New, tougher rules on cybersecurity for e-enabled aircraft are hitting airlines across the world, and carriers such as Southwest Airlines are now facing “a tremendous task, but one that we take seriously,” according to a spokesperson for the airline.
The challenges of maintaining cybersecurity constantly increase as the digital revolution continues its forward momentum. The average enterprise-size corporation now uses almost 80 cybersecurity products, according to Infosecurity Magazine. Airlines must be especially concerned with cyber protection because lives as well as money are at stake. Government agency Eurocontrol reported a 61% increase in cyberattacks against airlines in 2020.
The new e-enabled aircraft have much more digital power. Legacy aircraft used an architecture for data flowing over wires, which only allowed transmitters to send data to receivers rather than the other way around. New generation aircraft, such as the Boeing 737 MAX, 787 and Airbus A350, use an Ethernet data network for safety-critical applications that allows devices to communicate with each other.
The new technology removes wires, reduces weight and increases capabilities—but it also opens up cyber vulnerabilities. This matters because many cockpit modifications today are basically software updates, not hardware swaps.
In the U.S., airlines flying new Boeing aircraft are governed by several regulatory guides, including the FAA’s Advisory Circular 119; Boeing’s Aircraft Network Security Operator Guidance (ANSOG), which was revised in 2021; and, by reference, RTCA DO-355A, Information Security Guidance for Continued Airworthiness, issued in 2020.
The upshot of all this is that carriers must now meet much tougher cybersecurity requirements and have a limited time in which to do so, according to John Schramm, a former Delta Air Lines pilot and electrical engineer who is now a managing partner with the consultancy Seatec.
Schramm compares the breadth and difficulty of the new rules to a safety management system. They touch all aspects of airline operations: software and components, network access points, ground support equipment and its information systems, digital certificates, log file analytics, security incident management, an organizational risk assessment, personnel roles, responsibilities and training.
One especially tough new requirement is conducting the organizational risk assessment (ORA). There are two kinds of ORAs, one done under the National Institute of Standards 800-30 guide and another done under ARINC 811. Schramm says the FAA prefers the former approach.
In either case, Schramm says an ORA is hard for an airline to perform because it involves so many departments—most prominently maintenance and IT—that do not usually collaborate with one another.
Another tough new requirement is digital signing for new parts or software. “This requires the tech ops group to implement an entire public key infrastructure, which is again a big lift and not in their typical skill sets,” Schramm notes.
The FAA is giving carriers about three years each to meet the new requirements, with an emphasis on getting that ORA done sooner rather than later, says Schramm.
With its huge MAX fleet coming online, Southwest Airlines is now in the process of meeting the new requirements. Noting that the new requirements were contained in a late-2021 revision of Boeing’s ANSOG, a Southwest spokesperson says the carrier is working toward complying with these new requirements by an estimated completion date of January 2025. It is working with Airlines for America and other industry partners to address technical issues raised by compliance.
The spokesperson emphasizes that Southwest is already in complete compliance with the old cybersecurity requirements, which had been set by a Boeing ANSOG revision in 2019.
Other carriers contacted declined to state the status of their compliance, and the FAA also refused to summarize how carriers are doing. Schramm thinks several airlines may be waiting too long to get started on their ORAs.
The European Union Aviation Safety Agency (EASA) has been in some ways more aggressive on cybersecurity than the FAA, according to Chase Richardson, cybersecurity and data privacy lead principal at consultancy Bridewell. For example, the European regulator insists that cybersecurity standards be set at the outset of certifying a new aircraft, while the FAA waits until the middle of the certification process to negotiate these standards with the OEM.
EASA calls its cybersecurity requirements for operators an information security management system, not an aircraft network security program like the FAA, but the rules are similar.
Organizational risks are dealt with under Part-IS, which was published in February 2023. An EASA spokesperson says Part-IS will be mandatory by February 2026 and “airlines are encouraged to anticipate compliance with such requirements.”
Beyond the aviation regulators, more cyber requirements are coming. Richardson points out that the U.S. Transportation Security Administration issued new rules on cybersecurity for airports and aircraft operators in March, including rules on data transmission between airports and airlines. Hopefully, airline risks here are already being addressed under the cyber rules being set by the FAA and EASA.