Jan 23, 2020
Products and services delivered by Thales to aviation customers come with “cybersecured-by-design” principles. We spoke with Nathalie Feyt, Avionics Cybersecurity Design Authority at Thales, in order to get the big picture about cybersecurity in aviation and what the Group is delivering.
Just how serious a threat is cybersecurity in aviation?
As recently outlined in the benchmark report into aviation cybersecurity released by Atlantic Council and underwritten by Thales, the aviation industry has reaped the benefits of digitization over the past ten years, but this has also triggered new risks, including social and technical vulnerabilities that had never previously been addressed. And, as the report also mentions, “any disruption can quickly ripple out to have international impacts, cause significant financial and reputational damage, and potentially compromise safety”.
So the potential risks are substantial. Permanent connectivity has created a larger threat surface and aircraft today are communications and data nodes, projected to generate 98 million terabytes of data by 2026. The challenge is to secure data transfers between ground and aircraft, both in the cockpit and in the cabin, as well as between onboard sensors and systems.
In the aviation ecosystem, where the various players are all highly interdependent and increasingly interconnected, cybersecurity involves not only the protection of information in the form of digital data, but also the associated networks, websites, services, computers and portals that are transporting and enabling access to data.
What skills, infrastructure and resources have been deployed by Thales to counteract this threat?
Cybersecurity is one of the four key technological areas identified as setting Thales apart from competitors in each of our markets (along with Connectivity/IoT, Big Data and Artificial Intelligence), so it’s very much a priority area for the Group at large. Thales boasts major cybersecurity credentials as a worldwide leader in data protection, with 5,000 IT and security engineers, including 2,000 cybersecurity specialists. We run five Cybersecurity Operation Centers (CSOCs) spread out around the world and five high-security data-centers that already combine to protect 80% of the world’s bank transactions and ensure the cybersecurity of nine of the top ten internet giants!
The Group has been able to capitalize on this infrastructure and apply this expertise to the aviation sector, which is vital when you consider that two out of every three aircraft take off and land using Thales equipment, and that each day 1 million passengers use our in-flight entertainment (IFE) systems! Our tailored solutions are therefore applied to avionics, IFE, communications, radar and air traffic management, as well as preventive maintenance, security supervision incorporating specific threat intelligence, and rapid response teams in case of an attack.
Thales also works with aviation players to carry out cybersecurity risk analysis, compliance audits and cybersecurity awareness workshops, set up rapid intervention forces (Computer Emergency Response Teams), and deliver cyber threat intelligence and security monitoring services.
What methods have been used to embed cybersecurity into Thales’s offering?
The "cybersecured-by-design" principle is applied to the entire Thales ecosystem with risk-oriented governance from design and development up to programs and products, based on three pillars: “protect, detect and operate”. At each step of a product life cycle, from its creation to its use, Thales therefore deploys systematic risk analysis with a rationale of the security situation. The level of protection is tuned to incorporate the detection capacities of abnormal behavior, followed by regular cyber check-ups.
Penetration testing is performed internally by independent teams of “ethical hackers” ahead of delivery to customers. Finally, when our products are in service, Thales supports its customers with services to manage continuous security, monitoring the evolution of the security situation, the occurrence of new threats and the discovery of new vulnerabilities.
Our teams have been hard at work to ensure that the hardware (displays and human-machine interfaces) and software that are embedded in the FlytX offering come with cybersecured-by-design capabilities, whether for commercial or military users. When we talk about the key assets of FlytX, we highlight qualities such as its compactness, its crew-centric focus, its customization capabilities and its permanently and fully-connected status. Obviously, cybersecurity aspects mainly concern that “connected” dimension, as an enabler to ensure these ruggedized systems comprise no blind spots whatever, despite constant interchanges with open-world applications and data sources… and this is the area where we have thoroughly applied our in-house cybersecurity expertise.
For instance, the associated connectivity servers authenticate the legitimacy of users and requests, and data is filtered to be identified as fully conforming and properly formatted. That cybersecured-by-design approach means that FlytX – along with its “navigation brain”, the PureFlyt Flight Management System – is already fully aligned with upcoming rules and new aviation cyber regulations. It is all about upstream anticipation and, from that standpoint, this is a major differentiator and we are very much ahead of the game… The FlytX cockpit solution is not only fully cybersecured today but is also the most future-proof of its type on the market!
So, what regulations are taking shape to structure and harmonize cybersecurity, and how is Thales contributing to the process?
Aviation authorities including EASA and FAA are standardizing cybersecurity rules for the airline domain, on the basis of the findings of workgroups that comprise operators and manufacturers. At EU level, regulations are set to be introduced in 2021 and among the tasks identified are the drafting of a new paragraph in certification specifications to integrate cybersecurity considerations (referred to as “rulemaking task” RMT.0648), and transverse regulations for all aeronautic domains to set up a global framework for information security management systems (RMT.0720).
More generally, the sector at large is extremely active in this area. For instance, ASD (Aerospace and Defence Industries Association of Europe) has a cybersecurity task force whose aim is to deliver position papers on aviation cybersecurity strategies, and organizations such as EASA and EUROCAE are coordinating a number of technical advisory committees in areas such as formalizing guidance for homogeneous risk management procedures, and identifying security risks and threats and their impact on the aeronautical domain. Needless to say, Thales is playing an integral part in all these developments!
How about future challenges, notably the introduction of new forms of travel (urban air mobility) and the increasing use of drones in public airspace?
Thales will continue to apply the same rigorous methods and principles as we branch out into these new areas, which are very much the future of air travel and airspace usage. Unmanned platforms and systems will continue to increasingly shift towards more cloud-based structures, where self-healing cyberdefensive systems will rely heavily on the provision of monitoring and operational reconfiguration services. Our ultimate objective is to offer cybersecurity monitoring solutions and this is something we already deliver for our cabin systems through the IFEC (in-flight entertainment and connectivity) Network Operations Center we have set up in the US. The model can be extended in the future.
So, whether we’re talking about air taxis or delivery drones, or indeed the counter-systems being rolled out to deliver the protection needed against airspace incursions or sensitive site intrusions, we will capitalize on our Group-wide expertise and capabilities (key technological bricks, encrypted sensitive data, secure data storage) to ensure those solutions also embed unparalleled cybersecurity credentials for optimum integrity, reliability and legitimacy.