New government regulation has been introduced to deal with threats on military air safety.
Cyber-attack presents a significant threat to the safe operation of modern military air systems.
The Military Aviation Authority (MAA) now has the Cyber Security for Airworthiness (CSA) regulation to ensure safety-related systems are appropriately protected from this non-traditional, emerging threat to air safety.
A government statement claims: “The aviation ecosystem is becoming more complex and connected.
“Modern military air systems, like their civil counterparts, are reliant on the correct functioning of avionic systems for safe operation.
“Increasingly, advanced network architectures are being introduced to interconnect avionic systems and other systems for internal and external data transmission.
“These technological advancements bring greater efficiency and performance but could introduce threats to airworthiness and air safety if not sufficiently protected.
“It is vital that cyber security assessments are conducted for connected systems to identify and mitigate, if necessary, airworthiness and air safety risks.”
Physical access security can provide some mitigation, says the statement, but “it is important to note that this can only go so far”
It adds: “For example, cyber security vulnerabilities can be introduced to airborne electronic hardware (AEH) or safety-related airborne software through insecure supply chains.
!Increasing reliance on computerised ground support systems and other systems which connect to avionics, such as connected-electronic flight bags (EFB) or mission equipment, could also introduce vectors for malicious software (malware) if not mitigated. Essentially, any external connectivity for the air system could introduce new threats.
“Some legacy air systems may have fewer intrinsic threats due to older federated architectures, bespoke computer technologies, and less reliance on avionic systems for safe operation.
“It is essential, however, that any extant risks are understood and mitigated.
“It should also be noted that type design changes which introduce new capabilities may establish connectivity to older systems; these could have been developed without consideration for cyber security controls, thereby introducing new vulnerabilities.”