Friday, August 16, 2013

Just Before the Crash: Locked on Cyber-Free Auto Pilot Too Long, American Aviation Finally Launches Cybersecurity Initiative

Driven by advances in communications and cyber technology, global aviation is on the precipice of momentous change. But what will it mean for air travelers?

Many of aviation’s operational procedures (radio communications, radar and human controllers, to name a few) have not substantially changed for 70 years. With increasing air traffic pushing this system to its physical limits, the industry is turning to Internet-based technologies like eEnabled aircraft and highly connected air traffic control systems.

But it appears there’s a glaring disconnect between the industry’s embrace of Internet technologies and its awareness of cybersecurity threats. The American Institute of Aeronautics and Astronautics recently stated:

“Cyber adversaries are numerous, adaptive, attack from multiple fronts, and are far-reaching. It is not a question of if there will be an attack, but rather when, and what the outcome will be.”

With the potential for a cyber-fueled aviation disaster looming, I set out to the annual aviation industry gathering in Los Angeles, where the aviation industry was set to unveil its “Framework for Cybersecurity” decision paper.

And what I found is unsettling for air travelers.

“Cyber-Free Autopilot” Steering the Plane

I checked the AIAA website to see how much attention the association has devoted to cybersecurity. Here’s the result:
  • 42 prior major AIAA meetings: zero cyber topics.
  • 96 standards issued by the Association: zero cyber standards.
  • 16 published journal articles: zero on cybersecurity.
  • Spot checks of the last 18 months of Momentum, the Association’s monthly newsletter: out of hundreds of articles, there were three mentions of cybersecurity, all conference announcements. 
“Cyber-free autopilot” indeed.

Former White House cybersecurity czar Richard Clarke’s keynote address started with the oft-stated warning that in regard to cybersecurity, the U.S. is in a “pre-9/11 position”. He proceeded to give aviation a slap in the face by characterizing its readiness in cybersecurity as “where the utilities and finance industries were several years ago.”

…which would be close to nowhere, to be exact. Unfortunately, the conference left me thinking Clarke is pretty close to right.

This conclusion was both troubling and perplexing. It’s troubling because commercial aviation’s major product is safe air travel, something the industry needs to uphold if it continues to be viable. It is perplexing, however, that even today, in the second decade of serious cyberattack threats, an industry with such an excellent safety record could let these cyber threats loom without taking substantive action to mitigate the risks to their operations.

It’s also perplexing because I spoke with aviation professionals from Boeing, Raytheon and others, all of whom clearly indicated an awareness of cyber threats. These companies seemed to take cyber threats and vulnerabilities seriously in both product development and organization protection.

So what was I missing?

Interoperable Means Vulnerable

The answer comes when we look at the bigger picture. While marvelous creations in themselves, airplanes are part of a much larger ecosystem comprised of manufacturers, suppliers, carriers, traffic control, reservations systems and international regulations. All of these pieces are becoming increasingly dependent on information and communications technology for their operations.

The aviation industry’s increased reliance on interconnected and interdependent systems increases the vulnerability of aircraft and, really, the entire ecosystem. In an interconnected system, someone else’s problem is also your problem. It becomes clear that standards for their architecture is required to enable these interconnected systems to operate seamlessly and safely.

And thus the “Framework for Cybersecurity” which was unveiled at the conference.

A key question, however, remains: With cyberattack risks accelerating rapidly around the world and the industry in cyber transition, who will get to this increasingly interconnected aviation system first? The attackers? Or the industry, with its newly planned cybersecurity standards?

The answer will have an impact on the safety of air travel over the next two to three years. For my money, I anticipate the attackers will cross the finish line first.

And we all know what that means. Enjoy your flights, everyone.

("Plane Landing" image: James Barker/

No comments:

Post a Comment