Early End-to-End Cybersecurity Testing Urged for Commercial/Business Aircraft

Civil aviation agencies in the U.S. and Europe are working on streamlining cybersecurity regulatory requirements that new aircraft systems must meet.

As wireless next-generation communications systems become the standard for commercial and business aviation, early end-to-end cybersecurity testing may become more normalized, as aircraft OEMs and owners seek to prevent the backdoor vulnerabilities of connected aircraft, including the introduction of malicious code and the hacking of aircraft communication data links.

The European Union Aviation Safety Agency (EASA) and the Federal Aviation Administration (FAA) now consider cybersecurity a sine qua non [essential] for commercial aircraft.

For the FAA, cybersecurity became an area of interest in 2004 with the launch of the Boeing 787 Dreamliner.

“Since we didn’t have any rules concerning malicious intent, we decided that we could do it under special conditions,” Varun Khanna, the FAA cybersecurity subject matter expert for large transports and the designated federal official/government authorized representative (DFO/GAR) for the RTCA SC-216 Aeronautical Systems Security Committee, said during an Apr. 22 webinar hosted by RTCA.

“We created two special conditions during that process, which were completed around 2007-2008, about the time RTCA launched the SC-216 activity, as well as [the European Organization for Civil Aviation Equipment—EUROCAE] WG-72 [committee],” he said. “These two committees ran concurrently. It was a sincere desire from both sides to make sure that all the guidance that came out of these two committees was harmonized and acceptable to both sides of the pond, including some other regulators.”

In October 2020, the U.S. Government Accountability Office (GAO) published a report urging the FAA to reconsider its regulation of aircraft cybersecurity, which included this overview of some of the aircraft systems it is most concerned about.

In concurrence with the broad cybersecurity rule effort instituted in 2019 by EASA, the FAA is now looking to devise a 12-rule package for Part 25 large transport aircraft, Part 33 engines, and Part 35 propellers.

The FAA has finished a first draft of the Part 25 rule, which “will essentially mimic the rule EASA has put out” with a final rule likely by the end of next year or early 2023, Khanna said.

The agency’s cybersecurity rulemaking has had delays, as the “last four years were not conducive to rulemaking,” Khanna said. The former Trump administration had mandated the removal of two regulations for every new one that went on the books.

Cyrille Rosay, EASA’s senior expert on cybersecurity in aviation and the chair of the WG-72 committee and the European Cybersecurity Standards Coordination Group (ECSCG), said EASA “plans to rely as much as possible on industry standards” for cybersecurity regulation, including the new rule that went into effect for large aircraft and general aviation on Jan. 1.

Financed by the European Commission, ECSCG is “intended to prevent the duplication of standards so that we don’t spend too much time developing things that already exist,” Rosay said.

Such standards will likely bear some increased costs for OEMs.

“The digital revolution has engineered modern aircraft with many new features that introduce significant complexities and unprecedented connectivity, creating numerous vulnerabilities to cyberattack,” per Olaf Kath, the senior director of research and development at Ansys. “Engineers must identify and address all vulnerabilities across electronics architectures — including every interface, control, and connection — to ensure that aircraft systems are protected from hackers.”

Given the continuous advancement of cybertechnology, identifying and tracking cyberthreats, assessing the risks and the likelihood of an attack, and continuously updating aircraft cybersecurity are all part of a cradle-to-grave process for commercial and business aircraft.

“One issue with new or further developed avionics is that the penetration testing usually takes place at a very late point in development,” Olaf said. “That can drastically stall development and slows the aircraft’s path to market. There must be a structured approach from the very beginning of the development lifecycle to the very end of lifetime. Additionally, often inadequate tools are being used for this process.”

Ansys’ “medini analyze” is a model-based security analysis tool that provides such penetration testing early in the development process, according to Kath.


By using “medini analyze,” engineers can systematically identify and address system vulnerabilities across the electronics architecture early in the design phase, Kath said.

“By deciphering every possible means of cyberattack — and estimating both their impact and their level of threat — systems engineers can minimize the risk of attack to an acceptable level,” he said. “Leveraging a threat analysis tool to perform systematic and repeatable risk analyses with a catalog that records vulnerabilities — and known threats — reduces the development time of new systems and keeps in-service aircraft flying safe. As the catalog collects and stores market intelligence, engineers will understand the different domains that experienced attacks, flow that data back into the cybersecurity assessment, update the catalogs, and precisely reassess the risk.”

Artificial intelligence may also aid in the rapid identification of cyber vulnerabilities and cyber intrusions.

Rolls-Royce, Purdue University, and Carnegie Mellon University have launched a cybersecurity research network to strengthen the security of Rolls-Royce propulsion and power systems via the AI-enabled detection of cyber intrusions.

“Artificial Intelligence is one of the most effective methods to detect undesired or anomalous behaviors within systems,” Rolls-Royce said. “However, traditional AI requires significant computing resources. This new research is focused on developing AI approaches that can be utilized in resource-constrained embedded systems that are prevalent in many of our products.”

