Avionics News June 2017 - 34

CYBERSECURITY IN THE SKY
Continued from page 33

anyone to exert control over aircraft systems as a crew
member is required to accept, acknowledge and act upon
CPDLC messages," Zban said.
The second category of cockpit connectivity comes
through portable electronic devices. More and more
pilots use portable electronic devices as electronic flight
bags, typically using a common device - the iPad. The
iPad and some other portable equipment are Class 1
EFBs. Use of these EFBs by Part 121, 125, 135, and 91
subpart F and subpart K operators must be authorized
by the FAA, and their use is limited by AC 120-76A.
However, the AC provides good guidance for all aircraft
operators and pilots regarding general security measures.
It's always good to assume the worst in any safetycritical environment, so cabin devices must be, and
are, segregated and protected from standard cabin
connections. Certificated, installed hardware includes
built-in protections, but portable electronic devices
are vulnerable to attacks in the cabin system. An
Ethernet router can be used to create a firewall between
connectivity and the cockpit. Portable electronic devices
used in the cockpit also should have current, reputable
anti-virus/anti-malware software installed.
Train to mitigate cabin and
cockpit vulnerabilities
Wolfe and Zban recommend training to mitigate
cybersecurity vulnerabilities in the cabin and the cockpit.
Both pilots in the cockpit and passengers in the cabin can
benefit from cybersecurity training.
Flight departments and air carriers should provide
their pilots with basic cybersecurity training, including
using strong passwords, safe charging of devices, and
properly logging out of devices. Pilots should be trained
to verify messages inconsistent with expectations and
standard operations by using voice communications.
"One of the primary reasons we have pilots in the
cockpit is to use their human brains and apply critical
thinking," Wolfe said.
Some aircraft operators - especially flight departments,
which tend to have a clear nexus with their passengers
- might consider offering passengers training or at least
ensure passengers are aware of and comply with the
company's security policies when on the company aircraft.
34

avionics news

june

2017

Passenger training should include the same best
practices as those for pilots: basic cybersecurity
awareness and strong password development, plus use of
VPNs or other secure network access.
The increased vulnerability of the cabin system makes
passenger awareness and training even more important.
Regulatory climate
The FAA and the International Civil Aviation
Organization are looking closely at cybersecurity. An
Aviation Rulemaking Advisory Council on Aircraft
Systems Information Security/Protection recently
presented the FAA with 30 recommendations for
improving cybersecurity in the national airspace system.
The goal of the ARAC ASISP working group was to
consider regulation, policy, and/or guidance to identify
aircraft vulnerabilities and mitigate risks in a harmonized
manner with other aviation authorities and regulators.
It remains to be seen what will come of the 30
recommendations, many of which relate to certification
or design, but some include agency or industry best
practices in operations.
The ICAO also has taken on cybersecurity concerns
through the AvSec panel, a group of industry and
government security experts. The ICAO is focused on
information sharing and coordination across civil aviation
safety and security to address aviation cybersecurity on a
global level. In addition, the ICAO Annex 17, Chapter 4
outlines preventive security measures.
For now, certificated, installed cockpit hardware in
U.S.-registered aircraft is standardized through special
conditions issued by the FAA, and portable electronic
devices are standardized for commercial air carriers
through the EFB authorization process. But cabin
connectivity systems and portable electronic devices
for Part 91 operators require industry-driven, voluntary
compliance with best practices. Additional regulation,
standards, and/or best practices are likely to be issued
by national aviation authorities and the ICAO during
the next several years to address the ever-changing
environment of cyberrisks.
To keep your data secure, whether as a passenger
in the cabin or pilot in the cockpit, in most cases, the
basics of cybersecurity are most crucial: Be aware of the
risk, use strong passwords, consider use of a VPN for
passengers, and use effective anti-virus/anti-malware
software on all devices.q

Table of Contents for the Digital Edition of Avionics News June 2017