2020 will usher in a new mandate that will require all avionics suppliers to prove that their commercial avionics systems and processes are cybersecure. All aviation stakeholders now must comply with the emerging aviation cybersecurity standards known as “Airworthiness Security Process Specification,” identified and first introduced as DO-326A in the US and ED-202A in Europe.
These documents, published in 2018 but in the works for almost a decade, are today widely regarded as the de-facto mandatory standard, according to AFuzion, a 45-person software systems and safety development consulting company that has trained more than 1,500 engineers on how to implement cybersecurity and software systems standards for FAA/military and EASA compliance.
Questions remain on how seriously the industry will get behind the measures, especially if they don’t see any bite to enforcement from non-compliance. In an industry that has leaned heavily on industry-led voluntary compliance, the new regulations concede the need for specific, well-defined regulations to ensure that vulnerability gaps are quickly identified and mitigated on aircraft systems.
Compared to the commercial IT world, the aviation sector has been slower to respond to the cyberthreat.
According to AFuzion, that’s because of the inaccurate perception that complex attacks on industrial infrastructure could only be carried out by state-level “actors.” Today’s wide adoption of COTS hardware and software and the connected aircraft has changed everything.
Vance Hilderman, founder and CEO of AFuzion, says the level of commitment and innovation required to fight the avionics cyber threat will require a new collaborative approach across the aviation industry.
“Unlike static hardware and software design, the cyber threat is continually changing. We have to show as part of the new standard that we have an evolving process in place – a strategy – that will evolve to meet that need both during development and during operational deployment,” he explains. “That means it’s not just a one-time rubber stamp but rather a continuous involvement by IT, security, quality assurance and hardware and software engineers and that’s something that’s never been done before.”
Steve Edwards, director of secure embedded solutions with Curtiss Wright, agrees that there will need to a new level of vigilance.
“Once you have developed new validation [or other security measures], your job isn’t done. Security updates apply to both hardware and software,” he says, adding, “If you have a system and you are not being vigilant updating and maintaining it, your security posture is going to decline over time as new vulnerabilities are found.”
As an example, he points to the Meltdown and Spectre vulnerabilities found in 2018 in modern Intel processors that Intel had to develop a microcode to fix.
Bryant Henson, president of mission avionics for L3Harris Space & Airborne Systems, believes that the security threat for embedded systems designs are always evolving.
“As demand for connectivity and desire for integration increases, there will be more security requirements levied on avionics manufacturers,” notes Henson. “Suppliers will have to develop systems to a higher level of integration with other systems while also ensuring isolation that has been met historically via physical separation.”
Vulnerabilities Differ Between Avionics Hardware and Software
So, what are the biggest security concerns facing avionics suppliers at the systems level and how are the risks different for hardware and software?
Lorne Graves, CTO, Abaco Systems, observes that the first concern is usually “root of trust: do you trust that you’re actually booting the correct image and not something that has been corrupted or tampered with?”
Graves notes that concerns usually exist at both the board and system/box level. From a hardware perspective, anti-tamper, or the ability to affect or change the operation of an item, is a concern,” he says. This vulnerability can be mitigated both physically such as through “volume protection,” or the ability to encapsulate by some means the critical components, and electrically by detecting circuit probing or potential changes in planned functionality.
“Procedures for updating code in the field are required to ensure that only valid new code gets loaded into the aircraft. These are managed throughout the supply chain but administered at an aircraft level,” he adds.
“As communication between aircraft and ground increases, for example in-flight Internet access, the threat surface increases, and a comprehensive cybersecurity strategy is needed to prevent unwanted intrusion to aircraft systems,” says Graves.
Mitigating this issue is possible with encryption/decryption mechanisms on the data links, gateway hardware, and good system design to protect the internal network of the aircraft.
Graves says storage of critical programs and/or data is another key concern. Use of protection algorithms (AES for example) is a “means of protecting data at rest,” he observes.
Securing the Avionics Supply Chain
The avionics supply chain represents a key area of vulnerability and concern within the aviation sector.
Sending parts to the lowest bidder to be repaired is a risky proposition since they may not offer the same level of assurance that no malware will be inserted into an avionics part that could find its way onto the aircraft.
According to Abaco Systems, a supplier of modular embedded computing serving defense, avionics and other industries, there are several best practices that can be followed to secure the supply chain. Among them, are the following:
- Maintaining design authority by ensuring that subcontractors comply with company security procedures and assuring that incoming boards precisely meet original design.
- Abaco also purchases only from original manufacturers, authorized distributors or intensively vetted distributors and requires compliance with standards and routinely performs audits.
According to Henson, L3Harris is seeing several security requirements becoming more common for embedded systems, many of them centered around avionics supply chain concerns. These include requiring known and controlled sources of software and firmware supply and ensuring all programmable elements are properly developed and authenticated at power-up.
“From a customer requirements perspective, suppliers must ensure adequate accessibility to customers (i.e. data loading, maintenance reporting, etc.) while also providing security against bad actors who might wish to access the systems,” Henson says.
In addition, L3Harris looks at the level of trust/processing segregation of COTS software where a large quantity of code is developed and maintained outside the U.S. and is moving towards trusted hypervisors and multicore processors to isolate firewall applications from each other.
Blockchain: The Next Level of Aviation System Protection
Blockchain is a data structure that has the ability to establish a digital archive or record blocks of data such as transactions that can be shared and easily accessed by users across networks of different computers.
Security experts believe that Blockchain has the potential to secure multiple processes and transactions across multiple processes across the aviation ecosystem.
This digital ledger of transactions can record each time a part is installed or removed from an airplane. It can also readily capture each part’s pedigree and how long the part being replaced was in service and the identity, location and credentials of the technician performing the repair. By design, a blockchain is resistant to modification of this historical data. Along with Artificial Intelligence (AI) and Internet of Things (IoT), it’s been called the “holy trinity of disruptive technology.”
Because it can be de-centralized, blockchain’s feature of storing information on a digital ledger makes it appealing to avionics players involved in design as well as the industry as it looks for smarter, more secure says to store flight records, maintenance statuses, and other data.
“Blockchain will provide a safe harbor for design – we’ll always be able to revert to a safe design, plus we would theoretically have the ability to track all changes and the authors of those changes,” says AFuzion’s Hilderman.
Hilderman says that blockchain’s user anonymity that is so prized in financial transactions would need to be made visible for aviation applications. Using it to design avionics systems would require revising it so every supplier, developer and user along the chain is identified along with the version and their contributions.
David Sheets, security architect for Curtiss Wright, sees the blockchain being a future security strategy to fight cyber intrusions from quantum computers, especially in the area of encryption.
“As more quantum computers come online, they can potentially break asymmetric encryption, which is used for signing and verification. Blockchain is an alternate strategy that relies on hashing instead of asymmetric encryption, so it’s resistant to those quantum computer attacks that asymmetric encryption fall to,” says Sheets.