The Rolls-Royce/Purdue University/Carnegie Mellon University technology research network is expected to conduct two to three Rolls-Royce-funded projects at each school annually.

“Three major projects have already launched by the two universities with additional projects expected to begin later in the year,” Rolls-Royce said in April.

On the regulatory front, EASA has been leading the charge on cybersecurity standards. EASA working groups, including RTCA SC-216 and EUROCAE WG-72, have published standards DO-326A, ED-202A, DO-355, ED-205, DO-356A, ED-203A for avionics cybersecurity certifications. EASA has mandated the use of these standards, and industry leaders expect the FAA to follow suit with the 12 proposed, new rules.

An April 2021 report by the World Economic Forum (WEF) and Deloitte for the International Civil Aviation Authority noted comprehensive underinvestment in cyber resilience and said that organizations should consider cyber risks “in the broader context of corporate and the ecosystem’s resilience, looking at both the cyber and physical elements of operational risks to their business as they become increasingly dependent on the internet and digital channels.” The report also advised organizations to adopt “a resilience mindset to govern how they would respond to and recover from any major cyber event as an extension to their robust emergency response practices for safety and physical security incidents.”

Senior cybersecurity leaders from the aviation industry, government agencies, and international organizations created the new report to highlight key systemic cyber risks and alleviate the impact “from future digital shocks,” per the report.

Regulators appear to be working closely with industry to ensure that cybersecurity is baked into new avionics.

The FAA has contracted with Astronautics to research the Aircraft Systems Information Security/Protection (ASISP) cyber risks and mitigations for avionics systems.

“Astronautics, working with MIT Lincoln Laboratory, developed and tested an advanced cyber Risk Management Framework (RMF) methodology that is currently being used to certify avionics systems,” per David Jones, Astronautics’ avionics security assurance manager.

The FAA said that it requires manufacturers to protect critical systems on newly designed aircraft and those receiving in-service modifications, such as internet protocol systems, from cyber threats.

“As part of the FAA Safety Management System, organizations, including airlines, actively monitor their fleet for safety and cyber risks, and work to reduce the risk,” the agency said. “The FAA monitors the U.S. fleet for emerging issues and takes swift action should an issue affect operations.”

The agency also said that it collaborates on cybersecurity with the Department of Homeland Security, the Department of Defense, airports, and airlines. “Through the Aviation Cyber Initiative taskforce, the FAA and its partners identify cyber risks, measures to address them, and ways to increase cybersecurity,” per the FAA.

While cybersecurity is not a new topic for the aviation industry, it appears that regulatory agencies are moving to a more holistic approach, as previous efforts over the last decade dealt mainly with protecting given products, not with protecting the aircraft as a system.

Last year, EASA established a cybersecurity regulatory framework via EASA decision 2020/006/R that updated certification specifications and Acceptable Means of Compliance (AMCs) covering a broad range of aircraft types. Transport Canada said that it recognizes these initiatives and is aligning with them.

“Left alone, secure products offer a certain level of protection,” according to EASA. “However, the adoption of cybersecurity risk management at organization level creates the proper environment to operate these products and to maintain their level of protection during the whole operational life.”

EASA recently published Opinion 03/2021, the management of information security risks, which proposes the introduction of provisions for the management of information security risks related to civil aviation information systems.

“These provisions shall apply to competent authorities and organizations in all aviation domains (i.e. design, production, management of continuing airworthiness, maintenance, air operations, aircrew, air traffic management/air navigation services (ATM/ANS), and aerodromes), include high-level, performance-based requirements, and shall be supported by acceptable means of compliance (AMC), guidance material (GM), and industry standards,” according to EASA.

“These requirements will be proportional to the complexity and risks associated to each organization,” EASA said. “As a consequence, they will be simpler for less complex organizations, such as is the case for business aviation.”

In July last year, EASA published amendments to the product certification regulations in order to mitigate the potential effects of cybersecurity threats on safety and to consolidate those provisions that were previously introduced with special conditions.

Transport Canada, for its part, requires that applicants for the approval of aeronautical products demonstrate that the product design ensures electronic system security protection from intentional unauthorized electronic interactions, including malware unintentionally installed through maintenance activity or inadvertent bypassing of normal authentication procedures. In addition, product designs must ensure that electronic security threats to systems from unauthorized sources are identified and assessed and that “effective electronic system security protection strategies are implemented to protect the engine from all adverse impacts on safety, functionality, and continued airworthiness,” per Transport Canada.

The agency said that it has applied cybersecurity requirements to many new programs.

“Cyber security is an evolving science, and common with most new regulatory issues, requirements often begin life as Special Conditions,” Transport Canada said. “As is the department’s practice, once our international airworthiness partners have published harmonized requirements, we will adopt these requirements into the Airworthiness Manual. Until that time, Transport Canada will continue to apply the requirements via Special Condition – Airworthiness on each program.”
