Unifly has announced the successful completion of the Unified UTM Cybersecurity Model project, granted by the Federal Aviation Administration (FAA) as part of the Broad Agency Announcement call 003. In partnership with the Rhea Group and NY UAS Test Site
(NYUASTS), the aim of the project was to refine a UTM cybersecurity model, including the requirements and certification scheme, and to validate the model in an operational environment.
According to a company press release the key characteristics of UTM systems – software-based, highly automated, and relatively recent – make them an attractive target for cyberattacks that exploit vulnerabilities, “threatening aviation safety, the privacy of airspace users, and business operations.
“Although cybersecurity is unanimously recognized as a critical safety concern, UTM cybersecurity has only been partially explored to this date. This includes either considering a limited subset of security attributes (e.g., authentication) or applying generic cybersecurity frameworks (e.g., National Institute of Standards and Technology (NIST) Cybersecurity framework) that do not provide sufficient cyber resilience for the complex ecosystem that is UTM.
“As a result, no comprehensive approach to system requirements, and much less a unified certification scheme, has been developed to assess and validate cybersecurity for UTM systems. These gaps have triggered an urgent need for an updated security framework. In the initial phase of the project, interviews were conducted with the following
stakeholders from the UTM ecosystem: FAA ATO (Federal Aviation Administration – Air Traffic Organization); NASA (National Aeronautics and Space Administration); CNA (The National Security Analysis); Nav Canada (The Air Navigation Service Provider of Canada); DroneUp (Drone Delivery Service Provider)
“During the interviews, the concept of a unified UTM cybersecurity model was presented. Feedback and security requirements were collected from all interviewees, who acknowledged the need for a new security framework.”
According to Jared Thompson, Nav Canada: “When considering traditional Air Traffic Management (ATM), it never had a model that focused on the operational aspect. Therefore, as we introduce additional layers like UTM, it’s imperative to establish a cybersecurity direction as a baseline. While some operational frameworks do exist, they have not been applied in the ATM context.‘”
The project team refined both the system requirements and the security controls for the updated prototype model. The updated prototype model underwent a demonstration through actual flights conducted in an operational environment at the NY Test site in Syracuse, utilizing tracking facilities and Unifly’s Broadcast Location and Identification device (BLIP). The validation process comprised more than 60 flights conducted in diverse operational environments. These flights encompassed three distinct scenarios: operations under optimal conditions, operations subjected to simulated attacks, and operations with the implementation of countermeasures against such attacks.
The testing and demonstration of the updated prototype model in real-world conditions at the NY Test site confirm the need and efficacy of the implemented security controls, according to the press release.
“After extensive research, testing, and data gathering, several reports containing findings and best practices have been delivered. These reports will serve as a baseline for future
cybersecurity framework development. The results of this project will not only benefit the UTM industry but also various stakeholders, including drone operators, regulators, and the general public, by ensuring the safety and privacy of all airspace users. By implementing advanced cybersecurity measures, we can all have peace of mind, knowing that our airspace is secure.”
For more information