FAA asks industry for aircraft system security and protection technologies

WASHINGTON, 4 March 2016. Federal Aviation Administration (FAA) officials in Washington, concerned about aircraft network systems security on current and future aircraft, have issued Broad Agency Announcement (BAA) DTFACT-16-R-00037 for Aircraft Systems Information Security/Protection (ASISP).

Future generations of aircraft will be increasingly network centric to expand aircraft connectivity for improved safety, operations, and maintenance. Aircraft manufacturers and modifiers are installing avionics systems to enable increased connectivity within an aircraft as well as to networks external to the aircraft to take full advantage of new computer technologies for more efficient aircraft operations and safety enhancements.

Stoyan Yotov / Shutterstock.com

The increased connectivity, particularly to external networks and systems without sufficient security controls could introduce information security vulnerabilities, which if exploited, might impact the safety of aircraft operations and continued airworthiness.

Examples of such external networks and services include: airline operation centers, airport gate links, flight information databases, and aircraft software uploads and maintenance.

Research is needed to address Aircraft Systems Information Security / Protection (ASISP) concerns, encompassing aircraft certification and continued operational safety. The focus is on the aircraft itself and does not encompass the entire national airspace system (NAS), but does include aircraft connectivity to external links (also called access points or apertures). The research will explore where ASISP-related threats and risks can compromise fail-safe mechanisms in the architecture, design, and operation of aircraft systems, including ASISP-related particular risks that might lead to common cause failures.

In summary, this ASISP research effort will develop a timely process to explore security vulnerability/threat identification and risk identification/mitigation to provide the necessary information to support the FAA’s eventual development of aviation policies, regulation, and training requirements to ensure the resilience of aircraft network systems from cyber-attacks.

More specifically, this Broad Agency Announcement (BAA) provides direct support to the FAA NextGen Aviation Research Division (ANG-E2) to research, develop, and apply methodologies for ASISP Safety Risk Assessment (SRA) associated with avionics systems onboard aircraft operated in the U.S. National Airspace System (NAS). This research, including the resulting methodologies and SRAs, is intended to assist decision-making by the FAA’s Aviation Safety (AVS) organization to establish appropriate safety policies and regulations.