The Pentagon, The Department of Homeland Security (DHS), and the Department of Transportation (DOT) have been operating since May to implement the cybersecurity purposes of the National Strategy for Aviation Security, published earlier this year, and to coordinate cybersecurity pre-eminence.
“Recently the Aviation Cyber Initiative (ACI) was established as a tri-chaired task team by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Department of Transportation, and the Department of Defense,” according to a CISA administrator. “The ACI mission is to overcome cybersecurity risks and improve cyber flexibility to support safe, secure, and efficient enforcement of the nation’s aviation ecosystem…Before May, CISA led the inter-agency ACI to recognize and mitigate cyber vulnerabilities influencing the safe operation of commercial airplanes inside the National Airspace System (NAS).”
The National Strategy for Aviation Security “leads a risk-based approach to identify and alleviate aviation cyber vulnerabilities impacting the aviation ecosystem, which incorporates both civil and military aviation,” according to the CISA administrator. “In support of cyber risk-reduction and resiliency purposes, the aviation ecosystem is an extensive multi-layered system of intersecting elements with important roles in the aviation field and involves six primary entities: airports; airlines; aircraft; transit; actors; and aviation management.”
The Wall Street Journal first published in an article last week that concerns about possible terrorist cyberattacks led U.S. officials “to re-energize efforts to identify airliners’ peril to hacking” and that the new program would include limited testing of aircraft.
Sister publication Defense Daily published in 2017 that DHS’s Science and Technology division had purchased a Boeing 757 and conducted a cybersecurity trial of the aircraft at the airport in Atlantic City. Still, the Wall Street Journal article last week announced that such trial ended in the previous year “amid a disagreement with Boeing…over the trial methodology and planned to publish some findings publicly.”
Last April, the International Air Transport Association operated a cybersecurity round table in Singapore to address such threats. “All aspects of aircraft operations are now combined and digitized whether an aircraft is airborne, operating at an airport or in support,” according to an excerpt from a report of the round table. “Additionally, the passenger journey is also frequently digitized not only on the ground but also in the air. From a cybersecurity perspective, this constitutes a complex defensive landscape that has to dispense with everything, from an insider threat to attacks versus space-based assets, such as Global Navigation Satellite System (GNSS).”
“Overlaid on this defensive complexity is an opinion that cybersecurity issues remained potentially siloed beyond regulators and authorities, making oversight and accountability, questioning. Allied to this, as emerging technology recapitulates to shape the landscape, data integrity attacks, such as spoofing, may become more conventional.”
At this year’s Black Hat convention in Las Vegas, Ruben Santamarta, a security consultant, presented his decisions related to possible flaws in the 787’s core network that he said could provide a hacker access to the airliner’s critical operations. The FAA said that all air transport designers “use the notions of fault tolerance, redundancy, graceful degradation of rules, and pilot intervention to ensure the secure operation of the airplane.”
