Cyber-security has been in the news lately with the recent cyber attack on South Korea, thought to be the work of the North Koreans. This follows issues in the US pointing fingers at the Chinese PLA Unit 61398. Before these news items there was a lot of coverage about Stuxnet, and cyber attacks date back to 2007.
Cyber attacks are attracting more attention because they demonstrate how vulnerable everyone is. The South Korean economy is sophisticated. Whereas about 28% of Asia’s population has Internet access, about 83% of South Korea’s population has Internet access. This means that South Korea is vulnerable to a cyber attack – undoubtedly much more so than North Korea. Consequently we should be expecting much more news about cyber attacks because it is a weapon offering massive damage on a very small budget.
Cyber security is something aviation needs to constantly think about. The next generation of aircraft is increasingly reliant on becoming e-Enabled. New aircraft are connected via secure IP communications allowing digital traffic to and from the aircraft. Providing an aircraft with IT network access seems an irresistible attraction.  Currently the A380 and 787 are the only e-Enabled commercial aircraft, while the coming CSeries and A350 are also adopting this feature. Even the 737MAX and A320neo will be more e-Enabled than their predecessors. This means that when an airplane is deemed “airworthy” it will also be required to pass an IT test. Despite intensive testing we have seen cyber attacks on terrestrial networks, reinforcing the fact that every network is only as strong as its weakest link.
To get an idea of the complexities of the e-Enablement of an airplane, take a look at this link from Boeing detailing the 787. Of course airlines desire real-time or near real-time data from their aircraft. This means they will have the ability to monitor systems on board and better predict MRO activity. Airlines can send updated weather information to the crew to optimize tailwinds or reduce the impact of headwinds; moves that directly lower fuel burn and reduce flight times. These features alone present significant benefits. There are also benefits from other less attention grabbing issues like e-commerce; enabling the clearing of credit card transactions instantaneously, allowing an airline to reduce risks of credit card fraud. This is a not insignificant issue for long haul airlines.
There is an item that could impact aviation security even outside the e-Enabled airplane. As you will have noticed in the link to the 787 article, there is an item known as Electronic Flight Bag (EFB). The A380 and 787 have the EFB built in, but there are literally thousands of EFBs in service using mobile devices. In North America it is estimated that 30,000 pilots are flying with mobile EFBs, typically these EFBs are on laptops or tablets (like iPad).
The EFB is a series of software tools that allow pilots to automate tasks such as weight and balance, along with allowing pilots to track routes with weather overlays. The main benefit of an EFB is to lesson the burden on pilots, who currently each carry a 40 pound briefcase filled with charts and other paperwork, by allowing all of the data in the paperwork to be operable on an iPad. Having two pilots carrying an iPad each and not carrying 80 pounds of paperwork on board could potentially save an airline a lot of money. Take a look at this Alaska Airlines EFB briefing. The transition from 80 pounds of paper to tablet EFBs is thought to have saved up to 325,000 gallons of fuel per year. This is serious money.
Pilots carrying tablets with EFB apps run the risk of their devices being compromised. This could happen when pilots go online to download emails or from web browsing. The airline industry is aware of the challenges. Leading airline industry cyber-security consultancy AvIntel has been tracking EFBs for the past four years. Their fourth annual EFB Report is about to be published. In a prequel of their report they shared that over 80% of the airlines surveyed reported they have an active EFB program, but 40% of these airlines do not have an active EFB cyber-security plan.
Consequently we see that the next generation of aircraft needs to be made secure from cyber attacks, but airlines also need to ensure EFBs are secure. Ubiquitous connectivity for EFBs means these devices are “sniffing” for signals wherever they are. The Aircraft Electronics Association has taken a look at this issue. The various firms providing software apps for EFBs are aware of this security issue. It is not the aviation side of the industry one needs to worry about. It’s the other side, especially for pilots who carry tablets like the iPad. Pilots who go online in hotels or other public places to download information for their EFBs prior to heading to the airport could (potentially) be exposed to malware. Emails are the typical source of how a device gets infected and if these tablets are used for personal emails, the devices can be compromised.
Some airlines have a policy that tablet EFBs are unable to download anything but airline approved data. As one can imagine this does not sit well with pilots, who need to carry an additional digital item for their personal use. Airlines that do not provide their pilots with tablets are no safer. Because pilots are buying these devices for personal use,  the downloaded EFB apps could be exposed to malware already on the system. This creates something of a “wild west” with EFB technology. There are cases where pilots are using personal tablets as EFBs, regardless of airline policies.
This is not to scare readers. But it is important that the issue of cyber-security continues to be highlighted. There have not yet to be any security compromises due to an EFB being “infected” that we are aware of. The only known issue has been flight delays due to inoperative EFBs. The growing e-Enablement of aircraft is an issue that needs to attract more attention. If terrestrial networks are so easily compromised, the aviation industry needs to pay close attention to aircraft that have network connectivity.