The Federal Aviation Administration has decided the time has come to take a close look at the security of its data systems. These systems, which include networks that help the agency run the air traffic control system, send radar images to flight controllers and control connections to the radios that keep flight controllers in touch with pilots in the air.
The FAA has convened a committee of aircraft manufacturers, airline executives and pilots to look into ways to boost the security of these critical systems.
The concern about data security is a fairly new thing for the aviation business. While airlines and aircraft manufacturers have the same exposure to hackers, malware and nation state spies as any other business, until recently little thought had been given to the data systems that support airline flight systems.
But that was before things started to break. In April, American Airlines grounded several flights because their onboard flight planning software crashed as flights were leaving the gate in a number of cities.
Some flights were cancelled and others were delayed. Social media lit up with word that the iPads that pilots were using for flight planning and terminal navigation had crashed and the software they were using had stopped working.
As it turned out, the problem with the airline's iPads wasn’t due to hackers or malware, but rather a bug in the mapping program provided by Jeppesen, an aviation and marine navigation software company owned by Boeing. The problem was fixed in a few days when the software was updated. In the meantime, the airline's pilots flew using paper charts, just as they'd learned to do in flight school.
However, the American Airlines flight groundings demonstrated clearly just how vulnerable aviation safety might be if something even more serious goes wrong.
The potential vulnerability was underscored when the FCC admitted that the agency had been penetrated by a cyber-attack shortly before that and was hiring one of its existing consultants, SRA International of Fairfax, Va. on a sole-source contract to help deal with it.
If you don't recall hearing any news about an FAA cyber-attack, that's because the FAA, unlike most businesses, isn't required to disclose such attacks. But because it's a government agency, it still has to make its procurement actions public and that's how the information came to light.
Fortunately, Washington is overrun with journalists who scour obscure reports for such things and it was Nextgov.com, which is part of Government Executive magazine that published the first reports about the cyber-attack that hit the FAA.
The attack on the FAA is actually part of a much bigger and more difficult problem. How will the airline industry secure the global web of networks that aviation authorities use to provide data and flight clearances to planes, to update flight plans, and that pilots use to send flight plans and other data to the FAA and to their employers. Those networks, which have slowly evolved since they were first put in place in the 1960s, basically just grew. At first, they were never part of any overall plan.