How safe are fighter aircraft from cyber attacks?
The Swiss electorate said Yes to the acquisition of new fighter aircraft. They will contribute to the security of Switzerland. Yet modern fighter aicraft are packed with electronics and software. Is it possible to «hack» fighter aircraft? And what needs to be taken into account during the evaluation, so that this scenario does not occur? Matthias Bertram, cyber specialist in the project for new fighter aircraft, explains the cyber risks involved in fighter aircraft.
Aeronautical Systems, Section New Fighter Aircraft
Matthias Bertram (43) is a graduate engineer (university of applied sciences) in electrical engineering. After a position in research at the «Inselspital» Hospital Bern, followed by various functions in product development in an international medical technology company, he joined armasuisse in 2018. Since then, he has been working as a project manager for mission support systems and as a deputy project manager in engineering in the project «New Fighter Aircraft».
How much software is in a fighter aircraft?
The software of modern fighter aircraft is based on millions of lines of code. If you were to print out this programme code, you would have a stack of paper more than 10 metres high. The related ground systems, such as the mission planning system, also contain software. These also need to be considered in the cyber risks of fighter aircraft.
How do you deal with the associated cyber risks?
A modern weapon system such as a fighter aircraft with its ground systems is subject to strict cyber risk management during its entire life cycle, including disposal. The important thing is that this is designed holistically and covers all aspects of technology, the operations and maintenance of a fighter aircraft. For example, the information system must be structured and certified such that it cannot be accessed in an unauthorised manner and the security-cleared staff only get access to the information and systems necessary for the respective work.
Measures performed to increase cyber security are tested and periodically checked.
The training and continuous education of staff in this area is also extremely important. The specific knowledge and involvement of employees is a key factor in ensuring cyber security.
How is cyber security evaluated and ensured in the evaluation and later in procurement?
During the evaluation, we analyse the new fighter aircraft candidates by means of the answers to a detailed questionnaire including the subject of cyber security, which is to be answered as part of the offer. For example, we want to know how the manufacturer's supply chains are set up and how staff and subcontractors are checked. Based on the data received, the cyber security of the candidates is assessed as part of the evaluation.
When the new fighter aircraft is procured, what is most important is implementing the integration in the Swiss system environment. Identified cyber risks are controlled using the necessary measures, so that cyber security can be ensured at all times.
Which new challenges does the topic of cyber cause in procurement?
Due to its extreme importance, we cover the subject with a comprehensive cyber security process in the New Fighter Aircraft project, which provides clear requirements to the project management and the candidate, whereby the candidate's requirements will also be part of the procurement contract.
In the area of cyber threats and information technology, we are operating in a very dynamic environment and must be able to react to such threats even in our procurement processes.
In the operations & maintenance area, we also have experiences with established cyber security processes with the F/A-18C/D, which we can rely on and which we will further develop.
Which cyber protection measures need to be performed for actual application (in other words, if a fighter aircraft is actually procured and used)?
Fighter aircraft are protected holistically against possible cyber attacks. A broad bundle of measures and processes of cyber security is implemented in the operations and maintenance area.
Many protective measures are basically similar to well-known measures of information security and data protection, but they are implemented very distinctly: The protection of the aircraft is guaranteed, for example, by appropriate buildings, alarm systems, guarding, access control, etc. In the area of software and data, for example, signatures, encryption, role-based access, virus scanners and real-time analyses of running systems are used as protective measures. The numerous measures are based on the coordinated implementation of holistic and systematic cyber risk management.
Assuming that a fighter aircraft system is actually attacked in the cyber area - what are the next steps? Who does what, when, why?
It is important that cyber attacks are detected early on, which is why the systems are continuously monitored in operation. However, as described above, the prevention of cyber attacks in fighter aircraft and ground systems is very well developed.
When an attack is detected, a prepared cyber emergency concept is put into operation. This concept defines how to react to a cyber attack and how the system concerned can be cleaned and returned to normal operation again as fast as possible.