One of the most important improvements in the aviation industry is the updating of the Internet of Things (IoT). And this inevitably affects the way airlines approach aviation safety. Safety has been a priority from the outset, particularly in the aviation industry. Although this is a long-awaited innovation, the integration of IoT equipment in aircraft raises related issues that are not related to cybersecurity risks. Aircraft safety no longer depends on physical safety. It is now also about providing connectivity between aircraft components in the network, including avionics systems.
Aviation, connectivity and cybersecurity risks
In 2015, security researcher Chris Roberts was punished for exploiting vulnerabilities in United Airlines aircraft and briefly flying sideways. According to a widespread FBI report, Roberts hacked the in-flight entertainment system (IFE) on board the aircraft and rigged the crew. Three years later, researcher Reuben Santamarta hijacked overflying aircraft and exploited weaknesses in the satellite communication infrastructure. These shortcomings allowed him to remotely access hundreds of aircraft and spy on them from the ground.
These two events highlighted the new reality of aviation and showed why a high level of flight safety is necessary. In-flight communication is a vehicle for the flow of information from sensors and analysis data. Any digital device can be hacked, especially if it is connected to the Internet. The ability to connect aircraft increases efficiency, but can also create loopholes for unauthorised remote access. And since the connection is based on a network, it is impossible to imagine the significant damage a hacker can do by exploiting even a small error.
For example, the level of safety without consequences according to the design support specified in the avionics certification documents would be a failure that does not affect more than the IFE system. If we remember what Roberts was able to do with the WEI vulnerabilities, are there major risks, even with these low-level security vulnerabilities?
Aviation Cyber Security Certification
How can we guarantee the safety of avionics systems now that the aviation industry is adapting to the new standard for connected aircraft? Over the years, certain certification documents have been introduced to regulate information security and ensure safety on board aircraft. These include DO-326A/ED-202A, DO-355 and DO-356.
TO 326A/ED-202A
The primary certification document for aircraft cybersecurity is DO-326A/ED-202A. Title A specification of the process for ensuring aviation security in spoken language is called Introduction to Cyber Aviation Security. It is also known as the cyber version of the DO-178, the most important certification document for avionics software systems. The preparation of a separate document on aviation information security, other than DO-178, rightly underlines the priority to be given to cybersecurity in the field of avionics.
The instructions in these documents are intended to be carried out throughout the development lifecycle, from design to implementation. The seven steps it comprises look like this: Plan for the safety aspects of certification, definition of safety scope, safety risk assessment, risk acceptance, safety development, assurance of safety effectiveness and transfer of evidence
DO-355
The full name of the DO-355 is the Continuing Airworthiness Information Security Manual. It was published in June 2014 as a compendium of additional operational and maintenance requirements. It differs from DP-326A in that the latter is intended to be carried out on a development scale and not to meet the maintenance needs arising from threats to the safety of aeronautical information.
DO-356
Full name DP-356 – Methods and considerations for flight safety. It was published in September 2014, immediately after the introduction of DO-355. It is an accompanying document to DO-326A/ED-202A that demonstrates compliance with safety requirements at all stages of development.
It should be noted that DO-326A/ED-202A, DO-355 and DO-356 do not contain instructions relating to physical attacks. Instead, they focus on intentional unauthorized electronic interactions, including malware installations and system manipulation.
Airlines should endeavour to fully accept the requirements of these documents for the development and maintenance of their avionics systems. Attention should be focused on identifying compliance gaps. The sooner the gaps in the development phase are identified, the easier it is to address them.
In addition, information and physical security must be constantly monitored, as threats are constantly being detected. Malicious cops look for any weakness they find. It is therefore necessary to check safety, even and especially when the system is in order.
The provisions of DO-326A/ED-202A and other documents are not yet mandatory. At the moment, they mainly serve as a guide. However, airlines that recognise its necessity have integrated its rules into their avionics development processes. In any case, some time was spent negotiating to make the requirements of DO-326A/ED-202A mandatory for all aircraft on board.
About the Author : Michael Usyagvu is entrepreneur, Tech Pr expert and CEO of Visible Links Pro. It helps various organizations to keep abreast of the latest technologies. Some of the useful documents can be found in Readwrite, InfoSecurity Magazine, Hackernoon and many others. She is very open to the idea of helping organizations develop their latest technologies.
Editor’s note : The opinions expressed in this guest post are those of the author alone and do not necessarily reflect the views of Tripwire, Inc.
Related Tags:
do-355/ed-204,asisp,rtca,do-178b,faa,do-326a,rtca do-355,rtca do-356,eurocae ed-203a,amc 20-42,do-254,design assurance level,do-254 dal levels,development assurance level b,arp4754,eurocae ed-80,avionics hardware design,rtca do-326a pdf,do-326a download,do-356a pdf,faa cybersecurity regulations,ed-202a