As commercial aircraft increasingly become connected to the larger Internet of Things, the potential for safety risks also rises, the head of Thales’ business operations in the U.S. said Wednesday.
There have already been hacks of aircraft and aviation-related systems, including in-flight entertainment systems, data communications between pilots and ground-based controllers, and airline operations systems that in one case in Europe caused flight cancellations, Alan Pellegrini, president and CEO of Thales USA, said. Thales USA is part of France's Thales Group.
“I’m not trying to scare anybody but these things are happening,” Pellegrini said at the Aero Club of Washington, D.C., monthly luncheon. “As the aircraft become connected, there are real hacks.”
Historically, the changes to commercial aircraft have been incremental, but the aviation industry is beginning to see “exponential” changes in the way aircraft and their systems are connected to ground-based systems and eventually to satellites for navigation with the next-generation air traffic control system, Pellegrini said.
Pellegrini said that “as we reach this exponential part of the curve, and as aircraft do become connected and their systems become connected, and now millions of devices effectively now added to the internet that are all points of vulnerability in one form or another, I think the safety risks do increase.”
Thales designs, develops and manufactures electronic systems used in satellites, aircraft cockpits and cabins, transportation systems and weapons systems. The company also provides cybersecurity capabilities to its customers.
The aviation industry has a strong foundation and culture of safety, Pellegrini said. A culture of cybersecurity can be built on this foundation, he said.
Pellegrini also pointed out that there are firewalls between the systems used to control the flight of aircraft and the other communications and in-flight entertainment systems. The safety features around the flight control systems are “robust,” he said.
But there are shortcomings, Pellegrini said.
“I will submit to you there are many specifications that we get for systems to put on aircraft that don’t have well-established security requirements, and now we as a company (I know others do too) want to try and head that off and address them, but I think as an industry we could collectively do more,” he said.
There is a growing awareness within the industry of cyber hacking and potential vulnerabilities, and more information is being shared, but it’s still not enough, Pellegrini said. Efforts to combat cyber threats and hacking remain “stovepiped,” he said, pointing to the need for industry and government to work together to mitigate potential threats.
The aviation industry could draw on the lessons learned and best practices applied by other private sector groups, such as financial services and retail, to combat cyber threats, Pellegrini said.
“Awareness is great, action is better,” he said. “And we have good models to work on.”
Last year, a team led by the Science and Technology Directorate at the U.S. Department of Homeland Security (DHS) demonstrated that it could remotely hack a parked commercial aircraft. DHS acquired a used Boeing 757 that it parked at the airport in Atlantic City, New Jersey, and conducted a “non-cooperative penetration” of systems aboard the aircraft.
The work DHS is doing is classified, and information about the hack was provided by Robert Hickey, who at the time was the aviation program manager for S&T’s Cybersecurity Division. The disclosure of the hacking ultimately cost Hickey his job.
In a later statement, DHS said that “While certain details of the assessment remain classified,” Hickey’s comments “lack important context, including an artificial testing environment and risk reduction measures already in place. Along with our federal and industry partners, DHS takes aviation cybersecurity seriously and works with both researchers and vendors to identify and mitigate vulnerabilities in the aviation sector. The aviation industry, including manufacturers and airlines, has invested heavily in cybersecurity and built robust testing and maintenance procedures to manage risks.”