The key challenge of cybersecuring aviation

We are all aware of the very real risks associated with the virtual world that is so much a part of our daily lives. But it is not enough to simply be aware of these cyber dangers; we need to protect ourselves, adopt best practices, and know how to respond in the event of an attack. The aviation sector also has to deal with these threats on a completely different scale.

Digitalisation is one of the main drivers of the aviation sector's post-pandemic recovery, alongside efforts to reduce the climate impact of air transport. But this development has also created new risks. In our interdependent and interconnected ecosystem, cybersecurity involves protecting not only information in the form of digital data, but also the associated networks, websites, services, computers and portals that share and enable access to data.

On the ground, more and more operations require the use of digital technology. At airports, all services are connected to improve the passenger experience and streamline the workload of flight operations. Airline operations centres are becoming increasingly digital, whether in terms of crew management systems, flight operations systems or passenger management systems. Aircraft maintenance centres have become veritable software nodes where system and content updates circulate constantly. Finally, air traffic management depends on evermore networked real-time communication, navigation and surveillance capabilities.

Overhead, aircraft have become hubs for mobile communications and data. Cockpit systems are increasingly connected to open-world sources. Pilots use electronic flight bags that provide a host of useful connected resources and applications. Meanwhile, cabin side, in-flight entertainment and connectivity systems offer passengers not only a way to pass the time, but also a wide range of services that can be customized by airlines according to passenger profile, destination and type of journey, as well as connectivity and communication capabilities!

A regulatory framework in the making

To be able to capitalize on the full potential of digital technologies, particularly with regard to airborne systems, we need to be able to certify and authorize cybersecurity practices, whether encryption methods, flow analysis, recognition of data and its value, or the hardening of the components themselves. Aviation authorities, in particular the International Civil Aviation Organisation (ICAO), the European Aviation Safety Agency (EASA) and the US Federal Aviation Administration (FAA), are the lead players here, with the progress achieved being based on the conclusions of working groups made up of operators and manufacturers.

Going further, the industry as a whole is extremely active in this area to boost buy-in from the agencies, as I recently explained during a panel discussion at the Paris Air Forum. For example, the Aerospace, Security and Defence Industries Association of Europe (ASD) has a cybersecurity working group that aims to develop position papers on cybersecurity strategies for aviation. Organisations such as IATA (International Air Transport Association)? and EUROCAE (European Organisation for Civil Aviation Equipment) coordinate a number of technical advisory committees in areas such as formalizing guidelines for consistent risk management procedures, and identifying security risks, threats, and their impact. Thales plays an important role in all these initiatives.

Cybersecure by design

For industrial players such as Thales, it is already essential to deliver products and systems that are "cybersecure by design", i.e. resistant to the multiple risks of cyber-attacks. Our priority is to ensure the safety and economic resilience of those who use our systems, whether on the ground or in the air.

We have therefore natively integrated cybersecurity into our design and manufacturing processes, anticipating compliance with aviation cybersecurity standards. We also secure our product deliveries against malicious modification by providing proof of authenticity throughout their lifecycle, and by actively working to help our suppliers become cyber resilient.

The FlytX cockpit avionics suite is a prime example. Both the hardware (screens and interfaces) and the software have been designed with cybersecurity in mind, whether for civil or military use. This ensures that these robust systems have no blind spots, especially given that no system impacting air safety currently interacts with open-world applications or data sources – this was another key takeaway I highlighted during the Paris Air Forum. ?

In the face of constantly evolving threats, Thales has also set up dedicated units (PSIRTs, Product Security Incident Response Teams) to respond to customer cybersecurity incidents, which can be complemented by in-flight health monitoring services. A structured offering has also been developed to enable our airline customers to make cybersecurity an integral part of their operations. This ranges from developing a cybersecurity strategy and integrating it into their day-to-day operations, to crisis management, including operator and pilot awareness, and ongoing threat monitoring to ensure that cybersecurity investments are targeted effectively.

Finally, but equally importantly, we are working closely with airlines to respond to the growing threat of malicious GPS signal jamming and spoofing around the world, which affects the geolocation capabilities of commercial aircraft and is therefore a major concern for airlines. The extent of the impact varies according to the age of the onboard systems, so it is important to pinpoint the severity of the phenomena and how to thwart such attacks. Thales has already identified a number of proposed developments, which I look forward to discussing in greater detail in another article.??

By adopting this kind of dynamic and proactive approach across our ecosystem, we can collectively take connected aviation to new heights, while ensuring that flight operations, ground and on-board systems and the passenger experience are cyber-savvy, resilient and secure. Now you can sit back, relax and enjoy your cybersecure flights!