Latest rule from the FAA poses challenge for the air travel industry

A new front in the battle for cybersecurity has opened. New rules proposed by the Federal Aviation Administration would mandate better cybersecurity for airplanes. For what this means in practice, RunSafe Security CEO Joe Saunders joined the Federal Drive with Tom Temin to discuss.

Interview transcript: 

Tom Temin: What is cybersecurity with respect to airplanes? I guess the obvious answer is all of the communication between the airplane and ground radar and the towers and all of that. But there’s more to it than that. Isn’t there?

Joe Saunders: There is more to it to that. And I think it gets to airworthiness, it gets to safety. It’s not just technology, it’s not just cybersecurity, but it’s ensuring safety and airworthiness of aircraft. And so as you say, all those components and all those you know systems communicate, and even there’s you know communication within an aircraft, and it’s the extension of all that communication that puts aviation systems at risk of cyberattack.

        Learn about several AI initiatives taking place in government in our new ebook, sponsored by Carahsoft. | Download today!

Tom Temin: Now, I flew about a two-hour flight just last week, and we were delayed on the tarmac because of a rerouting that was issued to that plane because of weather, and the pilot said, ‘We just need to get that loaded into our computers.’ And then a few minutes later, they said, ‘Well, we’re back on the original route, so we’re reloading those into the computers.’ Once the plane is up, it’s not communicating. I don’t think the computer. It’s with the ground, or is it, and is the vulnerability maybe in that step of loading, say a flight plan, into an airplane?

Joe Saunders: Well, there’s multiple points of vulnerability and exposure. It does get to communications. So if you think about mobility, you think about communications within an aircraft. You think about knowing the location of an aircraft and that signal, there are dozens of signals that result in some kind of form of communication, whether within an aircraft or between ground systems and airplanes in general. So whether it’s through the software supply chain or through the communications ports, if you will, all of those create attack surface and give an access point. And once there’s access, even if it’s not an ongoing communication, such as reloading the route, or what have you. If there’s already access and there’s some kind of exploit inside the system, then it doesn’t matter if it’s you know, currently communicating or not, that exploit could execute at some point in the future as a result of that. And so I think that’s why, in part, the FAA is so concerned is the software supply chains have gotten more complex, and also the connectivity of aircraft and communication systems in the whole ecosystem have gotten more robust, but also makes systems available for compromise in the first place.

Tom Temin: Yeah, a modern airliner has all of these busses right there. The wiring is almost unbelievably complex. Is it fair, accurate to say that because all of those signals operating the plane in every detail throughout its flight and before and after its flight, I guess on the ground, for that matter where there’s a lot of danger then, because it’s ultimately on one network, even though they have multiple networks doing separate functions, in effect, one could get to the other with a good hacking.

Joe Saunders: Yeah, and specifically the data bus. So picking up on exactly what you say, the data bus itself is what communicates between systems, and that’s a particularly interesting place for hackers to look because you cannot only see signals between devices within an aircraft, but you can also intercept them and do things with them. And so, you know, I think the data bus is a particularly exposed and important critical piece for airworthiness. But then, as you suggest, all those devices connected could become vulnerable as well because you can go from one system to the next with a few hop skips and jumps in the cyber world.

Tom Temin: We’re speaking with Joe Saunders. He’s CEO of RunSafe Security. And having looked at this proposed rules, which are just out now, does this get to that issue? And what is it asking of whom? Is it the operators of planes? Is it manufacturers of planes, all the above to ensure air worthiness from a cyber sense?

Joe Saunders: Exactly right. It’s all the above. But it begins with the manufacturers, and the manufacturers need to produce systems that are airworthy from a cyber perspective, and that’s what’s changed with this announcement. Prior to it, cybersecurity issues were treated as special issues. And there wasn’t no necessarily a standard way to approach this, and deem something is ready for flight. And yes, there were other standards, but they tend to overlap. They tend to get confusing. And the goal here was not only to harmonize it, but to also elevate cybersecurity for airworthiness. And we were just talking in some discussions last week internally at our company about what does this mean, airworthiness. And if you think about a loose bolt or something else that might cause an aircraft to be grounded, cybersecurity, certainly it should be on equal footing as a loose bolt that could disrupt the flight of an aircraft. And we all can imagine because this connectivity, not only is it on par with the loose bolt, but you could imagine an attacker, a hacker, a nation state, could ground an entire fleet with access to software across all planes. And so cybersecurity is a critical aspect. It is worthy of airworthiness. And certainly, I think this is a great move by the Biden administration and the FAA to add cybersecurity as airworthiness.

