FAA: Always focusing on security
Recently, the Federal Aviation Administration (FAA) contracted with Astronautics, Inc. to identify cyber threats and bolster overall cybersecurity. Finding and addressing vulnerabilities in aviation networks is nothing new to the FAA, but concerns regarding increasing cyber threats are mounting for the industry.
Since its inception, aviation has relied upon independent and closed systems, such as two way analog radios, radar tracking, and stand-alone navigation equipment. With the development of new technology, the aviation industry has been gradually shifting to the use of digital networks for onboard navigation and flight control systems.
Now, ground systems, such as air traffic control facilities, are also moving to highly integrated and interdependent computer systems.
The introduction of NextGen - a new satellite-based aircraft navigation system - by the FAA allows voice and digital communication between pilots and air traffic controllers, along with tracking by a system meant to enhance the safety and capacity of the air traffic control system.
This system is linked through what is called the System Wide Information Management (SWIM) program, which provides for full integration between airspace users (pilots/aircraft) and FAA employees. This integration alone is a potentially high risk prospect due to the inherent vulnerabilities involved with such interconnectedness.
In March 2015, the FAA updated its En Route Host computer - a 40 year-old system - with the new ERAM system (En Route Automation Modernization), effectively laying the foundation for air traffic control to move from a ground-based radar system to a satellite-based surveillance system.
This upgrade touted increased efficiency and improved safety features through conflict detection (planes too close or other possible risks), improved air traffic flows to increase capacity, and better automated navigation meant to help prevent future delays and gridlock as air traffic volume continues to increase.
The new linked systems also provide other benefits directly related to maintenance issues that an aircraft may be experiencing. The new digital systems are designed to troubleshoot aircraft faults and failures and then send that information to ground maintenance personnel.
In many instances, this can speed up the repair process since the parts can be quickly ordered and personnel prepared to address the issue when the plane lands, thus minimizing the aircraft downtime and delays.
"With the advancement of these new technologies, aircraft airworthiness is greatly improved because any issue that occurs while the plane is inflight is relayed to the ground maintenance team via the interlinked system, allowing the maintenance team to assess the issue and in most cases order a new part/parts before the aircraft even lands" ~ David Arsenault, Director of Aircraft Maintenance, Executive Flight, Inc.
Vulnerabilities & weaknesses
Several reports from the Department of Transportation (DOT) Inspector General (IG) have found vulnerabilities and weaknesses in air traffic control and its increased connectivity, including in its access control and intrusion-detection capabilities.
A report issued in 2012 noted that security requirements for the new ERAM system had not been adequately implemented, and in 2014 a new report noted that weaknesses still existed with ERAM, the FAAs traffic flow management system.
Vulnerabilities may also increase with the implementation of the the new ADS-B (Automated Dependent Surveillance-Broadcast) system that will be used to monitor and track planes via satellite, replacing the ground-based radar system. The FAA website states that "ADB-S-Out uses GPS technology to determine an aircraft's location, airspeed, and other data...[and]...operators of aircraft equipped with ADB-S-In can receive weather and traffic position information delivered directly to the cockpit."
Some experts believe, and the Government Accountability Office has maintained that, due to the system's open architecture and its unencrypted signals, it is vulnerable to hackers, jamming, spoofing, and other intrusions, so developing a comprehensive risk assessment method is definitely a positive step in the right direction.