[Avionics Today 10-26-2015] Safety-critical Air Traffic Management (ATM) systems are at risk of "system-damaging" cyber attacks, according to Civil Air Navigation Services Organization (CANSO) Director General Jeff Poole. During a speech at the Aviation Security (AVSEC) World Conference in Dublin, Ireland on Monday, Poole outlined the risks to air traffic automation systems and how CANSO and other aviation organizations are overcoming that risk.
CANSO Director General Jeff Poole at last month's Global Sustainable Aviation Summit. Photo: CANSO.
Poole outlined a twin-track approach to defending air traffic technology. The first track is working with industry partners to agree on an overall approach and strategy to counter the threat; the second is ensuring that stakeholders implement and tailor an approach that applies to their specific part of the industry.
"The traditional Communications, Navigation, and Surveillance (CNS) and Air Traffic Management (ATM) systems were not designed to counter the threat of cyber-attacks," said Poole. "For example, Automatic Dependent Surveillance-Broadcast (ADS-B) is an open, unencrypted technology whereby data, including aircraft ID, altitude, position, bearing, and speed, can be received by any airborne or ground-based receiver. This makes it vulnerable to spoofing and jamming. As it is unencrypted and lacks authentication, a cyber-attacker could inject false position data into the system, causing problems for air traffic control."
The CANSO chief also noted the risks within ATM modernization programs such as Single European Sky ATM Research (SESAR) in Europe, NextGen in the U.S. and Collaborative Action for Renovation of Air Traffic Systems (CARATS) in Japan, which support net-centric information environments that rely on the exchange of air traffic information and aircraft data to support Collaborative Decision-Making (CDM).
But much like other industries that are vulnerable to cyber attacks and have already suffered massive attacks, aviation leaders are not letting the fear and risk of cyber attacks stifle modernization, innovation, and the introduction of Internet Protocol (IP)-based information sharing. CANSO, for example, published its Cyber Security and Risk Assessment Guide last year to provide guidance for Air Navigation Service Providers (ANSPs) to improve their cyber-security.
On the aircraft side, RTCA Special Committee 216 (SC-216) has a team of experts from Boeing, Honeywell and the FAA working on recommendations and guidance to ensure safe, secure and efficient flight operations amid the growing use of integrated electronic systems and network technologies used onboard aircraft, for CNS/ATM systems and air carrier operations and maintenance. In September 2014, SC-216 published DO-356 to address type certification considerations during the first three life cycle stages of an aircraft type.
The Aviation Information Sharing and Analysis Center (A-ISAC) is also working closely with the U.S. Department of Homeland Security's (DHS) National Cybersecurity and Communications Integration Center (NCCIC), a 24/7 cyber situational awareness, incident response and management center considered by DHS to be the "national nexus of cyber and communications integration." The NCCIC shares information among public and private sector partners to build awareness of vulnerabilities, incidents, and mitigations.
Still, there is more work to do. According to Poole, the Civil Aviation Cyber Security Action Plan is a good first step.
"The Civil Aviation Cyber Security Action Plan and accompanying roadmap, signed by [Airports Council International] ACI, CANSO, [International Air Transport Association] IATA, [International Civil Aviation Organization] ICAO and [International Coordinating Council of Aerospace Industries Associations] ICCAIA, was an important step. The goal of the action plan is to ensure that all industry stakeholders promote a coherent and consistent approach to cyber security; and we are making good progress with implementing it," said Poole.
CANSO's industry high-level group is working with ICAO to develop collaborative approaches to addressing cyber security in aviation and will present a progress report to the 39th Session of the ICAO Assembly in September 2016 with a set of recommendations for industry, states and ICAO in the form of a "declaration on cyber security" for aviation, Poole said.
“Protecting our industry from cyber-threats is hard, probably one of the hardest things we have to tackle as an industry, because we do not know what we are facing or for what we need to prepare,” said Poole. “We need to find new ways to overcome the very real challenges that exist to sharing information: by building trust and recognizing that sharing of information is a collective responsibility; and through a holistic, common and system-wide approach to cyber security in aviation that is consistent with global best practice in cyber security in other fields and that precludes inappropriate, fragmented and reactive approaches to standard-setting and regulation.”