Avionics News September 2014 - 35

Commentary

All in theory
Cybersecurity specialists have made headlines recently
showing, in theory, how avionics can be hacked. A 2013
European security conference presentation focused on
hacking a flight management system and taking over
a flight deck using ACARS (aircraft communications
addressing and reporting system). While it may be
technically possible, it isn't likely, according to some
experts.
"Airlines and GA operators routinely transfer flight
plans via ACARS and other similar methods every single
day without incident," Barber said. "The flight crew on
board the aircraft still has to examine a flight plan before
it is loaded into the FMS and made active for navigation.
This safety measure has been in place since flight plan
transfers first started, and also serves as a security
control."
Still, the risk is real, according to Chris Roberts, founder
and chief technology officer of One World Labs, a
cybersecurity firm based in Denver, Colorado.
"Several years ago, at the request of a client, we
breached a ground-based system that was connected
to a rather large airplane - a 190-ton-empty-weightsize plane," Roberts said. "We broke into the ground
computer with the passcode of '000000' and then
uploaded our own 'crate' to the main avionics and FADEC
system; we knew what and how to do this from simple
research on the Internet.
"We knew how to construct the package, how to
deploy it and a multitude of other factors thanks to
online manuals, patents and other data elements.
The net effect was if the plane had taken off, we could
have instructed the FADEC (full authority digital engine
control) controllers to shut down once the plane reached
a cruising altitude of 35,000 feet, and deploy the flaps.
We could have equally asked it to do many other things
simply by researching. So yes, you need to protect the
systems, protect the environments, and manage and
control those key and critical elements that are designed
to protect the plane both in flight and on the ground."

Balancing security
and technology
By Clay Barber, principal engineer, Garmin

Security as a topic should be taken most
seriously when it can affect safety. Many of
the safety measures that the aviation industry
has been practicing for a long time also help
address cybersecurity since these safety
measures are also effective security measures.
For example, we already maintain configuration
control of aircraft and systems. We already
show that aircraft and systems perform their
intended functions and don't have unintended
functions. Systems already perform validation
of data inputs from other connected devices,
databases and more.
Members of the aviation industry can
and should take common-sense steps to
maintain both safety and security while
striving to provide a good experience for our
customers. The rate of change in consumer
technology will always outpace that of
aviation. This can work to aviation's benefit,
as we can observe the issues created in
the consumer technology space and create
designs that avoid those issues.
Lawmakers and certification authorities
must concentrate on creating fact-based
policy and guidance that is not driven
by sensational anecdotes. Industry and
certification authorities should cooperate to
identify realistic threats and address those
that pose realistic risk to aviation. Policy
and guidance should be sized relative to the
risk. The Federal Aviation Administration
is already moving in this direction with
changes to the Part 23 small aircraft
certification regulations. q

Continued on following page

avionics news

september

2014

Table of Contents for the Digital Edition of Avionics News September 2014