The Federal Aviation Administration has begun shaping cybersecurity regulations for airplane manufacturers, amid warnings that the criss-crossing of onboard networks poses risks to flight safety.
Researchers have been invited to build upon an FAA-developed framework for testing a plane’s susceptibility to hacks, agency officials announced on a federal contracting site.
The new FAA initiative is geared toward informing federal policies for aircraft suppliers.
Over the past two years, verified network intrusions at FAA and airports worldwide, along with claims of in-flight hacks, have intensified public and government attention to aviation cybersecurity.
The framework will be tested on an air-to-ground data communications network, called the Aircraft Communications Addressing and Reporting System, that airlines use to communicate with air traffic control, national aviation authorities and their own operations centers.
The potentially 5-year study will weigh steps for spotting bugs in plane systems and reducing the chances those weaknesses will cause harm, as part of "FAA’s eventual development of aviation policies, regulation and training requirements to ensure the resilience of aircraft network systems from cyberattacks," a March 1 contracting notice states.
An initial 9-month, $900,000 phase will flesh out the agency’s so-called safety risk-assessment framework and gauge whether it is practical to use.
The framework consists of a vulnerability assessment, threat analysis, "asset valuation" and an overall risk assessment that measures the likelihood a cyberincident will occur and its impact on flight safety, FAA says.
If funding and time allow, other systems will be assessed and the framework will be refined.
The initiative is part of larger research into avionics weaknesses across the U.S. national airspace system “to assist decision-making by the FAA’s Aviation Safety (AVS) organization to establish appropriate safety policies and regulations,” the agency says.
Separately, last June, an industry working group organized by FAA began developing cybersecurity standards for commercial aircraft, ranging in size from the largest commercial jetliners to small private planes, according to The Wall Street Journal.
On June 21, 2015, operations were disrupted at Warsaw Chopin Airport by what LOT Polish Airlines described as a cyberattack on flight-planning computers, the Journal noted. Ten flights were canceled and others were grounded for several hours.
Stateside airports also have been targeted in recent years.
In 2013, a prolonged operation to spy on aviation systems at 75 U.S. airports was caught by the cooperation of government and industry, according to the Center for Internet Security, a nonprofit group that works closely with state and local governments. Systems at two unnamed airports were compromised by the attackers, who had sent targeted spear-phishing emails to aviation personnel.
Just last month, FAA said it needs urgent help to protect its systems from looming cyberthreats.
"Due to evolving and potential cyber events, the FAA requires critical and immediate cybersecurity methodology support to protect FAA infrastructure from malicious activities," states a Feb. 9 presolicitation notice. At the time, an FAA spokeswoman said the notice refers to potential security incidents, adding the agency is not currently experiencing a network attack.
The ramp-up in aviation cybersecurity precautions comes a year after attackers infected an FAA administrative computer network with a virus through an email.
Shortly afterward, auditors at the Government Accountability Office warned mission-critical air traffic control systems are susceptible to cyberattacks because the networks are closely intertwined with nonairspace systems.
FAA officials say the new policymaking effort is a result of GAO’s finding that interconnected networks in future generations of aircraft aimed at enhancing safety could actually jeopardize safety.
"The increased connectivity, particularly to external networks and systems without sufficient security controls could introduce information security vulnerabilities, which, if exploited, might impact the safety of aircraft operations and continued airworthiness,” the announcement states. The specific systems that could present a problem include airline operation centers, airport gate links, flight information databases, and aircraft software uploads and maintenance.
Already, a commercial aircraft passenger claims to have forced a thrust management computer to climb by hacking into an in-flight entertainment system, according to an FBI affidavit. Chris Roberts, the flier and a security expert, told authorities last spring he has manipulated networks mid-flight on multiple occasions and, in that one instance, he caused a plane to briefly move sideways.