Avionics are the electronic systems used on aircraft. Aircraft avionics is the most crucial component of aircraft systems and helps in providing various operational and virtual information in-flight and on the ground. The avionics system receives data from the air traffic management system and feeds this information to the pilot to select an approach path to the destination.
Aerospace avionics include navigation, communication, and surveillance systems along with other electrical systems and in-flight entertainment systems. Air navigation is the determination of position and direction on or above the surface of the Earth. Avionics can use satellite navigation systems (such as GPS and WAAS), inertial navigation systems (INS), ground-based radio navigation systems (such as VOR or LORAN), or any combination thereof.
Traditional avionics architectures are inherently designed to be separate from any data-related interactions with the outside world, greatly reducing the opportunities to introduce malware. Aircraft systems are generally isolated from the Internet, and so in the past have implemented an “air gap” approach to security.
The aviation industry is quickly moving towards digitalization, introducing new technologies and concepts especially through non-aviation means (e.g. Cloud, 5G, WiFi, satellite communications and Machine Learning). This, in turn, further exposes aviation to the current wave of cyber-attacks. E-enabled aircraft are turning airplanes into flying data centers. This rapid development towards fully digital aircraft with widespread connectivity capabilities opens the aviation industry to new challenges and vulnerabilities with unprecedented risks.
For example, one of these vulnerabilities is the increased use of COTS (commercial off-the-shelf) software. This opens aviation systems to more hard-to-predict attacks and to attacks that do not require aviation-specific knowledge (aviation-specific software and hardware).
This technology can enable pilots and maintenance crew to use Electronic Flight Bag (EFB) tablets, iPads, or a simple laptop, and, through WiFi, access and obtain critical flight data. Attackers could (as they already have) exploit this interconnectivity not only to access this data but to manipulate it, thereby compromising the safety of a flight. It is important to keep in mind that these vulnerabilities do not only affect onboard systems. There are also major attempts to modernize Air Traffic Control systems. Similar to the vulnerabilities mentioned above, the digitalisation of ATC systems will open new avenues of attack for which the aviation industry must prepare.
The aviation industry has been the target of cyberattacks. The airline Cathay Pacific was the target of a data breach attack in November 2018 that caused the leak of over 9 million people’s personal data. EUROCONTROL reported more than 30 cyber-attacks on aviation in the first half of 2019. Not to mention, the cyber domain particularly appeals to terrorists due to being low-cost, anonymous and accessible—terrorists can attack from virtually anywhere in the world.
As the demand for value-added services increases, and the sophistication of security threats increases with it, the air-gap approach needs to be updated in order to maintain aircraft security, and ultimately safety. The increased use of connectivity and the growth of system hardware/software complexity have increased the threat surface for modern aircraft systems.
Several cyber risks to avionics systems are highlighted in the GAO report, including flight data spoofing attacks and outdated systems on legacy aircraft. Other risks include software vulnerabilities and the long update cycles that are common for in-service avionics systems. Malware is also referenced because it can be inserted into an application installed on an Electronic Flight Bag (EFB), and EFBs are increasingly connected to flight management computers.
“[Aircraft Communications Addressing and Reporting System] ACARS transmissions are unauthenticated and, thus, could be intercepted and altered or replaced by false transmissions. For example, unprotected ACARS communications could be spoofed and manipulated to send false or erroneous messages to an airplane, such as incorrect positioning information or bogus flight plans,” the report says.
Regulatory Cyber Security Measures
In response to the connected avionics systems on modern civilian and military airplanes, civil aviation regulators around the globe have introduced new policies, regulations and guidance for companies that are developing the next generation of communication, navigation and surveillance technologies.
At the regulatory level, two of the most notable cybersecurity developments of 2019 came from the European Aviation Safety Agency (EASA), which published two notices of proposed amendments on the topic – including NPA 2019-01 ‘Aircraft Cybersecurity’ and NPA 2019-07 ‘Management of Information Risks.’ While NPA 2019-01 introduces an acceptable means of compliance for cybersecurity certification requirements, NPA 2019-07 focuses on addressing cyber events that have the potential to impact the normal functioning of Europe’s air traffic system.
In October 2019, during the 40th Session of the General Assembly, ICAO adopted Assembly Resolution A40-10 addressing cybersecurity in civil aviation and explaining the need for a more coordinated and proactive approach; ICAO urged member states to implement the ICAO Cybersecurity Strategy. By the end of 2019, certification of aircraft electronic networks and systems is expected to comply with the recently updated DO-326 and ED-202. These updates seek to provide a more detailed and complete approach to the management of cybersecurity risks.
To handle the threat of intentional unauthorized electronic interaction to aircraft safety, RTCA DO-326 (EUROCAE ED-202A) provides guidance for the process of aircraft certification. From DO-326A: “The purpose of the Airworthiness Security Process (AWSP) is to establish that, when subjected to unauthorized interaction, the aircraft will remain in a condition for safe operation (using the regulatory airworthiness criteria). To accomplish this purpose, the Airworthiness Security Process:
• Establishes that the security risk to the aircraft and its systems are acceptable per the criteria established by the AWSP, and
• Establishes that the Airworthiness Security Risk Assessment is complete and correct.”
Avionics Cyber Security Risk Assessment
Avionics cyber security demands that an appropriate level of security be established—one that is relevant to aircraft safety. Securing a device is a continuous effort that spans the entire lifecycle of the aircraft, from architectural design through deployment and end-of-life. Planning and budgeting for safety and security updates throughout the entire aircraft lifecycle, along with future threat protections, are essential for any e-enabled aircraft.
The first step in any security project is to define the scope of the security problem. This involves identifying the particular assets in the system, identifying the security perimeter, and documenting the security environment—in other words, a fairly straightforward review of what is in the system, where it touches the outside world, and the environment in which the system operates.
For example, assets can be broken down into hardware and software; these can be broken down further into particular data assets, such as navigation databases or software updates, and the value and impact of these assets can then be analyzed. To identify the security perimeter, all touch points of the system to the outside world must be considered, including maintenance interfaces, digital interfaces such as passenger devices, crew systems, and connections between avionics systems; and existing security mechanisms within systems must also be identified.
Finally, the environment needs to be defined and analyzed, including other systems that the system under evaluation may come into contact with, such as air traffic systems or passenger booking systems. These outside systems must be identified, and the security threat analysis must cover potential threats from these sources.
In addition, this is a continually evolving system, so although the security scope may be identified at the start of the project, provision must also be made to update it throughout the lifecycle of the system. This could involve introduction of new technology such as 4G or cloud computing, or new systems within the environment.
After the security scope of the system is identified, the threats to that system need to be considered, and the conditions under which these threats might emerge identified. For example, a passenger may be allowed to connect his or her device to the IFE in order to stream information, but this condition could now lead to threat injection into the IFE system.
Part of this analysis includes documenting security requirements for outside sources and identifying whom you can trust and to what level. RTCA DO-356 (EUROCAE ED-203, out for consultation at time of print) defines “trust levels” you can use to measure these outside environments. These trust levels are mapped directly to DO-178C safety levels such as “No Safety Effect” and “Catastrophic,” so level twE is “Not trustworthy to use or manage assets with any safety impact above No Effect” and level twA is “Trustworthy to use and manage assets of Catastrophic safety impact.”
Once the security scope and threat analysis are in place, a security risk assessment can be performed that maps threat scenarios onto the security system to identify potential vulnerabilities that may need to be mitigated. This assessment is used to map these vulnerabilities onto failure conditions as defined in 14 CFR 25.1309 and EASA CS 25.1309, allowing definition of the impact in well understood terms, such as those already used in safety analysis, from “No Effect” through to “Catastrophic.”
This analysis also identifies the risk associated with each threat identified, so that a value judgment can be made on the protection required. This is the same analysis as currently performed in safety systems engineering.
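The scoping, threat and risk steps above (assets, perimeter, trust level of outside sources, mapping onto failure conditions) can be carried through as one small model. The following is an added worked example and not code from the article or from DO-326/DO-356: only the twE and twA trust levels come from the text, the intermediate levels twD, twC and twB are assumed for illustration, and the assets, interfaces and severities are constructed sample data.

```python
"""Worked risk-assessment model (added example; sample data is constructed)."""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    """Failure-condition classes used in safety analysis, least to most severe."""
    NO_EFFECT = 0
    MINOR = 1
    MAJOR = 2
    HAZARDOUS = 3
    CATASTROPHIC = 4


# Trust level of an outside source = the highest safety impact it may manage.
TRUST_LEVELS = {
    "twE": Severity.NO_EFFECT,     # from the article
    "twD": Severity.MINOR,         # assumed intermediate level
    "twC": Severity.MAJOR,         # assumed intermediate level
    "twB": Severity.HAZARDOUS,     # assumed intermediate level
    "twA": Severity.CATASTROPHIC,  # from the article
}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # "hardware", "software" or "data"
    severity: Severity   # worst credible failure condition if compromised


@dataclass(frozen=True)
class Interface:
    """A touch point on the security perimeter and the outside system behind it."""
    name: str
    external_system: str
    trust_level: str     # key into TRUST_LEVELS


@dataclass(frozen=True)
class ThreatScenario:
    asset: Asset
    via: Interface
    description: str
    # Existing security mechanisms on the path, each with the severity it is
    # assured to protect up to (assumed values for the example).
    controls: tuple = ()


@dataclass(frozen=True)
class Finding:
    scenario: ThreatScenario
    impact: Severity
    effective_trust: Severity
    acceptable: bool
    required_mitigation: str


def effective_trust(scenario):
    """A control raises the trust of a path up to the level it is assured for."""
    base = TRUST_LEVELS[scenario.via.trust_level]
    return max([base] + [level for _, level in scenario.controls])


def assess(scenario):
    """Acceptable when the path is trusted for at least the asset's impact."""
    impact = scenario.asset.severity
    trust = effective_trust(scenario)
    ok = trust >= impact
    need = "" if ok else (f"raise protection on '{scenario.via.name}' "
                          f"from {trust.name} to at least {impact.name}")
    return Finding(scenario, impact, trust, ok, need)


def risk_assessment(scenarios):
    """Unacceptable findings first, then by decreasing impact."""
    return sorted((assess(s) for s in scenarios),
                  key=lambda f: (f.acceptable, -f.impact))


# Constructed sample scope: three assets, two perimeter touch points.
NAV_DB = Asset("navigation database", "data", Severity.HAZARDOUS)
FMS_LOAD = Asset("FMS software load", "software", Severity.CATASTROPHIC)
IFE_MEDIA = Asset("IFE media content", "data", Severity.NO_EFFECT)
MAINT_PORT = Interface("maintenance data loader port", "airline maintenance laptop", "twB")
PAX_WIFI = Interface("cabin Wi-Fi", "passenger device", "twE")

SCENARIOS = (
    ThreatScenario(NAV_DB, MAINT_PORT, "corrupted nav database loaded at line maintenance"),
    ThreatScenario(FMS_LOAD, MAINT_PORT, "tampered FMS load introduced through the loader"),
    ThreatScenario(FMS_LOAD, MAINT_PORT, "tampered FMS load, signed-load verification enforced",
                   controls=(("signed-load verification", Severity.CATASTROPHIC),)),
    ThreatScenario(IFE_MEDIA, PAX_WIFI, "passenger device streams malformed media to the IFE"),
)

if __name__ == "__main__":
    for f in risk_assessment(SCENARIOS):
        print(f.acceptable, f.impact.name, f.scenario.description, f.required_mitigation)
```

The model reproduces the article's logic: a twB source may manage a Hazardous-impact asset, so the navigation database finding is acceptable, while the same source handling a Catastrophic-impact software load is not until a control assured to the Catastrophic level is added to the path.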
The security architecture can now be implemented to mitigate the risks identified and to protect the assets within the security scope. Concepts such as defense in depth and layered assurance ensure that any particular threat has to penetrate multiple security measures in order to succeed, and this “chain of protection” provides greater security than just a single protection mechanism.
This layered protection should, for each system, cover system design, boot, run time (data in transit), and power down (data at rest). For each of these, the systems should align the security architecture to the identified threats that need to be mitigated. As with DO-178C, design involves the process through which the code itself is developed. As with safety, the higher the required protection, the more investment needed in the code development process. One way of reducing risk for code development is to use commercial off-the-shelf (COTS) components wherever it makes sense; so, for example, the operating system itself would be a COTS component.
To support this decision, Wind River® supplies its VxWorks® and Wind River Linux operating environments with full security capabilities defined in security profiles to use in developing the system security architecture. In order to implement layered protection, security measures must start as soon as the hardware powers up. In IT environments, attacks at the early boot and initialization stages are the most difficult attacks to remove (rootkits for example). As the hardware executes its firmware, the system needs to make sure the firmware has not been compromised, and that it then boots the expected (and secure) environment. As this is tied to the hardware system, this involves customization as well as COTS secure boot technology.
Using a COTS operating system that supports safety and security mechanisms also makes sense for the run-time architecture. The security threat analysis needs to go deep enough into the system architecture to make sure that the required OS features are enabled and configured accordingly—for example, if password protection is needed, or if any user interaction must be eliminated or limited.
Data-at-rest protection can be very simple, in the form of encrypted storage, or more sophisticated, using anti-tamper technology implemented both in hardware and software.
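The boot step of the layered protection described above (verify the firmware, then boot only the expected environment) is illustrated by the following added example. It is not code from the article, from Wind River or from any secure-boot product: the three stage images are constructed byte strings, the root-of-trust key is a placeholder for a key that real hardware would hold in fuses or a secure element, and the verify-then-execute chain is modelled with a MAC-protected manifest of SHA-256 digests rather than a vendor's signature format.

```python
"""Verify-then-execute boot chain (added example; images and key are constructed)."""
import hashlib
import hmac

STAGES = ("firmware", "bootloader", "os")

# Constructed stand-ins for the stage images; real ones would be read from flash.
IMAGES = {
    "firmware": b"stage0: reset vector and board init (constructed)",
    "bootloader": b"stage1: locate and load the OS image (constructed)",
    "os": b"stage2: RTOS image with security profile enabled (constructed)",
}

# Placeholder for the root-of-trust key; on real hardware it never leaves the device.
ROT_KEY = b"constructed-root-of-trust-key"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(images):
    """Expected per-stage digests plus a MAC over them (the trust anchor)."""
    body = "\n".join(f"{stage}={digest(images[stage])}" for stage in STAGES).encode()
    tag = hmac.new(ROT_KEY, body, hashlib.sha256).hexdigest()
    return body, tag


def parse_manifest(body: bytes) -> dict:
    return dict(line.split("=", 1) for line in body.decode().splitlines())


def secure_boot(images, manifest_body, manifest_tag):
    """Returns (stages_booted, failure_reason_or_None).

    The manifest is authenticated first; then each stage is measured before
    control passes to it, so a tampered later stage never runs."""
    expected_tag = hmac.new(ROT_KEY, manifest_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest_tag):
        return [], "manifest authentication failed; refusing to boot"
    expected = parse_manifest(manifest_body)
    booted = []
    for stage in STAGES:
        if not hmac.compare_digest(digest(images[stage]), expected[stage]):
            return booted, f"{stage} image does not match manifest; boot halted"
        booted.append(stage)  # "execute" the stage, which then measures the next
    return booted, None


def demo():
    """Clean boot, a tampered bootloader, and a manifest edited to cover the tampering."""
    body, tag = build_manifest(IMAGES)
    clean = secure_boot(IMAGES, body, tag)
    tampered = dict(IMAGES, bootloader=IMAGES["bootloader"] + b"\x90")
    halted = secure_boot(tampered, body, tag)
    edited_body = body.replace(digest(IMAGES["bootloader"]).encode(),
                               digest(tampered["bootloader"]).encode())
    forged = secure_boot(tampered, edited_body, tag)  # MAC no longer matches
    return clean, halted, forged


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third case is the one that matters for defenders: re-hashing a tampered image is easy, so the list of expected digests must itself be bound to the hardware root of trust, otherwise the check degrades to an integrity check that the attacker can update.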
Security testing needs to look for specific vulnerabilities both in OS code and in any middleware such as networking code, as well as in the applications themselves. This testing covers many aspects of security vulnerabilities such as confidentiality, integrity, authentication, availability, authorization, and non-repudiation. This security testing is over and above any functional testing to verify that the system does what it is supposed to do. The level of testing will be as identified in the security scope and threats, and must also include a plan for further testing across the lifecycle of the device, both in terms of testing the existing solution and in terms of testing for new threats as they become apparent.
A new U.S. Government Accountability Office (GAO) report identifies six key recommendations for the Federal Aviation Administration’s (FAA) current regulation of cybersecurity requirements for commercial aircraft avionics systems. The report calls on the agency to hire new staff, standardize its process for assessing the cyber resiliency of connected avionics systems and establish new methods for penetration testing of aircraft networks. Important findings and insights shared by GAO also show some software vulnerabilities and the potential disruption of aircraft network functioning under penetration testing that heavily complicates how the FAA can address the recommendations moving forward.
GAO’s six recommendations include the following:
- Identify the “relative priority of avionics cybersecurity risks compared to other safety concerns and develop a plan to address those risks.”
- Implement new training for agency inspectors “specific to avionics cybersecurity.”
- Include independent testing in new guidance for avionics cybersecurity testing of new airplane designs.
- Develop procedures for “safely conducting independent testing” of avionics cybersecurity controls in the deployed fleet.
- Coordinate a tracking mechanism for ensuring avionics cybersecurity issues are resolved among “internal stakeholders.”
- Review oversight resources the agency has currently committed to avionics cybersecurity.
In the report the investigators note that the FAA concurred with five out of their six recommendations. “The FAA believes any type of testing conducted on the in-service fleet could result in potential corruption of airplane systems, jeopardizing safety rather than detecting cybersecurity safety issues,” the report says.
Cyber security technologies
Some technology suppliers have also developed new methods of monitoring and improving the cyber resiliency of connected avionics systems. CCX, a Canadian avionics manufacturer, makes a computer designed to monitor aircraft network traffic in real time.
“Our perspective is there should be perpetual monitoring of onboard networks all the time, the Ethernet-based activity and proprietary avionics data bus networks such as ARINC 429 traffic should be monitored,” Bartlett told Avionics International. “How do you know what’s going on with your aircraft’s network if you’re not actually monitoring and alerting on certain events that you have pre-established as a risk? I think there needs to be a paradigm shift that happens in the industry that at a baseline there should be active monitoring of all onboard networks.”
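The kind of monitoring described in the quote above, alerting on pre-established risk conditions in ARINC 429 traffic, is illustrated by the following added example. It is not CCX's product or code from the article: the bus traffic is constructed, the baseline policy (allowed labels and maximum word rate per source) is an assumed configuration, and only the ARINC 429 word layout (8-bit label transmitted bit-reversed, 2-bit SDI, 19-bit data, 2-bit SSM, odd parity) is taken from the standard.

```python
"""ARINC 429 bus monitor with a baseline policy (added example; traffic is constructed)."""


def reverse8(x: int) -> int:
    """ARINC 429 places the label in bits 1-8 with its MSB first, i.e. bit-reversed."""
    return int(f"{x:08b}"[::-1], 2)


def encode_word(label: int, sdi: int, data: int, ssm: int) -> int:
    """Pack one 32-bit word and set bit 32 so the total number of 1 bits is odd."""
    word = reverse8(label) | (sdi & 0x3) << 8 | (data & 0x7FFFF) << 10 | (ssm & 0x3) << 29
    if bin(word).count("1") % 2 == 0:
        word |= 1 << 31
    return word


def decode_word(word: int) -> dict:
    word &= 0xFFFFFFFF
    return {
        "label": reverse8(word & 0xFF),
        "sdi": (word >> 8) & 0x3,
        "data": (word >> 10) & 0x7FFFF,
        "ssm": (word >> 29) & 0x3,
        "parity_ok": bin(word).count("1") % 2 == 1,
    }


# Assumed baseline: which labels each source may transmit and how fast.
BASELINE = {
    "ADIRU-1": {"labels": {0o310, 0o311, 0o312}, "max_rate_hz": 25},
}


def monitor(traffic, baseline=BASELINE, window=1.0):
    """traffic: iterable of (timestamp_s, source_bus, word). Returns a list of alerts
    (timestamp, bus, kind, detail); kind is 'parity', 'unknown-label' or 'rate'."""
    alerts = []
    counts = {}
    for t, bus, word in sorted(traffic):
        f = decode_word(word)
        if not f["parity_ok"]:
            alerts.append((t, bus, "parity", f"parity error on word {word:08x}"))
            continue
        policy = baseline.get(bus)
        if policy is None or f["label"] not in policy["labels"]:
            alerts.append((t, bus, "unknown-label", f"label {f['label']:03o} not in baseline"))
            continue
        key = (bus, f["label"], int(t // window))      # per-label count per window
        counts[key] = counts.get(key, 0) + 1
        if counts[key] == int(policy["max_rate_hz"] * window) + 1:   # alert once per window
            alerts.append((t, bus, "rate",
                           f"label {f['label']:03o} exceeded {policy['max_rate_hz']} words/s"))
    return alerts


def sample_traffic():
    """Constructed capture: normal words, one bit flip, one foreign label, one burst."""
    words = [(i * 0.05, "ADIRU-1", encode_word(0o310, 1, i * 100, 0b11)) for i in range(20)]
    words.append((0.5, "ADIRU-1", encode_word(0o310, 1, 4242, 0b11) ^ (1 << 14)))  # bit flip
    words.append((0.7, "ADIRU-1", encode_word(0o377, 0, 1, 0b11)))                  # not in baseline
    words += [(1.0 + i * 0.03, "ADIRU-1", encode_word(0o311, 1, 7, 0b11)) for i in range(30)]
    return words


if __name__ == "__main__":
    for alert in monitor(sample_traffic()):
        print(alert)
```

The three checks are deliberately simple: a parity failure is a physical-layer symptom, an unexpected label on a bus that normally carries only air-data words is a configuration deviation worth a ticket, and a rate excess is the bus-level analogue of a flood. A real deployment would add per-label plausibility checks on the data field and SSM, and the baseline would be derived from the aircraft's interface control documents rather than written by hand.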
Cyber security industry
In August 2021, Officials of the Air Force Research Laboratory at Wright-Patterson Air Force Base, Ohio, awarded contracts to Booz Allen Hamilton Inc. in McLean, Va., and to Ball Aerospace & Technologies Corp. in Boulder, Colo., for the Trusted and Elastic Military Platforms and Electronic Warfare (EW) System Technologies (TEMPEST) program. The companies will share as much as $200 million for a portion of the TEMPEST program called Agile and Resilient Platform Architectures (ARPA). The objective is to develop, prototype, and demonstrate cyber security technologies to protect avionics in Air Force weapon systems.
The companies will develop security technologies that will include assessment and testing tools; vulnerability mitigation and cyber-hardening technologies; malware detection and adaptive response techniques; and technologies to secure open-systems and agile-architecture platforms.
The companies will also develop techniques to build cyber security and resiliency into next-generation avionics, and to improve the resiliency of avionics at different stages of the acquisition life cycle, from hardening existing legacy systems to designing cutting-edge security technologies into future avionics systems. Ultimately, the companies will develop, demonstrate, and prototype a digital architecture that combines digital engineering, software factories, and current advanced avionics architecture technologies to advance warfighting capability for current and future Air Force weapon systems.