Technology has made aviation safety management systems (SMS) much easier to manage as a whole. Furthermore, this formal, structured approach to managing safety has undeniably contributed to system safety.
Technology is wonderful. It has been changing our lives at an unprecedented rate, and we can easily see how it has positively affected the aviation industry.
Sophisticated software for hazard detection, autopilot, communications, and aviation risk management, along with other technologies, has greatly aided human capabilities for mitigating risk and avoiding flight and ground hazards. One need only look at a year-by-year graph of incident data and compare it to the rise of computers and aviation safety software in the 21st century.
The trend is irrefutable – proactive risk management increases when safety professionals and aviation organizations adopt modern risk management technology.
At the same time, the aviation industry – and indeed all other industries – has increasingly moved from using technology as an aid to relying on it. You might even call it a crutch.
At all levels of aviation, technology is the most integral part of operations for:
This isn’t necessarily a bad thing. However, while the capabilities of aviation software and technologies have increased rapidly, addressing the security of these technologies is way behind. Currently, cyber-security is becoming a hot topic in aviation risk management – just look up aviation safety articles regarding cyber-security and you will see many recent, growing concerns.
But the basic fact is, the aviation industry should have been this concerned many years ago. Addressing cyber-security as probably the greatest risk in the aviation industry should not have started in the past year. And currently, I can say with a great deal of certainty that cyber-security should be at the forefront of your aviation SMS concerns.
Before I jump in and start talking about cyber-specific aviation SMS issues, let’s get to the meat and touch on the question you probably care about most: why should you care?
While phrases like “cyber-security” and “technology” may make this sound like more of an IT issue than an aviation SMS issue – make no mistake that the burden of safety will and should always be on the efficacy of the SMS implementation.
What safety policies, procedures, and strategies does your SMS implementation currently have in place to mitigate cyber-security threats?
Aviation safety management systems should take steps to:
One proactive aviation safety advocate makes a good point when he says:
“First, an aircraft might be hard to hack today but not necessarily tomorrow. Second, security cannot be an afterthought; it must be a part of an Internet-connected system’s design from start to finish.”
When did aviation SMS fail when it comes to cyber-security? There’s really no direct answer here, but we can probably assume with a good deal of confidence that it failed when the aviation industry adopted internet-based technologies without considering data security first.
We arrive back at the age-old issue of production vs. preparedness. Modern Web-enabled technology makes services better and more efficient at nearly every level of aviation, and the industry quickly adopted it. These technologies were rapidly integrated into aircraft and airport subsystems and, in doing so, they have introduced safety concerns at perhaps the most fundamental level of basic cybersecurity: physical security. Physical security basically means preventing unauthorized access.
But it’s more than simply not having a safety-first attitude towards new technologies. Some of the responses to security risks have been rather startling.
We only need to look at the famous example of Chris Roberts. In May of 2015, he allegedly was able to hack into a Boeing aircraft and make small manipulations to the plane. While there is some controversy regarding how much Roberts was actually able to manipulate, the fact that Boeing’s first response was basically to say “It’s impossible” raises some serious red flags.
From what I can gather, there’s not a whole lot in place at the moment beyond the good word of manufacturers that their technology is safe. No vendor or aviation organization likes to admit that they have been hacked or that their Web technologies are vulnerable to attacks. In addition, the whole idea of aviation safety is to proactively be prepared when things don’t go as expected – and things do not always go as expected.
Based on research, this is what I've been able to learn about how regulators and standards bodies address cybersecurity.
Most of what I can find relates to what is being worked on, or what the concerns are, rather than the extensive measures that are already in place. If you are familiar with defending against Web attacks, one of the first principles is "security through obscurity." This concept simply means that the less your attackers know about your system and your processes, the more difficulty these attackers will encounter as they attempt to breach your aviation SMS software and underlying data management systems.
To give an idea of just how critical technology failures can be, whether incidental safety failures or safety failures resulting from malicious intent, consider some of the following examples:
What the above incidents point out is that at all levels of aviation – aircraft, airports, oversight – there is a great risk when data management systems remain vulnerable to malicious activities. Oversight agencies are tasked with responding to the security problem as a whole with specific requirements for technologies. For example, the FAA has defined standards for electronic record-keeping systems. You can find these standards at FSIMS 8901 Chapter 31.
What is your strategy for dealing with SMS data management vulnerabilities?
Your aviation SMS is tasked with recognizing where you are vulnerable to cyber-attacks and what you can do to mitigate incidents should they happen. How can you comply?
Based on SMS audits, SMS Pro provides guidance to our clients as to how SMS Pro deals with the concerns outlined in the FAA's electronic record-keeping standards. While this may not be the only way to address this need, we have found it to be effective. Follow this link to learn how NWDS addresses the FAA's record-keeping standards.
Data security is very important to most consumers and businesses. If you are choosing a vendor to provide your aviation SMS database, it is recommended that you ask them how they keep your data safe. If the SMS database provider is too open with you regarding their IT security, then this should be a red flag: it suggests they don't practice Web security using the very common philosophy of security through obscurity.
Whenever a software provider tells you all their security secrets, they are, in effect, making it easier for hackers to penetrate your system. Why do I tell you this? All I can do is smile.
If you are looking for a secure, Web-based aviation SMS database to manage your SMS documentation requirements, you will not be disappointed with SMS Pro. SMS Pro is a very robust and secure SMS database that has been in production for over a dozen years.
To learn more about SMS Pro, please watch these short demo videos.
Last updated December 2024.