As the aviation industry struggles to adopt cybersecurity measures in an effort to keep airspace safe from hackers, authorities in the U.S. and European Union are reportedly failing to see eye to eye.
While keeping safe the computer systems relied upon by airlines is certainly nothing new, a “trans-Atlantic tiff” has emerged following a meeting in Washington, D.C., last week where American aviation experts discussed the future of international airspace cybersecurity, the Wall Street Journal reported on Tuesday.
With stakeholders in the U.S. and EU having failed so far to reach common ground with respect to hammering out uniform cybersecurity policies to adopt on both sides of the ocean, industry representatives told the paper that new problems could arise unless a compromise is reached soon.
As an agreement is sought out, however, European regulators stressed the importance of the issue in a document cited by the Journal this week that stated “all recently designed large airplanes are known to be sensitive” to cyberthreats because of the “interconnectivity features of their avionics systems.”
Regulators in the U.S. and EU understand that airline software needs to be routinely updated to ensure applications aren’t left vulnerable to attack. The Journal reported that representatives with America’s Federal Aviation Administration and the European Aviation Safety Agency agree that onboard systems must be isolated to avoid letting attackers jump from network to network with potentially grave repercussions.
Nevertheless, differences are still apparent on either side with regard to how, exactly, further tests and adjustments should be implemented. Industry officials told the paper that American suppliers may encounter major challenges when it comes to selling flight-related systems abroad unless both the U.S. and EU agree to adopt similar measures.
The U.S. favors “different standards based on the threat and magnitude of a potential nefarious actor,” Jens Hennig, the co-chairman of an FAA-created panel tasked with recommending new rules, told the Journal. “Having differences between U.S. and European standards is never good for manufacturers.”
Indeed, EASA spokesman Dominique Fouda admitted to the newspaper that the U.S. and EU rely on “slightly different philosophies” when it comes to cybersecurity, and that both sides are attempting to reach common ground but “are still not there.”
The disagreements between the two sides with regard to adopting uniform cybersecurity policy come eight months after the U.S. Government Accountability Office said in a report that hundreds of commercial aircraft may be vulnerable to cyberattacks conducted over interconnected onboard systems.
“Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented,” the report stated. “The experts said that if the cabin systems connect to the cockpit avionics systems and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin.”
Earlier this month, Sen. Edward Markey, Massachusetts Democrat, sent letters to a dozen domestic airlines and two airplane manufacturers to ensure they are taking cybersecurity concerns seriously.
“As new technologies continue to enhance all aspects of the airline industry, airplanes and airline operations have become increasingly interconnected,” he wrote. “With these technological advancements come great benefits. … However, as we’ve witnessed recently in the automobile industry, I am concerned that these technologies may also pose great threats to our security, privacy and economy.”
United Airlines and American Airlines both admitted in 2015 that they launched investigations upon reports of being breached by cyberattackers, and around 1,400 passengers of a Polish airline were grounded in June after hackers reportedly compromised ground computers that control flight plans.
Sebastian Mikosz, CEO of the Polish airline LOT, told Reuters at the time: “Of course, this is an industry problem, not a LOT problem but an industry problem on a much wider scale, and for sure we have to give it more attention, if it can be given more attention.”