Florida Aerospace



                                                             STORY BY DAVE HUGHES

CCX Technologies serves business and commercial aviation in two ways – with an innovative, all-purpose avionics testing device and with all-inclusive cybersecurity equipment and services. CCX’s multi-mode testing device is becoming popular at avionics repair shops in the United States. This year, it is being offered in Europe as well. The Ottawa, Canada-based company developed the T-RX Avionics Tester, a portable tablet test unit with versions for radio or pulse testing or both. 

The tablet has a color 10.4-inch touchscreen and is capable of testing 16 different types of avionics equipment. This includes a tablet for radio testing of VOR, ILS and VHF comm or a tablet for pulse testing of transponder Mode A/C, S, and ADS-B 1090 megahertz. It is possible to get both radio and pulse testing on one module. Testing of ADS-B 978 MHz is optional as are ELT, HF, SELCAL, and TCAS. GPS signal generator and VHF Digital Link Mode 2 capability are also available, and this helps aircraft owners comply with airspace mandates such as the 2020 Eurocontrol requirement for VDL Mode 2 for FANS-1/A above flight level 285. T-RX checks both transmit and receive functions for aircraft using VDL Mode 2. The mode boosts the air-ground data rate to 31,500 bits per second.

The GPS signal generator allows avionics technicians to generate GPS signals with a specific position and track. A T-RX for radio testing can conduct 100 different types of tests on the majority of avionics radio systems. For example, it will check five different parameters associated with VOR. CCX President Chris Bartlett said the company saw an opportunity in the test equipment niche because an innovative approach could streamline tests that were developed decades ago and hadn’t changed much in all those years. CCX figured that a modern approach with a touchscreen tester that could print out test reports would be welcome in today’s avionics repair shops. The printouts can be attached to customer work orders to save time and verify that testing was done correctly. 

Now the T-RX radio or pulse test module or the T-RXRP for both radio and pulse can support everything from Cessnas to the largest commercial and military aircraft. The portable, rugged, wireless module can also connect to the internet for software updates as test requirements and standards change. 

The list prices for these test modules range from about $13,000 for the radio tester, about $20,000 for the pulse tester and about $31,500 for the radio/pulse tester. In January 2022, CCX signed an exclusive distribution agreement with U.K.-based Evolution Measurement, adding the company to its authorized partner network. Evolution Measurement provides products, support and consulting for a wide range of precise measurement tasks including pitot-static equipment in aviation.

 “This arrangement will give more maintainers across Europe access to modern avionics testers not previously available, and will streamline testing for them,” Bartlett said. In a separate line of business, CCX is targeting avionics cybersecurity. 

The company is providing cybersecurity products and services at a time when concern over penetration of networks aboard business jets is rising. Like every other high-value enterprise targeted by hackers, airplanes are not being overlooked today. 

The company’s cybersecurity products and services are also in use on military aircraft. Bartlett said there has been plenty of good work in the industry improving connectivity, hardware, routers and antenna systems. However, these electronics upgrades seldom start with an eye on cybersecurity. 

There is plenty of confusion in the avionics industry and a bit of old-school resistance to the idea that cybersecurity has to be addressed at some level, according to Bartlett. Before co-founding CCX, he had senior leadership roles at TrueNorth Avionics, as director of product management and vice president of business development. In addition, Bartlett had highlevel roles in the electronics, automotive and green energy sectors, in operations management and business development.

CCX is not able to disclose who its customers are due to privacy issues. The company installs its SystemX Aviation on aircraft to protect the cabin and flight deck. The system is able to monitor the aircraft’s complete communications network. “We are one of the few companies that also monitor flight deck data busses,” Bartlett said.

A lot of aviation organizations are now addressing avionics cybersecurity, including the Federal Aviation Administration; European Union Aviation Safety Agency; International Civil Aviation Organization; National Business Aviation Association; General Aviation Manufacturers Association; and the Aircraft Owners and Pilots Association.


 The FAA hosts an annual cybersecurity awareness symposium also known as Cyber Day. This meeting attracts government, industry and academic participants.

A General Accounting Office report on aviation cybersecurity published in October 2021 found that while avionics systems could be vulnerable to cyberattack, there had not been any reports of successful intrusion on an aircraft’s avionics system. But the threat is out there.

