Page 23 - 2018-Issue3
P. 23
PAGE 22 CYBERSECURITY IN AVIATION PAGE 23
“To mitigate threats in
the realm of Informa-
IFALPA has been advocating coordination In civil aviation, we tend to look at chang- tion Security, we need
of Cybersecurity efforts at a global level for some es to our system design with a level of suspicion.
years now. The Federation has been strongly For safety critical systems, every change, how- to adapt the way we
supporting the work initiated by ICAO and is an ever minor, must be certified. This is true not
active participant in its Secretariat Study Group only for the aircraft and its components, but also look at Aviation Safety.”
on Cybersecurity. for the systems used by air traffic control. From
So why are we concerned about this rela- a safety perspective, this certainly makes sense.
tively new threat? The answer is twofold. First, Every change in a single component could im-
and most evidently; the systems ensuring the pact the safety of the system as a whole.
safety of flights, including air traffic manage- When we look at this procedure from an
ment, airline operations, and the aircraft itself, information security perspective, however, it be-
rely more and more heavily on electronic data. gins to make less sense. We end up with a situa-
Much of the data that is transferred is essential tion in which systems remain vulnerable because
to ensure flight safety. However, the protec- they may not be updated without certification,
tion of this data is not currently at the level one and the requirements to certify are far too ex-
might expect. Much of the technology used to- tensive to perform every update cycle. Bi-yearly
day was developed at a time when aircraft were updates are not uncommon in air traffic man-
relatively unconnected to the outside world, and agement systems, and looking at many aircraft
therefore was not designed to properly protect systems, update frequencies are even worse.
the information carried. In many cases, a system To mitigate threats in the realm of Infor-
receiving information is unable to determine the mation Security, we need to adapt the way we
sender, or whether the information was tam- look at Aviation Safety. We may have to accept
pered with between the moment it was sent and certain changes more readily than we are used
when it was received. to. We must search for ways to compare the risks
The second reason we are concerned with involved. In one situation, the risk of changing
Cybersecurity is because it is an area where the the system could be greater than the risk the
aviation community lacks specialized expertise. update is trying to prevent, but in the next, it
It is at the convergence of three disciplines: Avi- may well be the other way around. Ultimately,
ation Safety, Aviation Security, and Information we need a new combined and comprehensive
Security. While there are many experts with a view on aviation risk, where all disciplines are
background in one or two of the three, there are combined into an overall system.
very few who oversee them all. Each of the dis- Of course, this change will not happen
ciplines has its own vocabulary, its own point of overnight. It will take a lot of effort to reach
view, and its own management methods. For ex- this goal and in the meantime, we should take
ample, Risk Management is a concept employed smaller steps to mitigate the risks we face today.
by all three disciplines, but its meaning differs One of the resources that is often forgotten in
completely depending on the background con- this respect is the human being. IFALPA strongly
text. believes that the users of safety critical systems
The challenge we face is to bring these should be trained properly, e.g. air traffic con-
worlds together. As an example, consider a key trollers and pilots. They should be aware of the
aspect of how you keep your computer safe and potential that information presented to them CAPTAIN JEROEN KRUSE holds a Master of Science
secure. Every day, new vulnerabilities are discov- should be questioned as it could be compro- in Artificial Intelligence. He obtained his pilot’s
ered in the software used to run your computer. mised, of which systems are more susceptible to
These are discovered by breaches that are de- interference, and of how to detect such an inter- licence in 2002, and for the past fourteen years he
tected in systems using the same software, or ference. Last, but certainly not least, they should has been piloting aircraft for the flag carrier of the
by ethical hackers who have shared this infor- be aware of how to respond. In many cases a Netherlands, first on the Fokker 70 and 100, and
mation with the producer. Regularly, every two fall-back scenario is available, but it will not be currently on the Boeing 777 and 787. On behalf
weeks on average, you will receive updates of helpful if it is not used due to lack of awareness.
the software you need to install to fix these vul- In conclusion, it is encouraging to see the of the pilot community he has been involved in
nerabilities. Once the fix is available, information subject of Cybersecurity getting the attention Aviation Security since 2008, and he currently chairs
about the vulnerability is usually published. As it deserves. Regional initiatives are taking place the Cybersecurity WG of the European Cockpit
a result, every hacker now knows about the vul- around the globe to work on an optimum solu- Association. On behalf of IFALPA he is a member of
nerability, and can exploit it on systems that did tion to provide a safe and secure civil aviation
not install the updates. So, keeping your system environment. IFALPA is looking forward to con- ICAO’s Secretariat Study Group on Cybersecurity.
up-to-date is an essential aspect of keeping your tributing to help align these efforts at a global
computer secure. level.