Saturday, October 15, 2016

Aviation Officials Step Up Cybersecurity Checks of Older Messaging System: Concerns that decades-old data-transmission network is vulnerable to hacking fuel movement to modernize

The Wall Street Journal
Oct. 15, 2016 2:36 p.m. ET

U.S. and European aviation authorities are focused on cybersecurity threats that could affect a basic data-transmission system widely used by airlines around the world.

Such concerns about the decades-old system, called Acars and primarily used for air-traffic purposes and to provide information about the status of various aircraft components during flights, have surfaced in the past few months on both sides of the Atlantic. The issue has been raised in U.S. government contracting documents, as well as in comments by industry officials and high-level European safety regulators.

The information sent by the Acars network from planes to the ground isn’t considered safety critical, nor does the system handle any data that could immediately imperil safe operation of flights. No specific hacking attempts or intrusions have been detected, government and industry officials said.

But as the industry moves to revise 1980s-vintage transmission protocols and methods, including use of new frequencies and expanded messaging formats, experts have expressed heightened worries about the vulnerabilities of Acars to hackers or other types of outside intrusions. Because of its age, the system lacks some of the safeguards embedded in newer onboard messaging networks.

Disruptions of Acars could result in major problems for airline scheduling, maintenance or other operational functions, experts interviewed over the past few months said. Acars stands for Aircraft Communications Addressing and Reporting System, originally designed to send short air-to-ground messages. Future uses envision dramatically greater capacity and a wider range of messages.

In September, the Federal Aviation Administration awarded a first-of-a-kind contract to Milwaukee-based Astronautics Corp. to develop comprehensive risk-assessment tools to pinpoint cybersecurity vulnerabilities of aircraft electronics. Acars is slated to be the first onboard system that will be examined using those tools.

At the time, Astronautics said it planned to devise an “efficient, timely and repeatable process” to identify cyberthreats and risk-mitigation strategies.

FAA officials have declined to comment specifically about Acars or details of the contract. In an email on Thursday, the agency said it “will continue to further strengthen its capabilities to defend against new and evolving” cyberthreats.

Earlier, a top official of the European Aviation Safety Agency singled out Acars as a prime example of the need for stepped-up cybersecurity reviews of onboard data systems. Luc Tytgat told an FAA-EASA conference in Washington in June that work was under way “to see if we should not go back to certification” studies of Acars vulnerabilities.

Mr. Tytgat indicated Acars was at the top of the list for cybersecurity reviews, but added that EASA also planned to screen newer air-traffic-control technologies ready for deployment as part of a “total systems approach” that is “not something which is easy to implement.”

Since then, several industry officials familiar with the details confirmed that the agency is specifically delving into such matters.

An EASA spokesman this month said the Acars studies are part of a broader effort to update certification requirements for new aircraft, anticipated to take effect starting next year. He said the agency also is looking at possible enhanced safeguards for Acars and other existing systems on today’s fleet of commercial aircraft.

The activity comes amid escalating worries about cyberthreats to commercial aviation in general. Those threats have prompted a variety of government and industry responses, including devising future standards to ensure that any successful hacks will be detected and neutralized.

In addition, the FAA’s top outside technical advisory group in September agreed to pay greater attention to cybersecurity threats across the full range of onboard equipment, internet connections and air-traffic-control communications. The updated guidelines are intended to affect areas including aircraft design, flight operations and maintenance practices, among others.

As airlines, business jets and even small private aircraft become more connected to more ground and satellite links, the FAA also is considering separate recommendations from a joint industry-government panel to tighten federal oversight of cyber-related protections.

Original article can be found here:

No comments: