The FAA has selected Astronautics Corp. for a research project that will help establish methods for evaluating cybersecurity threats in aircraft electronics systems, specifically related to aircraft certification and ongoing maintenance.
The research will be done in three stages and involves “the development of an efficient, timely and repeatable process that identifies system security vulnerabilities, threats and safety risks, including risk-mitigation information,” according to Astronautics. The FAA will use the research to support “development of aviation policies, regulations and training requirements to ensure flight safety and the security of aircraft network systems from cyberattacks.”
“We’ve been active in this area,” said Astronautics president Chad Cundiff. “There is a lot more effort going into cybersecurity, and research needs to be prepared to instigate actions that are getting taken. What we’re doing working with the FAA is to try and develop the methodology to come up with the right model to do an analysis of whether something is cyber secure or not. We’ll do a safety risk assessment, then here’s the methodology and let’s apply this to the system. We’re finding out where the vulnerabilities and risks are, and then how to address them.”
Astronautics has a long history of cyber-security development with airborne electronics, including with its own Nexus electronic flight bags and development of a network server for the Airbus A400M. “A lot of cybersecurity went into that,” he said.
The three-stage process includes first developing “a mature safety risk assessment framework,” the company explained. This involves adapting Astronautics’s own cybersecurity processes “to support the implementation of the FAA aircraft system information security/protection and safety risk assessment framework.”
In the second stage, Astronautics will study the application of the safety risk assessment methodology on a model of the aircraft communications addressing and reporting system (ACARS) digital datalink. The FAA will use the results of this to refine the safety risk assessment technology.
The third phase will apply “the refined and approved methodology to a second safety risk assessment model that will be defined at a later time.”
The entire contract is expected to take less than a year, and Astronautics will assign current employees to work on it at its Milwaukee, Wis. headquarters. The work is expected to begin in October.
According to Cundiff, the research will benefit the entire aviation industry. “Astronautics is already involved in areas of cybersecurity,” he said, “and has been for over a decade. This keeps us at the forefront, and the more you do, the smarter you get. We’ll ask some challenging questions, take advantage of our experience and move the ball forward regarding the methodology and safety risk assessments.” Astronautics is also a member of the Aircraft Systems Information Security/Protection working group, which is charged with making recommendations on cybersecurity.
As more people expect to stay connected to the internet while airborne, cybersecurity issues will become more critical in aviation. “The more that happens, the more you open up access for more people to potentially see if they can find vulnerabilities in the system,” Cundiff said. “Aviation is very safe, but as we open up the aperture on connectivity, we need to stay in front of that. We have to have the right rigorous method to assess vulnerabilities.
“This is an opportunity to stay deeply involved,” he concluded.