July 31, 2019
The Department of Homeland Security (DHS) recently issued a security alert (ICS-ALERT-19-211-01 CAN Bus Network Implementation in Avionics) warning of a cyber vulnerability in general aviation aircraft that could allow nefarious entities to alter an aircraft’s altitude, airspeed and angle of attack by manipulating the aircraft’s Controller Area Network (CAN) bus system.
DHS’s Cybersecurity and Infrastructure Security Agency (CISA) recommended aircraft owners restrict access to aircraft and manufacturers review implementation of CAN bus networks to compensate for the potential of attack. The alert is the result of research by an IT consulting firm whose report is announced in a promotional blog post about an upcoming hacker convention.
“The DHS alert correctly points to the mitigations that are used to manage security in the aviation industry,” said Jens Hennig, vice president of operations at the General Aviation Manufacturers Association and co-chair of the FAA’s Aircraft System Information Security/Protection (ASISP) working group. “In evaluating such risk, however, it is important to consider actual real-world scenarios, especially by providing recognition of the protections our overall systems approach provides to managing aviation safety and security.”
The ASISP presented the FAA with 30 recommendations to harden aircraft systems to ensure cybersecurity. The FAA has already implemented a number of those recommendations and is expected to issue proposed regulation in 2020 to address applicable airworthiness standards. Additionally, NBAA recently released the association’s Best Practices for Business Aviation Security, which provides additional guidance, with particular emphasis on physical security.
“It is worth noting that in the past few years, leading up to the late-summer hacker conferences, we’ve seen different IT consulting firms take the opportunity to promote their businesses through blogs and press releases,” said Hennig. “Most of these consultants have undertaken their work in lab conditions, as opposed to in operational conditions or on certified systems.”
Hennig also noted tampering with an aircraft, including electronic interference with an aircraft and its systems, is a federal offense.
Further, while it may be technically possible to manipulate aircraft controls for malicious purposes, it has been determined that hacking a CAN bus network or other busses requires physical attachment of a device to the CAN bus itself, which requires access to cockpit avionics. Common – and often simple – physical security policies and procedures mitigate this threat.
“The business aviation community takes stock in its commitment to safe and secure practices and operations and will continue to focus on reducing security risks for our operations through mitigation measures appropriate to the threat,” said Doug Carr, NBAA’s vice president of international and regulatory affairs.
Other NBAA member resources include Professional Development Program courses, podcasts and an annual conference dedicated to business aviation security, to help aircraft operators and other organizations develop and implement cybersecurity plans.
Learn more from the recent NBAA podcast, “Cybersecurity: Tips for Protecting Your Data While Flying.”