Cybersecurity at the seat of the pilot

[Michel_Piaggio]

Are you a commercial airline pilot?

For my Executive Master Cybersecurity thesis at Leiden University, I am conducting a short survey on ‘Cybersecurity at the seat of the pilot’. The research focuses on the responsibilities and crucial role of pilots dealing with cyber threats in the cockpit.
Your participation is highly appreciated.

Click the link below to access the Participant Information Sheet and survey.

https://qualtricsxmt3f2nlxny.qualtrics. ... RLQelelaPc

Thank you for your support and insights.

Michel van Rosendaal
Leiden University – Faculty of Governance and Global Affairs

[CaptDukeNukem]

Nope. No commercial pilots on here. Try pprune.

[Michel_Piaggio]

Thanks for the feedback Captain. And the tip.

My research focuses on how airline pilots can recognize and respond to potential cyber incidents in the cockpit. What may be expected from pilots and what not. (It is not a study into technical cyberattack scenario's.)
If there are any professional pilots here who have a few (10 - 15) minutes to spare, I would greatly appreciate your participation in the survey. Every response helps improve our understanding of this topic.

[Sulako]

I took the survey and it's interesting. Certainly will come up more often in the future. I've been GPS jammed before - near Israel and also Burma - but haven't been spoofed yet, though I think it's coming.

[cdnavater]

I took the survey and it's interesting. Certainly will come up more often in the future. I've been GPS jammed before - near Israel and also Burma - but haven't been spoofed yet, though I think it's coming.

Thanks for letting us know you took the survey, I have a hard time clicking links for unknown sites, a lot of scammers out there these days.
To the poster of the survey, there is nothing currently being trained regarding cyberattacks and as far as I’m aware, my aircraft systems cannot be hacked.
I did recently have a TCAS resolution to a potential mid air collision, I responded to the resolution and when I advised ATC, they informed me of no aircraft in my vicinity. The only thing I can attribute it to is a false indication or a spoof aircraft but it was very real in the moment, when your system is saying climb, climb now while you’re in a 3000’ per minute descent, gets the heart rate up for sure!

[Michel_Piaggio]

Thank you both for sharing your experience. It also illustrate the challenge pilots face. My focus (and that of the survey) is on understanding how pilots would recognize and respond to cyber threats. What can and what can not be expected of pilots.
The TCAS RS is a great illustration. No, control of the aircraft has not been taken over, but it is very well possible that data was intentionally tampered with. With potential consequences for flight safety.

If any other pilots are reading this, I'd greatly appreciate your participation in the survey. The more perspectives I can collect, the more useful and realistic the findings will be.

If you have any questions about the study, please don't hesitate to ask.
Thank you for supporting the research.

[Michel_Piaggio]

This is an one time repeated request.

I am looking for some more commercial airline pilots to complete the short survey ( 10 - 15 minutes, anonymous).
By now, more than 60 pilots have participated. To ensure a good spread of roles and experience levels, additional responses are still very welcome.

Your participation is greatly appreciated.
Sharing with your network also helps enormously.

Link:
https://qualtricsxmt3f2nlxny.qualtrics. ... RLQelelaPc
Thank you once again.

Michel van Rosendaal
Executive Master cybersecurity
University of Leiden
Faculty of Governance and Global Affairs

[Eric Janson]

Are you a commercial airline pilot?

For my Executive Master Cybersecurity thesis at Leiden University, I am conducting a short survey on ‘Cybersecurity at the seat of the pilot’. The research focuses on the responsibilities and crucial role of pilots dealing with cyber threats in the cockpit.
Your participation is highly appreciated.

Click the link below to access the Participant Information Sheet and survey.

https://qualtricsxmt3f2nlxny.qualtrics. ... RLQelelaPc

Thank you for your support and insights.

Michel van Rosendaal
Leiden University – Faculty of Governance and Global Affairs

Your survey is overly complicated and deals with issues that we have no information about as Pilots (IT architecture).

Your select 5/10 option isn't logical because all 10 choices are valid options.

I have experienced multiple GPS Jamming/Spoofing events. The only consequence is the downgrading of navigation capability which may require conventional approaches to be flown. In several cases the GPS did not recover after flying clear of the jamming/spoofing area.

No issues dealing with any of the above.

airbus manuals have a section dealing with this and the actions to be taken.

I fly an older aircraft that has no Internet on board - just Datalink/CPDLC.

[Michel_Piaggio]

Eric,
Thank you for your feedback, and taking the survey. Both inputs do help me greatly.

Sorry to hear you find the survey overcomplicated and the intentions of some of the questions apparently are perhaps not always clear. For clarification purposes:
- the question on IT architecture is not intended as a 'testing-technical-knowledge question'; it is on what knowledge would be helpful as to detect cyber threats;
- the questions on competenties (or better 'desired behaviours'): I do agree, everything is valid, that is exactly the point. The research tries to figure out if pilots think there is a difference (in required competenties) in dealing with safety hazards vs cybersecurity threats.

GNSS Spoofing to me is an example of a cybersecurity breach. And again, I agree with you: nowadays pilots know how to deal with it (although it might still have ongoing safety impacts e.g. turning of the GPWS, and the need to recycle the system once on the ground). However, that most certainly was not the case the first times it happened, years ago. It was not detected at first, it was not understood what was happening, it was unclear what to do, there were no procedures in place, etc. Research has shown that flight safety did indeed require attention at that time.

Interesting you refer to CPDLC: this could well be the next 'area of attention'. Due to its lack of authentication and encryption, it is vulnerable to data manipulation. And this is true for more systems (e.g. ADS-B, ACARS).

The research tries to figure out to what extent all this is a threat to flight safety and what can and cannot be expected from pilots dealing with this (e.g. emphasising certain 'competenties'? having a basic understanding of system protection? etc.).

Once again, thank you for sharing your insights.

[Eric Janson]

Interesting you refer to CPDLC: this could well be the next 'area of attention'. Due to its lack of authentication and encryption, it is vulnerable to data manipulation. And this is true for more systems (e.g. ADS-B, ACARS).

The research tries to figure out to what extent all this is a threat to flight safety and what can and cannot be expected from pilots dealing with this (e.g. emphasising certain 'competenties'? having a basic understanding of system protection? etc.).

Once again, thank you for sharing your insights.

The CPDLC/ADS-B/ACARS cannot be used to alter the flight path. Pilot input is needed for flight path changes.

I would rate the threat as extremely low - I've never heard of false messages being transmitted.

We had a NOTAM in Eritrea a few years where rebels were transmitting false clearances on the frequency used by ATC. Even in this situation it was possible to check on the validity of a clearance (which I won't discuss here). I never had this happen but all flightcrew were aware of the NOTAM.

If possible I'd like to read your thesis once you've finished it.

[Michel_Piaggio]

Off course, happy to share once finished. (will take some more months )

[Michel_Piaggio]

Reminder: final s days to participate

The online survey for commercial pilots concludes in 48 hours. Completing it is highly efficient and takes around 10 minutes.

Link:
https://qualtricsxmt3f2nlxny.qualtrics. ... RLQelelaPc

Many thanks to those who have already contributed, and thank you to the forum for granting permission to post this study.

Safe flights & kind regards,

Michel
Van Rosendaal
University of Leiden.