Avionics and cybersecurity: leaving nothing to chance
With all the potential threats to information systems today, anticipating risk is one of the keys to the system’s overall security. OnBoard talks to Nathalie Feyt, Security Design Authority at Thales Avionics.
There could be two kinds of attack. Data could be stolen and altered before it's loaded into the system; or somebody with malicious intent could interact with the aircraft’s communication systems during flight to compromise navigation data or alter the messages transmitted between the aircraft and the ground.
What ways do we have of countering such potential attacks?
The important thing is for all stakeholders to share the same broad vision of the risks so that communication interfaces can be protected effectively to avert any impact on the aircraft. Technical and organizational measures are mutually reinforcing — and that is the key to effective protection.
What preventive role is Thales playing in this respect?
The overall safety and security of an aircraft is only as strong as each link in the chain. Our approach is to analyse risks and define solutions in ways that factor in security issues as early as possible in the design process so we can meet each of our customers’ expectations.
Thales has invested a lot of effort in recent years in applied security engineering for avionics, notably by recruiting the best talent, participating in standardisation committees (EUROCAE in Europe, ARAC in the United States) and pursuing R&D in new security technologies.
What does this actually mean in practice?
Security engineering uses the same approach as other fields of engineering. For example, we’ve designed our development process so that countermeasures are correctly implemented at each step to ensure our solutions are safe and secure. We also conduct security audits throughout this systems engineering cycle to assess how robust they are. And once development is complete, dedicated teams from Thales’s Information Technology Security Evaluation Facility (ITSEF), certified by ANSSI, France’s national agency for information system security, put the security systems through their paces to show that the required level of security has been achieved and that residual risks are negligible. Our key strength here is the expertise we have acquired in cybersecurity and our close collaboration with other Thales security businesses.
System integrity and security have always been a top priority for Thales. Today we are a recognized leader in cybersecurity, securing 80% of the world's financial transactions. Direct access to that kind of expertise is obviously a great asset.
How do you adapt to evolving threats?
Threats are indeed involving all the time, but once an aircraft has been certified it can remain in service for decades. That means we have to be capable of maintaining the highest level of security throughout a system’s lifetime by constantly upgrading it. We apply a Continued Security Airworthiness approach to track evolving threats through our Computer Emergency Response Team (CERT-IST). Then we work with aircraft manufacturers and airlines to address any concerns about their potential impact on aircraft systems.
“Our key strength is the expertise we have acquired in cybersecurity and our close collaboration with other Thales security businesses.”
Find us on Twitter @thales_avionics, on our official Youtube channel Onboard TV and on LinkedIn Thales Aerospace.