Aviation Authorities on Both Sides of the Pond Clash in Cybersecurity Disagreement
European and American aviation decision makers are at an impasse over how to settle on the cybersecurity measures needed to safeguard aircraft from cyberattacks.
Aviation regulators on both sides of the pond have generally agreed on basic practices of updating software and ensuring the implementation of future cybersecurity measures for large commercial planes. They've also agreed on building a gap between the cabin entertainment and internet access systems used by passengers and the safety systems of the plane. Connected systems are among the most vulnerable targets for hackers looking to exploit automobiles or planes. Just ask Chrysler. Or United Airlines, when veteran white-hat hacker Chris Roberts hacked the in-flight entertainment system by simply plugging into it via USB.
The Wall Street Journal reports the disagreement, citing sources involved in the discussions who say that the two sides are not yet in agreement over "the best approach and [the] extent of testing necessary to ensure the integrity of software and hardware of electronics on smaller models."
The two sides are currently divided on the best way to proceed. If the dispute is left unresolved, aviation industry officials worry that U.S. plane manufacturers would likely face major challenges in their production cycles. This includes selling flight-management systems, aviation systems and more for conventional aviation and business-standard aircraft in Europe.
The WSJ also cites a fundamental disagreement between the Federal Aviation Authority (FAA) and the European Aviation Safety Agency (EASA) about protocols concerning aircraft with fewer than 19 seats. EASA and other advisory groups in Europe want the cybersecurity standard to apply to all aircraft, no matter what the size. However, the FAA and the statistically larger private aircraft industry in the U.S. believe that the strictest cybersecurity requirements should only be imposed on commercial jet aircraft that carry hundreds of passengers, as opposed to a propeller-driven private plane that carries a few.
In an interview, Jens Hennig, co-chairman of an FAA-created panel tasked with making recommendations for new rules, said:
[The United States adheres to] different standards based on the threat and magnitude of a potential nefarious actor.
Having differences between U.S. and European standards is never good for manufacturers.
Meanwhile, an EASA spokesman noted that the differences in standards and in the approach to cyber-threats between the two realms were based on "slightly different philosophies." More importantly, a joint effort to proceed with newer and required cybersecurity measures is underway, although an agreement hasn't been reached.
The immediate concern is a controversy in internal European Commission politics throwing a spanner in the works of any proposed agreement. The EASA is demanding more authority and funding, claiming that the area of cybersecurity now falls under its purview. As revealed by the publication, EASA documents have supposedly stated:
All recently designed large airplanes are known to be sensitive [to cyberthreats due to the] interconnectivity features of their avionics systems.
On the other side of the pond, a milestone is reported to have occurred recently, with the FAA-tasked working group agreeing on the goals for their duties last week. In a document, the panel proactively deemed that aircraft equipment and on-board software have to be safeguarded. They plan on doing this by "showing that the security risks have been identified, assessed, and mitigated as necessary."
In the document, the working group also mandates that equipment suppliers "provide procedures for the [airline] operator". The group also insists that maintenance instructions have to be passed on, in order to "ensure the aircraft equipment, systems, and network security protection are maintained."