In light of recent developments in aviation, where cybersecurity experts (example) have shown that it is possible to gain access to onboard aircraft systems, industry experts (and not only they) have started thinking.
What are we doing to ensure safety?
And we are doing quite a lot. There are many existing guidelines that contain recommendations and practices, for example:
RTCA DO-178 "Software Considerations in Airborne Systems and Equipment Certification" contains recommendations for evaluating safety and for software quality assurance. Access is separated, since all systems are tied to one another in some way through the onboard network (take, for instance, maintenance functions for fault detection):
As the picture shows, the degree of system integration in such an architecture is high. No one could have imagined that certain individuals (let's call them that) would want to get into the onboard network and fly off to the wrong destination. Is it time to change the statistics on disasters and incidents?
Recently, I received a letter from the Congressional Research Service (CRS; the research service of the US Congress) dated 2015. The letter contains quite interesting statements, for example:
- The high degree of integration of onboard equipment (which we are all so eager for) creates security vulnerabilities;
- The FAA (US Federal Aviation Administration) did not properly implement the requirements for the Next Generation Air Transportation System (NextGen), the air traffic control system;
- The integrated information management network called SWIM, based on satellite navigation and tracking of aircraft and on digital voice and data, creates significant and unresolved cybersecurity issues;
- ADS-B technology, which is planned as a replacement for traditional radar, is inherently vulnerable to hacking due to its open architecture and its use of unencrypted signals.
In this connection, the GAO strongly recommended that the FAA:
- Apply in full the “Information Security Recommendations over the life cycle of systems” developed by NIST (the National Institute of Standards and Technology, which also maintains a database of vulnerabilities);
- Place greater emphasis on the quality assurance of onboard systems and consider safety and integrity issues in the airworthiness certification process.
Is this enough? No. The FAA still considers the RTCA guidelines acceptable for software certification, although it recognizes that the guidelines do not fully cover all areas of software development and life-cycle processes, and can sometimes be misinterpreted.
A digression. It took more than 2 years to interpret the requirements of ARP4754A correctly and bring them into our Russian Guide 4754A, and the aforementioned DO-178C was made consistent with the Qualification Requirements of Part 178 (-178) from 2012 and will be adopted soon.
Needless to say, the problem has finally been recognized. It is there, it exists. Some people started thinking about it while watching the Discovery film “Inside A Plane Crash”, a remote crash test by Boeing. Some began to spread panic and exposés. Nevertheless, at present there is no single integrated approach to cybersecurity in civil aviation. The American Institute of Aeronautics and Astronautics (AIAA) has published a general framework on aviation cybersecurity. The International Air Transport Association (IATA) has developed a cybersecurity toolkit. However, the FAA did not endorse them and set itself the goal of developing its own strategy defining cybersecurity approaches for the entire aviation system. In fact, work in aviation proceeds slowly, but with the deepest control and analysis of everything, so you can be calm and confident that you will fly safely.
P.S. After the letter was published, Congress should have defined the role and responsibility of the FAA in the field of onboard equipment certification, as well as the rules for NextGen, but no information on these issues has yet appeared.
P.P.S. There are standards, for example on encryption and cryptography, that are recommended for use in aviation (one of these is ISO/IEC 27002, which has never been encountered in Russian practice).