Avionics News September 2014 - 35
Commentary All in theory Cybersecurity specialists have made headlines recently showing, in theory, how avionics can be hacked. A 2013 European security conference presentation focused on hacking a flight management system and taking over a flight deck using ACARS (aircraft communications addressing and reporting system). While it may be technically possible, it isn't likely, according to some experts. "Airlines and GA operators routinely transfer flight plans via ACARS and other similar methods every single day without incident," Barber said. "The flight crew on board the aircraft still has to examine a flight plan before it is loaded into the FMS and made active for navigation. This safety measure has been in place since flight plan transfers first started, and also serves as a security control." Still, the risk is real, according to Chris Roberts, founder and chief technology officer of One World Labs, a cybersecurity firm based in Denver, Colorado. "Several years ago, at the request of a client, we breached a ground-based system that was connected to a rather large airplane - a 190-ton-empty-weightsize plane," Roberts said. "We broke into the ground computer with the passcode of '000000' and then uploaded our own 'crate' to the main avionics and FADEC system; we knew what and how to do this from simple research on the Internet. "We knew how to construct the package, how to deploy it and a multitude of other factors thanks to online manuals, patents and other data elements. The net effect was if the plane had taken off, we could have instructed the FADEC (full authority digital engine control) controllers to shut down once the plane reached a cruising altitude of 35,000 feet, and deploy the flaps. We could have equally asked it to do many other things simply by researching. So yes, you need to protect the systems, protect the environments, and manage and control those key and critical elements that are designed to protect the plane both in flight and on the ground." Balancing security and technology By Clay Barber, principal engineer, Garmin Security as a topic should be taken most seriously when it can affect safety. Many of the safety measures that the aviation industry has been practicing for a long time also help address cybersecurity since these safety measures are also effective security measures. For example, we already maintain configuration control of aircraft and systems. We already show that aircraft and systems perform their intended functions and don't have unintended functions. Systems already perform validation of data inputs from other connected devices, databases and more. Members of the aviation industry can and should take common-sense steps to maintain both safety and security while striving to provide a good experience for our customers. The rate of change in consumer technology will always outpace that of aviation. This can work to aviation's benefit, as we can observe the issues created in the consumer technology space and create designs that avoid those issues. Lawmakers and certification authorities must concentrate on creating fact-based policy and guidance that is not driven by sensational anecdotes. Industry and certification authorities should cooperate to identify realistic threats and address those that pose realistic risk to aviation. Policy and guidance should be sized relative to the risk. The Federal Aviation Administration is already moving in this direction with changes to the Part 23 small aircraft certification regulations. q Continued on following page avionics news * september 2014 35
For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.