Cyber Security in Aviation SMS Data Management

Technology has made aviation safety management systems (SMS) much easier to manage as a whole. Furthermore, this formal, structured approach to managing safety has undeniably contributed to system safety.

Technology is wonderful. It has been changing our lives at an unprecedented rate, and we can easily see how it has positively affected the aviation industry.

Sophisticated software for hazard detection, autopilot, communications, aviation risk management software and other technologies have greatly aided human capabilities for mitigating risk and avoiding flight and ground hazards. One need only look at year by year graph of incident data and compare it to the rise of computers and aviation safety software in the 21^st century.

Related Aviation Safety Software Articles

• 21 Benefits of Risk Management Software
• Spreadsheets vs Software for Aviation Safety Management
• How to Choose Aviation SMS Software - Educating SMS Professionals

Aviation SMS Software Increases Proactive Risk Management Activities

The trend is irrefutable – proactive risk management increases when safety professionals and aviation organizations adopt modern risk management technology.

At the same time, the aviation industry – and indeed all other industries – has increasingly moved from using technology as an aid to relying on it. You might even call it a crutch.

At all levels of aviation, technology is at the most integral part of the operations for:

• Aircraft;
• Airports;
• Oversight agencies such as the FAA or ICAO; and
• Aviation safety management systems.

This isn’t necessarily a bad thing. But while the capabilities of aviation software and technologies have increased rapidly, addressing the security of these technologies is way behind. Currently, cyber-security is becoming a hot topic in aviation risk management – just look up aviation safety articles regarding cyber-security and you will see many recent, growing concerns.

But the basic fact is, the aviation industry should have been this concerned many years ago. Addressing cyber-security as probably the greatest risk in the aviation industry should not have started in the past year. And currently, I can say with a great deal of certainty that cyber-security should be at the forefront of your aviation SMS concerns.

What Your Aviation SMS Needs

Before I jump in and start talking about cyber-specific aviation SMS issues, let’s get to the meat and touch on the question you probably care about most: why should you care?

While phrases like “cyber-security” and “technology” may make this sound like more of an IT issue than an aviation SMS issue – make no mistake that the burden of safety will and should always be on the efficacy of the SMS implementation.

What current safety policies, procedures, and strategies does your SMS implementation currently have in place to mitigate cyber-security threats?

Proactive Activities to Protect Aviation SMS Data

Aviation safety management systems should take steps to:

• Incorporate IT security aspects into their SMS processes, inspections, etc.;
• Have training for identification of suspicious cyber activity and indications of malware;
• Discussions about cyber-security should be a regular mainstay in a meeting with employees, stakeholders, and executive management; and
• Have procedures and training regarding what to do in the event of a cyber-attack, whether it’s an on-flight attack, airport attack, or some kind of malware in the organization's servers.

One proactive aviation safety advocate makes a good point when he says:

“First, an aircraft might be hard to hack today but not necessarily tomorrow. Second, security cannot be an afterthought; it must be a part of an Internet-connected system’s design from start to finish.”

Related Proactive Risk Management Articles

• Difference Between Reactive, Predictive and Proactive Risk Management in Aviation SMS
• From Reactive to Proactive Risk Management in Aviation SMS
• How to Practice Proactive Risk Management in Aviation Safety

When Aviation SMS Failed Cyber Security

When did aviation SMS fail when it comes to cyber-security? There’s really no direct answer here, but we can probably assume with a good deal of confidence that it failed when the aviation industry adopted internet-based technologies without considering data security first.

We arrive back at the age-old issue of production vs. preparedness. Modern Web-enabled technology makes services better and more efficient at nearly every level of aviation, and the industry quickly adopted it. These technologies were rapidly integrated into aircraft and airport subsystems and, in doing so, they have introduced safety concerns at perhaps the most fundamental level of basic cybersecurity: physical security. Physical security basically means preventing unauthorized access.

But it’s more than simply not having a safety-first attitude towards new technologies. Some of the responses against security risks have been rather startling.