The report GAO-21-86 in 2020 said aircraft networks and systems share data with pilots, passengers, maintenance crews, other aircraft and air traffic control in ways previously unforeseen. These interconnections could be at risk from a range of cyberattacks if not protected, the report stated. Key vulnerabilities cited in the report include:

1. Not applying modifications (patches) to commercial software. 

2. Insecure supply chains.

3. Malicious software uploads.

4. Outdated systems on legacy aircraft. 

5. Flight data spoofing. Increasing connectivity may even lead to the safety of flight risks in the future.

The FAA is not up to speed yet, according to the GAO. The report stated the FAA has not assessed its oversight program to prioritize avionics cybersecurity risks, developed an avionics cybersecurity training program, issued guidance for independent cybersecurity testing, or included periodic testing as part of its monitoring program. There is plenty of work to be done on these issues by the agency to guard against cybersecurity risk, the GAO concluded. Bartlett noted a lot of people in the industry don’t understand yet what it means to have cybersecurity. He said the industry is learning about cybersecurity, but some in aviation are expressing skepticism that it is needed. Those with an old-school perspective are fine with security as it has been done in the past

Bartlett noted a lot of people in the industry don’t understand yet what it means to have cybersecurity. He said the industry is learning about cybersecurity, but some in aviation are expressing skepticism that it is needed. Those with an old-school perspective are fine with security as it has been done in the past.

He noted the issue of what is needed is not going away and the learning curve will be similar to that experienced when the aviation industry was grappling with new Satcom providers and capabilities in the early 2000s Some maintenance organizations are proactive in offering cybersecurity solutions to customers and others not so much. “In reality, unlike a typical maintenance issue, it is not as obvious to offer cybersecurity,” Bartlett said.

Hacking of aviation-related computer systems does occur. In October 2021, Flying magazine reported that a former employee hacked into the facility’s computer, according to police reports. The maintenance technician, who was arrested, allegedly altered or deleted the maintenance records on a dozen aircraft. All squawks had been removed, which meant the aircraft may have been operated in an unairworthy condition on seven flights.

CCX advises customers to do an evaluation of their aircraft networks based on the latest vulnerabilities and intrusion methods used by hackers. 

These techniques are always changing. This year, CCX is encouraging business jet operators to move away from checking the network at a point in time to perpetual monitoring. CCX recommends this continue whether the aircraft is on the ground or in the air. SystemX installed on the aircraft is capable of doing this and it can operate autonomously.

CCX then monitors the performance of its SystemX based on the level of service selected by a customer. Some may not need or want to pay for in-flight monitoring. CCX can download data while the aircraft is in the air or post-flight depending on how SystemX is configured.

The Canadian company is engaged with aircraft manufacturers and the military services. Its SystemX system can be used on any MIL-STD-1553 bus, ARINC 429 bus, ADFX or standard Ethernet.

A key part of the service is to continuously update things for new vulnerabilities in the cabin or on the flight deck as hackers change their intrusion tactics. It is easy for CCX to update SystemX equipment on an aircraft. This doesn’t require as much work as a configuration change would.

In a CCX white paper on aviation cybersecurity, the company asserts that the traditional ways of assuring aviation network security defined by RTCA DO-326A are not sufficient.

Testing aircraft systems as individual entities no longer works when they are increasingly interconnected. These linkages can be analyzed for known vulnerabilities under current RTCA and EASA standards, but vulnerabilities are constantly being discovered by those who want to exploit them. Networks must therefore be monitored to identify previously unknown and undetected exploitation.

Malware can bridge networks, and the Stuxnet computer worm showed that physical damage is possible when it was first used to cripple hardware at Iran’s nuclear facilities. Stuxnet has mutated and spread.

CCX recommends persistent monitoring of all networks on board an aircraft, including avionics data buses, passenger entertainment systems and maintenance networks. An attacker only needs to be right once.

CCX also has a white paper on how to fully secure the avionics bay and cockpit against future cybersecurity threats using a Zero Trust Model.

Unlike the perimeter model of security that trusts all traffic, devices and users that pass through a specific gate, Zero Trust assumes no traffic or device should be trusted unless it meets precise parameters. This is an architecture like that for a triple INS system that doesn’t trust a sensor if it starts to diverge from the other two.

The INS system doesn’t trust all three throughout the flight after they have passed a preflight check. Perimeter security is vulnerable because anyone who gets in can move about freely. 

This flaw has been exploited in a lot of known cyberattacks, and Zero Trust is now needed to protect more complex and interconnected systems. CCX explains how a Zero Trust architecture works and how it can be implemented incrementally in existing avionics systems that were designed before this type of cybersecurity became necessary.

Ottawa, where CCX is headquartered, is a center of high-tech businesses, including multinational giants and homegrown companies. Software-intensive aerospace businesses like CCX in Ottawa also include Searidge Technologies, a leader in remote ATC tower technology as well as the Fortune 500 companies General Dynamics, Thales, Leonardo and Lockheed Martin. 

The company is operating in its fifth year now, and it has 30 employees. In the future, it wants to expand from aviation to additional defense applications. 

To learn more about CCX Technologies, visit ccxtechnologies.com