Aviation Officials Step Up Cybersecurity Checks of Older Messaging System

October 16, 2016

U.S. and European aviation authorities are focused on cybersecurity threats that could affect a basic data-transmission system widely used by airlines around the world.

Such concerns about the decades-old system, called Acars and primarily used for air-traffic purposes and to provide information about the status of various aircraft components during flights, have surfaced in the past few months on both sides of the Atlantic. The issue has been raised in U.S. government contracting documents, as well as in comments by industry officials and high-level European safety regulators.

The information sent by the Acars network from planes to the ground isn’t considered safety critical, nor does the system handle any data that could immediately imperil safe operation of flights. No specific hacking attempts or intrusions have been detected, government and industry officials said.

But as the industry moves to revise 1980s-vintage transmission protocols and methods, including use of new frequencies and expanded messaging formats, experts have expressed heightened worries about the vulnerabilities of Acars to hackers or other types of outside intrusions. Because of its age, the system lacks some of the safeguards embedded in newer onboard messaging networks.

Disruptions of Acars could result in major problems for airline scheduling, maintenance or other operational functions, experts interviewed over the past few months said. Acars stands for Aircraft Communications Addressing and Reporting System, originally designed to send short air-to-ground messages. Future uses envision dramatically greater capacity and a wider range of messages.

In September, the Federal Aviation Administration awarded a first-of-a-kind contract to Milwaukee-based Astronautics Corp. to develop comprehensive risk-assessment tools to pinpoint cybersecurity vulnerabilities of aircraft electronics. Acars is slated to be the first onboard system that will be examined using those tools.

At the time, Astronautics said it planned to devise an “efficient, timely and repeatable process” to identify cyberthreats and risk-mitigation strategies.

FAA officials have declined to comment specifically about Acars or details of the contract. In an email on Thursday, the agency said it “will continue to further strengthen its capabilities to defend against new and evolving” cyberthreats.

Earlier, a top official of the European Aviation Safety Agency singled out Acars as a prime example of the need for stepped-up cybersecurity reviews of onboard data systems. Luc Tytgat told an FAA-EASA conference in Washington in June that work was under way “to see if we should not go back to certification” studies of Acars vulnerabilities.

Read full story…