCs.”
“Also, the FAA is developing an advisory circular that would describe a means of compliance to the codified SCs and would replace issue papers used today,” according to the FAA. “Codifying the two SCs will allow manufacturers to design their products in a manner that builds compliance into their design from the start, instead of when they submit their design for certification.”
The FAA certification requires avionics manufacturers to address and comply with the two SCs, when imposed, for new transport airplane designs and in-service airplanes installing new avionics equipment.
Over the last year, a number of civil aviation regulatory policy updates and industry standards have established new requirements for addressing cybersecurity within connected avionics systems.
The FAA said that it recently worked with RTCA Special Committee (SC-216), EUROCAE (WG-72), and other certification authorities to establish three industry standards to address ASISP: DO-326A, dealing with airworthiness security requirements; DO-356A, describing the DO-326A airworthiness security process; and DO-355, delineating required performance tasks to counter information security threats related to aircraft operation and maintenance.
For its part, EASA said that its cybersecurity regulatory and policy efforts are Rulemaking Task RMT.0648 and Rulemaking Task RMT.0720.
For RMT.0648, “a Notice of Proposed Amendment (NPA 2019-01) was published in February 2019, and a final decision is expected to be published before summer 2020,” EASA said. “This task is focused on product certification and its objective is to ensure a robust product design to avoid cybersecurity risks. This task will result in the transfer of certain Special Conditions to the applicable certification specifications, and it has been performed in coordination with the FAA.”
For RMT.0720, “a Notice of Proposed Amendment (NPA 2019-07) was published in May 2019 and a final Opinion to the European Commission is expected to be issued by EASA after summer 2020,” according to EASA. “Afterwards, it still has to follow the applicable adoption process at the European Commission. This task focuses on introducing organizational requirements for the management of information security risks, and will affect organizations in all aviation domains (manufacturers, airlines, aerodromes, air navigation and air traffic service providers, maintenance organizations, training organizations, etc.). In particular, it will introduce requirements for an Information Security Management System and reporting of information security incidents.”
During the initial airworthiness evaluation of a new or a modified aircraft, EASA requires the design organization approval holder (DOAH) “to perform a cybersecurity risk assessment on the connected systems and if necessary to mitigate the risk and to implement instructions for the operators to maintain the mitigation’s effectiveness.” The standards to meet the cybersecurity risk assessment are included in standards EUROCAE ED-202A, EUROCAE ED-203A and EUROCAE ED-204, and their respective RTCA standards in the United States.
When developing and introducing new connected aircraft technology, avionics companies should rely on the DOAH, which installs the equipment or systems provided by the avionics suppliers, EASA said.
“The avionics supplier can nevertheless prepare the security risk assessment to be conducted by the DOAH by allocating a ‘to-be-demonstrated’ Security Assurance Level to its systems and equipment,” according to EASA. “The DOAH will need to verify that the assurance provided by the supplier is commensurate with the way the system will be installed, connected and operated.”
Larry Stefonic, the CEO of wolfSSL, said that all new avionics systems being delivered should have secure boot capability and a secure update method for new firmware deliveries, which usually means a service technician using the Secure Shell (SSH) cryptographic network protocol, and that high-value target systems such as engine controllers, navigation systems, and fly-by-wire systems should be retrofitted with secure boot and secure firmware updates.
“Once you get the above done, you start thinking about securing communications between systems,” Stefonic said. “Most people are thinking about using Datagram Transport Layer Security (DTLS) to solve this issue.”
Stefonic said that these steps “will plug a lot of the obvious holes.”
“We are seeing the airframe manufacturers and airlines begin to demand cybersecurity from their avionics suppliers,” he said. “It is too risky to leave holes in cybersecurity, and the tools and standards are readily available so it makes sense for avionics companies to get ahead of the curve.”
Stefonic said that “the big challenge for everyone is getting security software code, in our case cryptography and secure boot tools, brought in line with DO-178 and subsequently implemented within avionics.”
Despite the recent cybersecurity guidance from the FAA and EASA, industry questions remain.
“There is a set of high-level specifications for airborne security, including DO-326A, DO-355, and DO-356,” Richard Jaenicke, the director of marketing for safety and security-critical products at Green Hills Software, wrote in an email to Avionics. “Those specifications contain security objectives at the system and aircraft level. DO-326A does not specify how to implement the required security objectives but only provides guidance on the process to identify threat vectors and to make sure adequate mitigation measures are in place. Processes in DO-326A parallel DO-178C, such as requiring a plan for security aspects of certification (PSecAC) similar to the plan for software aspects of certification (PSAC).”
“Software products that are certified to Common Criteria at EAL5 [Evaluation Assurance Level 5] or higher have a head start on meeting DO-326A because there is a significant overlap in the processes and the rigor of the evaluation,” he said. “For operating systems in particular, the SKPP [Separation Kernel Protection Profile] has much more stringent security requirements and testing than is required for DO-326A.”
The generic Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408), which allows suppliers to define their own security requirements for the Common Criteria evaluations, is the international standard for computer hardware and software security assurance, and the EALs vary from EAL1 to the most rigorous level, EAL7.
“A Common Criteria evaluation has much more value when it is done against a government-defined protection profile,” according to Jaenicke. “In the U.S., the National Information Assurance Partnership (NIAP) defines protection profiles and manages the Common Criteria Evaluation and Validation Scheme (CCEVS) validation body. When the evaluation is at EAL5 or higher, the NSA [National Security Agency] participates in the evaluation.”
“It is important to note that the level of security does not come directly from the evaluation assurance level but from the security requirements in the protection profile,” Jaenicke said. “It is only when a high EAL is achieved with a very demanding protection profile that the highest assurance is achieved.”
Jaenicke said that Green Hills Software’s INTEGRITY®-178 real-time operating system (RTOS) is “the only operating system certified to the SKPP and the only OS certified at EAL6 or higher.”
“The only other certified RTOS is at EAL3, and that did not use a government-defined protection profile,” he said. “EAL3 is a fairly low bar as several enterprise OSes are certified to EAL4 using government-defined protection profiles.”
Joseph Teixeira, vice president of safety and cybersecurity at Inmarsat Aviation, told Avionics that both the FAA and EASA “work closely with standards organizations, such as EUROCAE and RTCA to develop new technical requirements for aircraft and avionics.”
“Standards for avionics and other aircraft controls are very sophisticated and require absolute separation from other less secure systems, such as internet systems which can introduce vulnerable entry points,” Teixeira wrote. “Aircraft manufacturers and regulators therefore conduct vulnerability assessments with industry to mitigate against identified issues through partitions, firewalls and physical separation, both on the aircraft and the network they connect to on the ground. These requirements are absolutely necessary for the security of the aviation system, but also for protecting the personal data of passengers accessing our onboard Wi-Fi.”
In the future, aviation companies “need to understand the risks around introducing connected aircraft technology and to work with regulators to obtain the necessary certification for their products to ensure they are safe and secure,” according to Teixeira. “Whilst standards and requirements change all the time, the process for gaining design and operational approval always remains the same. Experienced companies in the aviation industry will know that any new product introduced to the market needs to meet both ‘Type Certification’ or ‘Supplemental Type Certification’ to ensure it is compliant with industry-wide standards.”
Inmarsat Aviation has cybersecurity protections for its ground network and, since the introduction of broadband Internet Protocol systems on-board, has implemented “a new set of protections that primarily target passenger use,” according to Teixeira. “Standards and techniques in the cybersecurity world are not static, and we have developed systems that can be upgraded as and when new risks arise.”
Chris Bartlett, the president of CCX Technologies, said that his company sees two main cyber vulnerabilities for aircraft.
“The first is the aviation supply chain,” he said. “Aviation OEMs need to make sure that all the components on an aircraft — avionics, network equipment, IoT devices and sensors etc — meet cybersecurity standards to ensure safe operation today and into the future. For example, the U.S. Department of Defense has developed the CMMC (Cyber Maturity Model Certification) program, which the U.S. Air Force is using. The Federal Aviation Administration could adopt this program in the short term or use it as a baseline and update it to fit the ongoing cybersecurity needs of commercial, business and general aviation. Another important consideration is to make sure the policies are in place to monitor the components. Maintaining a system’s integrity is an ongoing requirement, not a one-time exercise.”
The second vulnerability, he said, is that “although some work has been done by the FAA and EASA in DO-326 and ED-202, there is no existing standard or mandate to monitor the critical elements of onboard networks like ARINC 429.”
Asked whether ARINC 429 is secure from cyber intrusion, the FAA said that the ARINC 429 data bus used on most high-end commercial aircraft is “a very simple bus, with only one way of data coming into it and one way for data going out of it.”
“No matter what types of busses are used, the manufacturer must account for them, and any associated shortcomings, in their avionics and systems designs,” according to the FAA. “There are many ways for manufacturers to protect critical systems, but a robust avionics architecture, one with redundancy, fault tolerance, graceful degradation, is the primary means of protection.”
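As an added example that is not from the article or from any company quoted in it: a minimal ARINC 429 word decoder with the kind of continuous bus monitoring Bartlett argues for, checking odd parity and flagging labels a given bus is not expected to carry. The bit numbering (bus bit 1 taken as the integer's least-significant bit) and the sample words are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class A429Word:
    label: int       # 8-bit label, conventionally written in octal
    sdi: int         # source/destination identifier, bits 9-10
    data: int        # raw 19-bit field, bits 11-29 (encoding depends on the label)
    ssm: int         # sign/status matrix, bits 30-31
    parity_ok: bool  # True when the whole 32-bit word has odd parity

def _reverse8(b: int) -> int:
    """The label is transmitted MSB-first in bits 1-8, so its bits sit reversed."""
    return int(f"{b & 0xFF:08b}"[::-1], 2)

def decode(word: int) -> A429Word:
    """Split a word; assumes bus bit 1 is the integer's least-significant bit."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("ARINC 429 words are exactly 32 bits")
    return A429Word(
        label=_reverse8(word & 0xFF),
        sdi=(word >> 8) & 0x3,
        data=(word >> 10) & 0x7FFFF,
        ssm=(word >> 29) & 0x3,
        parity_ok=bin(word).count("1") % 2 == 1,
    )

def encode(label: int, sdi: int, data: int, ssm: int) -> int:
    """Build a well-formed word with odd parity; used here only to construct samples."""
    w = _reverse8(label) | (sdi & 0x3) << 8 | (data & 0x7FFFF) << 10 | (ssm & 0x3) << 29
    return w if bin(w).count("1") % 2 == 1 else w | (1 << 31)

def monitor(words, allowed_labels):
    """Flag parity failures and labels not expected on this single-transmitter bus."""
    alerts = []
    for i, raw in enumerate(words):
        w = decode(raw)
        if not w.parity_ok:
            alerts.append((i, "parity", w.label))
        elif w.label not in allowed_labels:
            alerts.append((i, "unexpected-label", w.label))
    return alerts

# Constructed sample traffic for a bus that should carry only labels 203 and 310.
ALLOWED = {0o203, 0o310}
SAMPLE = [
    encode(0o203, 0, 0x12345, 0b11),
    encode(0o310, 0, 0x0ABCD, 0b11),
    encode(0o203, 0, 0x12345, 0b11) ^ (1 << 15),  # one data bit flipped: parity fails
    encode(0o013, 0, 0x00001, 0b11),              # label not on the allow-list
]
```

Because the bus has a single transmitter, the set of labels it carries should be fixed, so a new label or a parity fault is worth an alert even when the cause turns out to be benign.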
Bartlett said that avionics manufacturers “need to understand many aspects when introducing new connected aircraft technology, but two key elements are the latest in secure technology options that apply to any hardware design—let alone connectivity—such as secure boot and cryptography; and the need for continuous and persistent monitoring of onboard airborne networks and network components.”
“The equipment may have been verified on the day it’s launched and installed, but it could be compromised, based on the ever-changing cybersecurity landscape, without such ongoing monitoring,” Bartlett said.