When we think of cybersecurity, we think of applying protection measures to our desktop computers such as installing antivirus programs and using passcodes and pin numbers. Just like our computers, aircraft systems are vulnerable and are not exempt from a cyber-attack.
Advancements in technologies are growing at an unprecedented speed and the Air Force has been able to become more innovative and agile using those new technologies. Yet at the same time the risks of being exposed to computer bugs or hacking is increasing and adversaries are becoming more inventive and clever in attacking those systems.
“Aircraft are not immune to being hacked and if they are, it can be detrimental,” said Dr. Raju Patel, AFLCMC technical advisor for embedded computer and software systems and authorizing official for aircraft systems assessing cybersecurity risks for Air Force aircraft.
Patel said most aircraft systems are now controlled by software and over the years there has been a significant increase of how much is controlled by that software. In the 1980s, approximately 25 percent of the aircraft’s capabilities were operated by software. Presently, 85 percent of aircraft capabilities are now being ran by software.
If hacked, some examples of possible cyber effects on aircraft systems can be anything from breakdowns in communication and navigation systems to the more critical systems such as collision avoidance and life support systems.
When Patel conducts risk assessments on aircraft systems, he assesses by judging the confidentiality, integrity and availability of the system. Patel said that confidentiality assures that the information is not being disclosed to unauthorized personnel. The integrity of the system is ensuring that the material is what was expected and has not been altered, and that availability insures the user timely and reliable access to data and information services.
Patel said the most important action in protecting aircraft systems as well as other computer systems from a cyber-attack is practicing cyber hygiene.
“Cyber hygiene in avionics needs to begin with ensuring the appropriate training is being provided and the training is tailored to that specific job,” Patel said. “Operators also need to ensure that routine maintenance is conducted on the systems by running up-to-date antivirus software and to run the antivirus on any software before it is loaded on the aircraft. It is also crucial that operators follow the technical order as most errors occur when procedures are not followed.”
Looking ahead, Patel said additional steps are being implemented to protect aircraft avionic systems from cyberattacks.
Patel created a cybersecurity technical working group collaborating with industry to come to agreeable requirements for the systems. One requirement is to ensure that when contractors provide software, they are vigilant of supply chain issues for any re-used, non-developmental or sub-contracted software, that is who or where the software is coming from.
Another action is installing cybersecurity on the front end of developing weapon systems. The KC-46 is the first aircraft to address cybersecurity measures during initial system design, and throughout the system development, to protect the aircraft from potential cyber-attacks.
“Adversaries are always looking for ways to hack a system and even if only one small change is made to a system, it can affect the entire weapon system,” Patel said.
Patel said that a next generation antivirus program is currently being developed and will have the capabilities to detect and identify malware in real time.