Tom Temin: Yeah, the possibilities could be to ground a fleet by just rendering planes inoperable because of an attack. That would be worse than a bad update from a known vendor or it could maybe make engines turn off midflight, or that kind of thing.

Joe Saunders: Yeah, imagine any of those malicious things happening in a nefarious action from a bad actor could result in any of that. But the goal of airworthiness is to prevent that. And picking up on your previous question, yes, the manufacturer is responsible for airworthiness, but they’re also responsible for giving the operator instructions to continue to maintain airworthiness, and that’s where I think there could be some room for some improvement in that. Imagine if a software bug is found after the system was turned over to the operator, and after those instructions were already provided, there is an opening there. And as one thing we’ve seen in the software world is software bugs emerge, and bad actors find them, and they find them far after anyone realized that they were out there. And so if a software bug exists and it provides exposure from a cyberattack or to a cyberattack, then who’s responsible if the manufacturer has already turned over those instructions to maintain airworthiness, and that’s where I think there needs to be more clarity between the operator and the manufacturer when a software bug is found after the fact, because that bug could cause the fleet to be grounded, could cause the aircraft to no longer qualify for airworthiness. And as a result of that, there’s a lot of back and forth and the potential for finger pointing and just delays and getting systems fixed.

        Read more: Cybersecurity

Tom Temin: And the supply chain for aircraft, including the software supply chain, is quite complex, isn’t it?

Joe Saunders: It is complex. A typical manufacturer, if you think of Airbus and Boeing and all their suppliers for all these different components, there’s probably hundreds, if not thousands of individual components on aircrafts that may have some sort of software on them. With that, you think about all those systems. And, just on top of that, not only is there proprietary software that some companies might be writing for specialized services, but there are also open-source software components that get included in these software bills and material that get delivered on these aircraft. And I believe open-source software can be very, very secure. But to your point, it means that not only the operator, but you know the manufacturers need to be very mindful of where that software originates and what are the potential risks in that software. And so what’s on the surface as maybe a straightforward thing is this software airworthy does become a greater complex question of you know all these components. So if you look in one individual component, there could be thousands of individual software items that come from the open source community.

Tom Temin: And an aircraft that’s transport that’s going to carry people or cargo that itself exists in an infrastructure of ground crews of the FAA, for that matter, for its own operators and their operation centers, loading bills of lading and balance instructions and all of these things. A lot of people, it’s almost like an airplane is a patient on an operating table with a million tubes coming in and out before it takes off. So there’s a lot of opportunity here for mischief.

Joe Saunders: Well, it is a complex system, for sure. And having a good standard approach to assessing airworthiness for that reason. Clarifying the rules, it’s hard enough to understand all these individual components, but clarifying the rules, harmonizing the rules, making it clear it’s that important for it to qualify as something that affects airworthiness. That’s why I support the move, and hopefully clarifying some of those rules so you can assess all those complex components. That creates certainty and clarity for manufacturers and operators how to operate. And as you say, these are complex systems and so complex software, supply chain, a bunch of components all adds up to complexity.

Tom Temin: And just a detailed question, the rules called for cybersecurity and application to airplanes, aircraft engines and propellers. What’s the cyber question with a propeller?

Joe Saunders: Well, we were getting to it earlier. So obviously propellers vital to an aircraft. If you think about the data bus and communications between systems on an aircraft, it’s vital that those things can’t be controlled. And with that, I think ensuring that those components are all protected as a class of item means that for different class of aircraft, they’re all covered. So I think part of its inclusiveness of aircraft, and part of it is recognizing the complexity involved in those signals transported across the data bus.

Tom Temin: Well, I hope they also include the landing gear because you got to stop when you land.

        Sign up for our daily newsletter so you never miss a beat on all things federal

Joe Saunders: Absolutely, all the systems on the aircraft, in fact, are designated for airworthiness. And as you could say, there’s a lot at stake with these systems, and it just elevates the concern. You talk about landing gear, and a software bug in landing gear could be devastating, and none of us want to really think about that. That’s why I focus on the certainty and the harmonization of standards across systems for airworthiness. But you can imagine any of these systems are vital to the ongoing operations of an aircraft.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.