Shift5 has introduced a new module for commercial air operators that leverages onboard data to automate compliance with Aircraft Network Security Program (ANSP) requirements. (Photo: Shift5)
On Monday, Shift5 introduced a new module for commercial air operators that leverages onboard data to automate compliance with Aircraft Network Security Program (ANSP) requirements. The company’s focus is onboard operational technology (OT) systems, data acquisition, cybersecurity, and automation of maintenance.
The goal, according to Shift5 CTO Egon Rinderer, is to conduct full data acquisition on all of the OT systems and use that data to improve overall platform security. This includes “automating out very human-intensive things that today are very much clipboard-and-pencil exercises,” he told Avionics in a recent interview. They then automate the resulting reporting and compliance. Historically, this has been done with cybersecurity and maintenance in mind.
Egon Rinderer, Shift5's CTO (Photo: Shift5)
“We have a cybersecurity module and a maintenance module,” Rinderer explained. “We're now introducing a new concept which is a compliance module that automates the compliance data acquisition, analysis, [and] also the reporting piece.” This automation saves customers significant amounts of time, from the aviation and rail industries to the Department of Defense.
“Everybody has compliance mandates that they have to meet,” he said, adding that meeting these requirements is extremely resource-intensive.
Although the new module is vertical agnostic, Shift5’s team has initially focused heavily on the commercial aviation industry because of the maturity of the federal government’s mandates and requirements.
The process involves taking data produced onboard an aircraft and running it through deterministic analysis. For this analysis, Rinderer said, “we're focused on things that can be articulated as rules—thousands and thousands of rules—and determining whether or not you're in compliance with those rules, then automating the ability to report not only the compliance with those rules but the collection and retention of that data.”
In the future, they will shift into non-deterministic analysis that involves understanding behavioral attributes of the platform, he noted. To this end, Shift5 is working with partner customers in the commercial and defense industries today.
Bobby Anderson, Vice President/General Manager for Commercial Aviation at Shift5, also participated in an interview with Avionics to discuss the new module. “Modern aircraft are generating a vast amount of data that's occurring on those aircraft. All those systems are communicating to one another,” he said.
Bobby Anderson, Vice President/General Manager for Commercial Aviation at Shift5 (Photo: Shift5)
Two challenges for airlines, Anderson remarked, are “managing the requirements and the guidelines that have been set out by the FAA and understanding the security logs associated with all of that traffic occurring on that aircraft.”
The compliance module enables airlines to automate the difficult process of managing security logs according to the guidelines of the FAA’s Advisory Circular 119-1.
“Our ANSP compliance modules, which is what we're talking about here for aviation specifically, allow the automation of that ingestion and that analysis back to the operators,” Anderson explained. “Most of the airlines have resource constrained teams. They need to find a way to do it much more efficiently.”
“One aspect of it is how the security logs are being managed and visualized,” he added. “We allow them to retain the security logs and to conduct continuous analysis of the logs to detect anomalies. They can verify compliance and focus on the insights that we provide them in our visualization solution instead of trying to focus on sorting through data, which is essentially billions of messages within the security logs across an aircraft fleet.”
As part of the security log analysis, Shift5 is providing its own assessment of rules established by either the manufacturer of the aircraft or the operator. “We've been able to apply the MITRE ATT&CK framework to those established rule sets,” explained Anderson. “It enables the airline to—through our ANSP compliance solution—focus on what is the most important thing, from a security perspective, based off that MITRE ATT&CK framework.”
Rinderer commented that their efforts are designed to leverage the principles of applied data observability to solve a problem with disparate and unique data sources. “From a technical perspective, we have this challenge of being able to understand the data and get it into a curated state where it can be put to work,” he said.
This week, Shift5 also announced a partnership with JetBlue "to bring cybersecurity and data observability of onboard avionics to commercial aircraft," according to the company. JetBlue Ventures is also investing into Shift5 for the development of new platform capabilities to increase efficiency and safety for commercial air transportation.
Josh Lospinoso, CEO and co-founder of Shift5, explained, “We demystify exactly what happens aboard aircraft from before takeoff to after landing, allowing maintenance, repair, operations, and cybersecurity teams the ability to make data-informed decisions."
Steven Taub, Managing Director, Investments at JetBlue Ventures, remarked, “Their technology has the potential to revolutionize aviation cybersecurity.”