The Federal Aviation Administration has decided the time has come to take a close look at the security of its data systems. These systems, which include networks that help the agency run the air traffic control system, send radar images to flight controllers and control connections to the radios that keep flight controllers in touch with pilots in the air.
The FAA has convened a committee of aircraft manufacturers, airline executives and pilots to look into ways to boost the security of these critical systems.
The concern about data security is a fairly new thing for the aviation business. While airlines and aircraft manufacturers have the same exposure to hackers, malware and nation state spies as any other business, until recently little thought had been given to the data systems that support airline flight systems.
But that was before things started to break. In April, American Airlines grounded several flights because their onboard flight planning software crashed as flights were leaving the gate in a number of cities.
Some flights were cancelled and others were delayed. Social media lit up with word that the iPads that pilots were using for flight planning and terminal navigation had crashed and the software they were using had stopped working.
As it turned out, the problem with the airline’s iPads wasn’t due to hackers or malware, but rather a bug in the mapping program provided by Jeppesen, an aviation and marine navigation software company owned by Boeing. The problem was fixed in a few days when the software was updated. In the meantime, the airline’s pilots flew using paper charts, just as they’d learned to do in flight school.
However, the American Airlines flight groundings demonstrated clearly just how vulnerable aviation safety might be if something even more serious goes wrong.
The potential vulnerability was underscored when the FCC admitted that the agency had been penetrated by a cyber-attack shortly before that and was hiring one of its existing consultants, SRA International of Fairfax, Va. on a sole-source contract to help deal with it.
If you don’t recall hearing any news about an FAA cyber-attack, that’s because the FAA, unlike most businesses, isn’t required to disclose such attacks. But because it’s a government agency, it still has to make its procurement actions public and that’s how the information came to light.
Fortunately, Washington is overrun with journalists who scour obscure reports for such things and it was Nextgov.com, which is part of Government Executive magazine that published the first reports about the cyber-attack that hit the FAA.
The attack on the FAA is actually part of a much bigger and more difficult problem. How will the airline industry secure the global web of networks that aviation authorities use to provide data and flight clearances to planes, to update flight plans, and that pilots use to send flight plans and other data to the FAA and to their employers. Those networks, which have slowly evolved since they were first put in place in the 1960s, basically just grew. At first, they were never part of any overall plan.
FAA Panel to Study Ways to Defend Flight Systems From Hackers
Now, of course, things have changed. The FAA, like its partner agencies in Europe and Asia, is updating its data systems. But those updates are part of a very ambitious, very long-term, plan. That plan needs to be able to meet the challenge of automating the ground-based flight management systems to keep up with advances in technology, and to allow aircraft of all types to stay safe in increasingly crowded skies.
Commercial aircraft, meanwhile, are growing dramatically more sophisticated. Flight controls, navigation and other systems from fuel management to air conditioning are now automated. Flight crews may be communicating with their airlines by digital satellite links and of course passengers want WiFi and movies.
This means that the FAA, which has already been hit by at least one cyber-attack, is trying hard to make sure its networks stay secure enough to keep hackers out.
You may also recall another news report from a few weeks ago about a hacker who claimed to have taken over the engine management systems on board an airliner while he was a passenger. While it’s possible that this did indeed happen, it’s not necessarily the most critical problem faced by international airlines regulators. The fact is that even if such a thing is possible, the risk is very low because very few people can pull it off, and even fewer can do it without anyone noticing.
But other types of cyber-threats are very real. Earlier in June, for example, the operations of LOT Polish Airlines at Warsaw Chopin Airport were disrupted by a cyber-attack on LOT’s flight planning computers. The result was similar to what happened to American Airlines through a software bug, which is to say nearly a dozen flights were grounded and others delayed.
While the attacks on flight planning and management systems don’t necessarily put passengers at risk, because the flights affected are on the ground at the time, they are very expensive. Worse, they have the potential to affect the safety of such flights if the hackers tamper with the wrong data. A good example of this might be in aircraft refueling orders. Order the wrong amount and a flight might not have enough to reach its destination.
The FAA is right to start worrying about these issues today. Until now, the airlines have been out of reach for cyber-criminals and hackers. But that only means that they’ll try harder and it’s a pretty safe bet that one way or another they’ll be able to penetrate the networks. The question then becomes how to protect the data on the networks and how to protect the data that goes to the aircraft.
Ultimately, the FAA needs to consider how to make sure the information that travels over those networks is safe and is delivered accurately, not on whether it’s possible penetrate the network, because it will be penetrated. The problem to address is how to keep that from making a difference.