Page 23 - 2018-Issue3
P. 23

PAGE 22  CYBERSECURITY IN AVIATION                                                                          PAGE 23

                   “To mitigate threats in

                   the realm of Informa-
 IFALPA has been advocating coordination   In civil aviation, we tend to look at chang-  tion Security, we need
 of Cybersecurity efforts at a global level for some  es to our system design with a level of suspicion.
 years now.  The Federation has been strongly  For safety critical systems,  every  change,  how-  to adapt the way we
 supporting the work initiated by ICAO and is an  ever  minor,  must  be  certified.  This  is  true  not
 active participant in its Secretariat Study Group  only for the aircraft and its components, but also   look at Aviation Safety.”
 on Cybersecurity.  for the systems used by air traffic control. From
 So why are we concerned about this rela-  a safety perspective, this certainly makes sense.
 tively new threat?  The answer  is  twofold.  First,  Every change in a single component could im-
 and  most evidently;  the  systems ensuring  the  pact the safety of the system as a whole.
 safety  of  flights,  including  air  traffic  manage-  When we look at this procedure from an
 ment,  airline  operations,  and  the  aircraft  itself,  information security perspective, however, it be-
 rely more and more heavily on electronic data.  gins to make less sense.  We end up with a situa-
 Much of the data that is transferred is essential  tion in which systems remain vulnerable because
 to  ensure  flight  safety.  However,  the  protec-  they may not be updated without certification,
 tion of this data is not currently at the level one  and the requirements to certify are far too ex-
 might expect. Much of the technology used to-  tensive to perform every update cycle. Bi-yearly
 day was developed at a time when aircraft were  updates are not uncommon in air traffic man-
 relatively unconnected to the outside world, and  agement systems, and looking at many aircraft
 therefore was not designed to properly protect  systems, update frequencies are even worse.
 the information carried. In many cases, a system   To mitigate threats in the realm of Infor-
 receiving information is unable to determine the  mation Security, we need to adapt the way we
 sender,  or  whether  the information was tam-  look at Aviation Safety. We may have to accept
 pered with between the moment it was sent and  certain changes more readily than we are used
 when it was received.   to. We must search for ways to compare the risks
 The second reason we are concerned with  involved. In one situation, the risk of changing
 Cybersecurity is because it is an area where the  the  system could  be  greater  than  the  risk the
 aviation community lacks specialized expertise.  update  is trying to prevent,  but in the next, it
 It is at the convergence of three disciplines: Avi-  may well be the other way around. Ultimately,
 ation Safety, Aviation Security, and Information  we need a new combined and comprehensive
 Security.  While  there  are  many  experts  with  a  view  on  aviation  risk, where  all disciplines  are
 background in one or two of the three, there are  combined into an overall system.
 very few who oversee them all. Each of the dis-  Of  course,  this change  will not  happen
 ciplines has its own vocabulary, its own point of  overnight.  It  will  take  a  lot  of  effort  to  reach
 view, and its own management methods. For ex-  this goal and in the meantime, we should take
 ample, Risk Management is a concept employed  smaller steps to mitigate the risks we face today.
 by all three disciplines,  but its meaning differs  One of the resources that is often forgotten in
 completely depending on the background con-  this respect is the human being. IFALPA strongly
 text.  believes that the users of safety critical systems
  The challenge we face is to bring these  should be trained properly, e.g. air traffic con-
 worlds together. As an example, consider a key  trollers and pilots. They should be aware of the
 aspect of how you keep your computer safe and  potential that information presented to them   CAPTAIN JEROEN KRUSE holds a Master of Science
 secure. Every day, new vulnerabilities are discov-  should be questioned  as it could be compro-  in  Artificial  Intelligence.  He  obtained  his  pilot’s
 ered in the software used to run your computer.  mised, of which systems are more susceptible to
 These are discovered by breaches that are de-  interference, and of how to detect such an inter-  licence in 2002, and for the past fourteen years he
 tected in systems  using the same  software,  or  ference. Last, but certainly not least, they should   has been piloting aircraft for the flag carrier of the
 by  ethical  hackers  who  have  shared  this infor-  be aware of how to respond. In many cases  a   Netherlands, first on the Fokker 70 and 100, and
 mation with the producer. Regularly, every two  fall-back scenario is available, but it will not be   currently on the Boeing 777 and 787. On behalf
 weeks on average, you will receive updates of  helpful if it is not used due to lack of awareness.
 the software you need to install to fix these vul-  In conclusion, it is encouraging to see the   of the pilot community he has been involved in
 nerabilities. Once the fix is available, information  subject of Cybersecurity getting the attention   Aviation Security since 2008, and he currently chairs
 about the vulnerability is usually published. As  it deserves. Regional initiatives are taking place   the Cybersecurity WG of the European Cockpit
 a result, every hacker now knows about the vul-  around the globe to work on an optimum solu-  Association. On behalf of IFALPA he is a member of
 nerability, and can exploit it on systems that did  tion to provide a safe and secure civil aviation
 not install the updates. So, keeping your system  environment. IFALPA is looking forward to con-  ICAO’s Secretariat Study Group on Cybersecurity.
 up-to-date is an essential aspect of keeping your  tributing to help align these efforts at a global
 computer secure.  level.
   18   19   20   21   22   23   24   25   26   27