EASA engaged in a “responsible disclosure” of cybersecurity issues in coordination with operators and authorities

Cyber security is becoming more and more important in the aviation sector, due in part to technological advances. EASA’s role is to ensure that cyber risks are taken into account during aircraft design, development and operation, and are then controlled in order to avoid adverse effects on citizens’ safety.

Last year IOActive engaged in a ‘responsible disclosure’ with EASA of some vulnerabilities that had been found in an onboard satcom system providing internet to passengers. The process of responsible disclosure ensures that potential safety risks are addressed before the vulnerability is made public.

Following this process, EASA coordinated with operators and authorities and performed independent verifications. It was concluded that there was no impact on safety, based on the technical knowledge of the certified installation. Furthermore, the supplier corrected the vulnerabilities, and once it was determined that the corrections were implemented and that no system was accessible from the internet, it was agreed with IOActive that they could publicise their research.

More information on what EASA does in this domain can be found on the Cybersecurity page.