The cyber attack comes as the FAA is asking for feedback on a draft advisory circular setting out requirements for operators of “e-enabled” aircraft on the creation of aircraft network security programmes (ANSP). The FAA described the AC as “essential” because technologies in modern aircraft “may be vulnerable to threats common to IT platforms”.
“New aircraft designs use transmission control protocol (TCP) and internet protocol (IP) technology in a manner that virtually makes the aircraft an airborne interconnected network domain server,” it states.
“As with other TCP/IP applications, a real threat exists that may be intentional or unintentional with a detrimental effect on system performance. These effects may range from reduced performance, denial of service, or criminal activity.”
The AC concludes that: “The transmission of critical data necessitates the need for an ANSP.”
An ANSP covers network security onboard the aircraft, the off-airport supporting infrastructure (corporate offices) and “everything in between”.
The AC draws on requirements that were mandated as “operational specifications” on new generation aircraft, such as the 787 and A350, and highlights that “e-enabled” aircraft covers not only new aircraft but those that have had TCP/IP connectivity retrofitted.
Operators must, according to the AC, develop and maintain an ANSP that:
- ensures security protection is sufficient to prevent access by unauthorised sources external to the aircraft;
- ensures security threats specific to the certificate holder’s operations are identified and assessed, and that risk mitigation strategies are implemented to ensure the continued airworthiness of the aircraft;
- prevents inadvertent or malicious changes to the aircraft network, including those possibly caused by maintenance activity; and
- prevents unauthorised access from sources onboard the aircraft.
The AC, which is out for comment until 6 July, follows on from warnings from the US Government Accountability Office in March, which reported that aircraft could be vulnerable to having their computers hacked and remotely taken over by passengers using in-flight wi-fi.