DHS Issues Warning On Cybersecurity In Light Aircraft

The threat is mitigated by general airport and aircraft security measures already in place.

airplane cockpit avionics
“The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot.”Unsplash/Rodrigo Soares

If you’ve ever been involved in a panel upgrade and looked behind the scenes—or maybe you’ve performed some of the work yourself as a technician or homebuilder—you understand that there are connectors that allow data to flow between the avionics and instruments in the cockpit, whether they’re ARINC 429 or CAN bus cables. These create a local network of sorts, permitting the data to transfer without a host computer.

A report was made recently to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) relating an experiment performed on a light airplane that allowed for a presumably hostile party to "attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment," according to an alert issued by CISA. "The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot."

The alert goes on to advise mitigations against the threat, including ensuring “aircraft owners restrict access to planes to the best of their abilities.” Most airports and aircraft owners already make such precautions, such as secure fencing, restricted-access gates, and locked hangars and/or aircraft on the flight line—and these generally suffice because the components in question are not easily accessible without time, tools, and specific knowledge.

The FAA and industry have recognized the potential for this threat for roughly 20 years—and during that same timeframe, for one example, the standards group at GAMA (General Aviation Manufacturers Association) began specific safety work towards the concerns. The FAA issues a Special Conditions rulemaking when the current regulations for an aircraft do not contain adequate or appropriate safety standards for certain novel or unusual design features—and they did so to cover the Aircraft Systems Information Security/Protection (ASISP) in 2014. FAA convened an Aviation Rulemaking Advisory Committee (ARAC) in 2015 and 2016 to recommend updates to regulations, policy, and guidance to address ASISP, and incubate cooperation across agencies and internationally to ensure the recommendations would be put into play. In fact, EASA was represented on the ARAC, and the agency has already published regulations and guidance covering the issue.

GAMA’s Vice President of Operations, Jens Hennig, gave us a summary: “The DHS alert correctly points to the mitigations that are used to manage security in the aviation industry. In evaluating such risk, it is important to consider actual real-world scenarios, especially by providing recognition of the protections our overall system of systems approach provides to managing aviation safety and security.”

So what can you do, as a concerned pilot and/or aircraft owner? First, check up on the security measures in place at your local airport, and the effectiveness of the way you secure your airplane—whether it’s in a hangar or parked outside. Also, when your airplane goes in for maintenance, ask what procedures are followed to ensure that no unauthorized personnel have access to your airplane while its guts are open—probably the most likely time for your airplane to be exposed to a real threat.