Cracking the cybersecurity code for AAM
As the advanced air mobility (AAM) era approaches, cybersecurity is critical — as important as making sure eVTOL aircraft themselves are safe to fly. The threat of cyber attack to aviation and other types of critical infrastructure can come from any source — domestic or foreign.
There’s been significant recognition in the U.S. of the importance of cybersecurity since the 2021 cyber attack on the Colonial Pipeline, one of the largest oil pipelines in the country. The hack (ransomware) was considered a national security threat, and “the federal administration was quick at reacting,” said Gaël Le Bris, vice president of aviation planning and senior technical principal at global engineering firm WSP. He also chairs the Transportation Research Board’s standing committee on aviation safety, security and emergency management.
Le Bris explained that by 2023, the National Cybersecurity Strategy was issued and translated into mode-specific requirements by the Transportation Safety Authority (TSA).
“In addition, the U.S. Government Accountability Office also released reports on cybersecurity in aviation [with one on aircraft systems released in 2020], with important findings and recommendations.”
Those conclusions have potential implications, he said, “for the development of future certification requirements for highly-connected and automated aircraft,” which is how many would describe the AAM era to come.
But while it’s very positive that the U.S. government is recognizing cybersecurity challenges as AAM approaches, Le Bris said “we need to make sure these systems are hardened and resilient.”
Building resiliency
Le Bris reported that the Federal Aviation Administration (FAA) and other aviation authorities have recently released concepts of operations related to AAM, defining how stakeholders will interact with each other to enable highly-connected and collaborative air traffic management in the lower airspace.
Le Bris said this proposed architecture includes a role for third-party service suppliers to work with the FAA-provided air traffic service to exchange real-time information between aircraft, among operators and with “conventional” air traffic management systems. He added that “the FAA is thinking about applying such a vision, broadly dubbed extensible traffic management [xTM], to higher airspace operations as well.”
For his part, Aharon David, aviation cybersecurity expert with consulting firm AFuzion, noted that overarching cybersecurity standards for aviation and other industry sectors are quite siloed, and as AAM cybersecurity standards are developed, it would be beneficial to harmonize all these standards.
“Some harmonization is happening but it’s hard to do and it’s hard to apply new standards to something like AAM as it hasn’t even started up yet,” he said. “The automotive sector uses SAE/ISO 21434. Industrial control systems use IEC 62443. Healthcare uses its own standard. And in aerospace, there is the American and the European ED-202A, identical but using different IDs. There are some discussions about AAM cybersecurity standards in Europe, but the first attempt at discussing generic cybersecurity for all cyber physical systems is by SAE’s G-32, in which I also take part.”
But while the regulatory aspect is critical, Le Bris noted that potential vulnerabilities remain all along the AAM value chain, from physical equipment that can be jammed to communication and cloud-based systems that can be hacked.
Differences of scale
David is also of the view that cybersecurity threats in the eVTOL sphere are broad. Indeed, they are much broader than in the commercial aircraft sphere for a simple reason.
“In commercial aircraft, we don’t know everything about cybersecurity threats, but we know a lot. There are very few communication pathways. There is well-established digital infrastructure. We have high levels of security with aircraft software systems development, and we have a controlled environment on the ground at airports,” David said. “The typical environment is what we call ‘sterile’ in terms of aircraft operation and maintenance personnel, airport personnel and even among those who develop aircraft. So, the threat from people is quite contained.”
But in the eVTOL era, he explained that “many more personnel will be involved, by at least one order of magnitude. There are going to be so many vertiports and so many of these aircraft in operation. How do you clear all those people? It has to be done, but you can’t apply the same mentality.”
He also noted that in the commercial airliner sector, if you make your aircraft systems correctly, you are resilient to cyber attack. Due to the huge risk to loss of life even if one commercial plane is compromised through cyber attack, the investments in cybersecurity are correspondingly large.
“With eVTOLs, however,” David said, “the companies are tiny in comparison and don’t have the deep pockets to invest a lot in cybersecurity. We don’t even have requirements in place for this yet.”
On that note, David also noted that temptations exist to cut corners in the standards for eVTOL cybersecurity because the aircraft themselves are also tiny in comparison.
“There are hundreds of computing systems aboard an airliner and everything is protected from cyber attack. There is a heavily-protected envelope around the critical systems, generally the flight control, engine control, life support control, etc.,” he said. “But in an eVTOL, there is, in my view, a great temptation to bundle protection of critical and non-critical systems together and just have one system. This is not wise.”
Physical security
Physical security is also obviously a concern, and for eVTOLs, it’s yet to be determined what this will look like. We do know a little, however, about how physical security levels at future vertiports will be affected by location and type of operation.
Le Bris first noted that to date, general aviation (GA) airports in the U.S. and especially heliports have not been subject to the same TSA security requirements as commercial airport facilities. TSA is mandated, however, to develop a standardized threat and vulnerability assessment program for all GA airports and to implement the program on a risk-managed basis.
But some AAM operations at smaller airports will trigger the need for air carriers to develop a TSA security plan per 49 CFR §1544.101 (a) — for instance, flights to and from commercial airports with a sterile area. That is, if AAM operations are accommodated at the same terminals as scheduled commercial flights, Le Bris explained that these AAM flights and their passengers could be subject to higher security standards in order to ensure a consistent mitigation of threats.
But this may not be the case if a separate “landside” vertiport is developed near commercial passenger terminals. And at small GA airports, even the typical airport passenger screening process might not be always warranted depending on the destination, the size of the aircraft, and the operations requirements.
At the same time, Le Bris believes the regulations may evolve to fit certain specificities of AAM. But even if they don’t, AAM providers might elect to implement layers of security going beyond what is required for each individual flight. “This can help make the passenger experience consistent,” he said, “and simplify some aspects of vertiport design and operations.”
Looking forward
According to Le Bris, malicious actors in security realms often follow patterns, but they also know how to get creative with new approaches.
“Therefore, rather than applying one-size-fits-all rigid standards, we need to be smart and agile in the way we develop security processes and manage resources,” he said, “in order to adapt strategies to our ever-changing world and be responsive to evolving menaces.”
David noted that it’s still very early to determine how AAM cybersecurity can and should be different compared to that of traditional aviation cybersecurity. “These questions are cutting-edge,” he said, “and don’t have answers yet.”