Thales is accelerating its efforts to improve cybersecurity in avionics with the air transport increasingly recognizing the gravity of the threat computer hackers present. Civil aviation authorities have committed to tackling the problem, too, Bruno Nouzille, head of Thales’s avionics business, said in a recent meeting organized by the French association of aerospace journalists (AJPAE). Thales’ efforts have led the European company to hire more engineers in the field.
So far, no evidence supports last year’s claims by cybersecurity expert Chris Roberts that he hacked the engine controls of a Boeing 737-800, according to Nouzille. However, the FBI continues to investigate the alleged incident. Nevertheless, Thales believes future danger from such cyber attacks cannot be discounted. Nouzille would not specify from where the threat comes but he did predict 70 percent of the global fleet in 2025 will offer in-flight connectivity to passengers. Hacking attempts might also come from the ground.
Even though cockpit avionics suites and cabin in-flight entertainment system share relatively little information, Nouzille acknowledged a connection between the two that cyber attackers can potentially exploit. Even in flight-safe mode (WiFi off, bluetooth off) a laptop computer can be hacked, he pointed out. Thales for years has worked on cybersecurity outside aviation–it employs 1,500 experts. A Thales brochure describes risks such as virus, disinformation, saturation, destabilization, destruction and data theft.
Anti-hacking efforts should involve a three-tiered response. First, engineers should design protection into those systems that have an interface with the “open world” (for communications or maintenance purposes, as well as electronic flight bags). Second, the “deep defense” level should detect that an attack has successfully pierced the first layer of protection. It should then guarantee redundancy.
Finally, a dedicated team should monitor threats and update software programs accordingly. Thales’s 15-person computer emergency response team (CERT) does exactly that in Toulouse, France. The European Aviation Safety Agency has suggested that governments should create CERT at the European level, Nouzille noted.
Last December, the European Commission drafted a cybersecurity roadmap for air transport. ASD, the lobbying association for the aerospace and defense industry, has already commented. The EC is supposed to task EASA to ensure cybersecurity for aviation. At a global level, ICAO has released guidelines. IATA, CANSO (the association of air traffic service providers) and Airports Council International have become involved as well. “Cybersecurity is becoming part of aerospace’s DNA,” Nouzille said.
A pilot representing the SNPL France union expressed concern that connectivity used for air traffic control might contain security loopholes. In an insecure area, a pirate on the ground might fool a crew into believing he is an actual controller, the pilot suggested. Then, the hacker might use controller pilot datalink communication (CPDLC) to send a hazardous rerouting input into the avionics system.