As the Advanced Air Mobility (AAM) era approaches, cybersecurity is critical, just as important as ensuring the eVTOL aircraft itself is safe to fly. Cyber-attack threats to aviation and other critical infrastructure can come from any source, domestic or international.
In the United States, the importance of cybersecurity has been widely recognized since the 2021 ransomware attack on Colonial Pipeline, one of the country's largest oil pipelines. The hack was considered a national security threat and “the federal government responded quickly,” said Gaëlle Le Bris, vice president and senior technical principal of aviation programs at global engineering firm WSP. He also chairs the Transportation Research Board's Standing Committee on Aviation Safety, Security, and Emergency Management.
Le Bris explained that by 2023, a National Cybersecurity Strategy will be published and translated into mode-specific requirements by the Transportation Security Administration (TSA).
“Additionally, the U.S. General Accounting Office also released a report on cybersecurity in the airline industry [with one on aircraft systems released in 2020]. Key findings and recommendations are included.”
These conclusions have potential implications for “the development of future certification requirements for highly connected and automated aircraft,” which will inform the coming AAM era, he said.
But while it's very positive that the U.S. government is recognizing the cybersecurity challenges as AAM approaches, Le Bris said, “We need to make sure these systems are hardened and resilient.”
Building resilience
Le Bris reported that the Federal Aviation Administration (FAA) and other aviation authorities recently announced concepts of operations for AAM that define how stakeholders will interact in lower-altitude airspace and what enables connected and collaborative air traffic management.
Le Bris said the proposed architecture would involve third-party service suppliers working with the air traffic services provided by the FAA, including the role of exchanging real-time information between aircraft, operators, and “traditional” air traffic management systems. He added: “The FAA is considering applying such a vision, broadly referred to as scalable traffic management [xTM], which equally applies to high-altitude operations.”
Meanwhile, Aharon David, aviation cybersecurity expert at consulting firm AFuzion, said comprehensive cybersecurity standards for aviation and other industries are highly siloed, and that as the AAM cybersecurity standard is developed, it would be beneficial to harmonize all these standards.
“There is some harmonization going on, but it's hard to do, and things like AAM haven't stood up yet, so it's hard to apply new standards,” he said. “The automotive sector uses SAE/ISO 21434. Industrial control systems use IEC 62443. Healthcare uses its own standards. Aerospace uses the US and European ED-202A, which uses the same but different IDs. There has been some discussion about AAM cybersecurity standards in Europe, but the first attempt to discuss general cybersecurity for all cyber-physical systems is SAE's G-32, and I'm a part of it.”
But while the regulatory aspects are important, Le Bris pointed out that potential vulnerabilities remain across the AAM value chain, from physical equipment that can be jammed to communications and cloud-based systems that can be hacked.
Difference in scale
David also believes that cybersecurity threats in the eVTOL space are widespread. In fact, they are much wider than those facing commercial aircraft, for a simple reason.
“In commercial aviation, we don't know everything about cybersecurity threats, but we do know a lot. There are very few channels of communication. We have a well-established digital infrastructure. We have a high level of security in system development and a controlled environment on the ground at the airport,” David said. “Typical environments are what we call sterile, among aircraft operations and maintenance personnel, airport personnel, and even aircraft developers. Therefore, the threat from people is quite limited.”
But in the eVTOL era, “there's going to be at least an order of magnitude more people involved. There's going to be so many vertiports, there's going to be so many aircraft in operation. Do we exclude everyone? We have to do that, but we can't apply the same thinking.”
He also pointed out that in the field of commercial airliners, aircraft systems can be resistant to cyberattacks if they are manufactured correctly. There is a significant risk of loss of life if a commercial aircraft is compromised by a cyberattack, so investments in cybersecurity are correspondingly high.
“But with eVTOL, companies are smaller and don't have the deep pockets to invest heavily in cybersecurity. There aren't even requirements for this yet.”
In this context, David also pointed out that there is a temptation to cut corners on eVTOL cybersecurity standards since the aircraft itself is also small in comparison.
“Airliners have hundreds of computing systems on board, all of which are protected from cyberattacks. There is a protective envelope,” he said. “But I think there's a huge temptation with eVTOL to want to combine the protection of critical and non-critical systems and use only one system. This is unwise.”
Physical security
Physical security is also obviously a concern, and what this will look like is still to be determined when it comes to eVTOL. However, we do know something about how the physical security level of future vertiports will be affected by location and type of operation.
Le Bris first pointed out that until now, U.S. general aviation (GA) airports, especially helipads, have not been subject to the same TSA security requirements as commercial airport facilities. However, TSA is mandated to develop a standardized threat and vulnerability assessment program for all GA airports and implement the program on a risk management basis.
However, some AAM operations at smaller airports will require airlines to develop a TSA security plan under 49 CFR §1544.101(a), for example, flights to and from commercial airports with sterile areas. This means that if AAM operations are housed in the same terminal as scheduled commercial flights, these AAM flights and their passengers may be subject to higher security standards to ensure consistent threat mitigation, Le Bris explained.
However, this may not be the case if another “landside” vertiport is developed near the commercial passenger terminal. Additionally, even a typical airport passenger screening process is not always guaranteed at smaller GA airports, depending on the destination, aircraft size, and operational requirements.
At the same time, Le Bris believes regulations could evolve to suit the specific characteristics of AAM. However, even if this is not the case, AAM providers may choose to implement security layers beyond those required for individual flights. “This creates consistency in the passenger experience and simplifies several aspects of vertiport design and operations,” he said.
Looking ahead
According to Le Bris, malicious attackers in the security field often follow patterns, but they also know how to get creative with new approaches.
“Therefore, adapting your strategy to an ever-changing world and responding to evolving threats requires being smarter and more agile in developing security processes and managing resources, rather than applying rigid, one-size-fits-all standards,” he said.
David said it is still very early days to determine how AAM cybersecurity can and should differ compared to traditional aviation cybersecurity. “These questions are cutting edge and we don't have answers yet,” he said.