FAA Advisory Body Recommends Cybersecurity Measures
September 22, 2016
  • Share
  • WASHINGTON—U.S. aviation authorities on Thursday took the strongest formal action yet to combat potential cyberthreats to planes in the air as well as on the ground.

    The Federal Aviation Administration’s top technical advisory group adopted language seeking to ensure that cybersecurity protections will be incorporated into all future industrywide standards—affecting everything from aircraft design to flight operations to maintenance practices.

    The move by RTCA Inc.’s program-management committee at a meeting here stops short of mandating detailed engineering requirements or safeguards. Those are reserved for FAA-created committees of experts focused on drafting specific standards for individual industry segments.

    But by officially elevating cyber issues to such a high priority for the first time, the decision means manufacturers, carriers, maintenance facilities and even airports eventually will be obligated to include cybersecurity factors in routine activities.

    The RTCA committee, among other things, called on manufacturers to rely on “a layered approach to aircraft security risk mitigation,” spanning both software and hardware. That includes consideration of how vulnerabilities “could propagate to existing downstream systems.”

    The move is “undoubtedly very important,” according to veteran RTCA committee member George Liger, because such language goes substantially beyond previous generic cyber-protection guidance. “At a high level,” he added, “it makes sure appropriate considerations will be given” to cyber vulnerabilities across the board. From now on, he noted, “this will apply to everything we do.”

    The guidelines apply to all aviation standards that ultimately end up as regulations, advisories or guidance documents adopted by the FAA.

    Mr. Ligler’s panel piggybacked on more than a year of work by a separate international working group of industry and government officials assembled by the FAA. That earlier panel, among other things, recommended that all airplane systems must be protected from potential hackers or other unauthorized intrusions.

    And the FAA ought to formulate new airworthiness regulations, according to the international advisory panel, requiring that such security risks “have been identified, assessed and mitigated as necessary.”

    Unlike previous, less-rigorous cybersecurity documents, the international advisory report presented to the FAA emphasized keeping safeguards effective during day-to-day operations. The group highlighted the importance of companies and regulators demonstrating that “security protections are maintained.”

    The long-term goal is to “secure the systems up front” by relying on thorough design requirements, Jens Hennig, co-chairman of the international advisory group, said on Thursday. But then “operators have to maintain the same security,” he added.

    The final report prepared by Mr. Hennig and more than 30 other cyber experts was presented to senior FAA officials last week, but it hasn’t been released.

    The FAA official heading up the agency’s dealings with the RTCA panel declined to comment.

    Cybersecurity concerns have escalated lately across the industry, with U.S. and European regulators scrambling to coordinate efforts. “Any cyber attacks should be treated as an accident,” Luc Tygat, a senior official of the European Aviation Safety Agency, said at a conference here in June. He said “contamination can come from any part of the system,” adding that the problem is “quite fluid, and evolving very quickly.”

    The document approved Thursday, called a drafting guide for performance standards, lists “signal detection spoofing capabilities” as one technique to guard against potential cyber attacks. Such features typically relate to new cockpit-warning systems that can alert pilots of unauthorized digital transmissions.

    To protect cabin entertainment systems, the RTCA panel urged use of tamper-proof connectors “that require special tools to remove.”