We only need to look at the famous example of Chris Roberts. In May of 2015, he allegedly was able to hack into a Boeing aircraft and make small manipulations to the plane. While there is some controversy regarding how much Roberts was actually able to manipulate, the fact that Boeing’s first response was basically to say “It’s impossible,” raises some serious red flags.

What’s Currently in Place

From what I can gather, there’s not a whole lot in place at the moment beyond the good word of manufacturers that their technology is safe. No vendor or aviation organization likes to admit that they have been hacked or that their Web technologies are vulnerable to attacks. In addition, the whole idea of aviation safety is to proactively be prepared when things don’t go as expected – and things never always go as expected.

Based on research, this is what I've been able to learn about how regulators and standards bodies address cybersecurity.

• IATA has released an Aviation Cyber Security Toolkit, that features risk mitigation strategies among other things;
• FAA unveiled recently that they are working on guidelines for “hack-proof” planes guidelines – however, at this point, they are only at the “guidelines” stage and “hack-proof” doesn’t sound like a particularly achievable goal; and
• The FAA also has documentation for cyber-security roles and responsibilities.

Most of what I can find mostly relates to what is being worked on, or what the concerns are, rather than the extensive measures that are already in place. If you are familiar with defending against Web attacks, one of the first principles is "security through obscurity." This concept simply means that the less your attackers know about your system and your processes, the more difficulty these attackers will encounter as they attempt to breach your aviation SMS software and underlying data management systems.

Related Aviation SMS Software Articles

• How to Choose the Best Aviation Safety Database Software
• How Does Aviation Safety Software Improve Safety? - Aviation SMS
• 20 Benefits of Aviation SMS Software

Cyber Security: Critical Threat to Aviation SMS

Just to give an idea of just how critical technology failures can be – whether incidental safety failures or safety failures as the result of malicious intent, consider some of the following examples:

• The crash of Spanair flight 5022 just after take-off in Madrid Barajas Airport on 20 August 2008, killed 154 people. The Civil Aviation Accident and Incident Investigation Commission of Spain reported that the crash occurred because the central computer system used for monitoring technical problems onboard the aircraft was infected with malware;
• An attack on an FAA computer in February 2009, where hackers obtained access to personal information on 48,000 past and present FAA employees;
• A cyber-attack that instigated the shutdown of the passport control systems at the departure terminals at Istanbul Atatürk and Sabiha Gökçen airports in July 2013, in which many flights were delayed;
• An apparent cyber-attack that possibly involved malicious hacking and phishing targeted 75 airports in the USA in 2013; and
• The (possible) in-flight hacking of an aircraft by Roberts in 2015.

What the above incidents point out is that at all levels of aviation – aircraft, airports, oversight – there is a great risk when data management systems remain vulnerable to malicious activities. Oversight agencies are tasked with responding to the security problem as a whole with specific requirements for technologies. For example, the FAA has defined standards for electronic record-keeping systems. You can find these standards at FSIMS 8901 Chapter 31.

What is your strategy for dealing with SMS data management vulnerabilities?

Your aviation SMS is tasked with recognizing where you are vulnerable to cyber-attacks and what you can do to mitigate incidents should they happen. How can you comply?

Based on SMS audits, SMS Pro provides guidance to our clients as to how SMS Pro deals with the concerns outlined in the FAA's electronic record-keeping standards. While this may not be the only way to address this need, we have found it to be effective. Follow this link to learn how NWDS addresses the FAA's record-keeping standards.

Data security is very important to most consumers and businesses. If you are choosing a vendor to provide your aviation SMS database, it is recommended that you ask them how they keep your data safe. If the SMS database provider is too open with you regarding their IT security, then this should be a red flag and they don't practice Web security using a most common philosophy of security through obscurity.

Whenever a software provider tells you all their security secrets, they are, in effect, making it easier for hackers to penetrate your system. Why do I tell you this? All I can do is smile.

If you are looking for a secure, Web-based aviation SMS database to manage your SMS documentation requirements, you will not be disappointed with SMS Pro. SMS Pro is a very robust and secure SMS database that has been in production for over a dozen years.

To learn more about SMS Pro, please watch these short demo videos.

Last updated March 2024.