Safe But Not Secure: The Changing Landscape of Cybersecurity in Aviation
As commercial aviation becomes an always-online, fully connected industry, it is more important than ever that security measures are as cutting edge as the technology being put in the sky. Where is the industry falling behind?
In 2015, cybersecurity consultant Chris Roberts claimed to have hacked an airliner while riding it, drawing the immediate attention of federal authorities while underscoring the need for comprehensive cybersecurity for airliners that even now are becoming more rather than less connected.
Lost in the rush to update legacy aircraft with state-of-the-art avionics and electronic cabin amenities like wireless internet was a focus on securing those systems against intrusion by bad actors, industry officials told Avionics International. “Airplanes were never designed to be connected, whatsoever, to the internet,” said Panasonic Avionics Information Security Officer Michael Dierickx. “What we did was make a giant [internet of things] device.”
It is important for passengers to feel safe when they fly, and they are, but safety and security are not the same thing, Dierickx said. Passengers should know the difference and airlines should focus on both, he said.
“It comes to end user training,” Dierickx said. “What the passenger really needs to be aware of is while the airline is offering you a better user experience, there is no difference between that wireless onboard an aircraft and going to a Starbucks. … Wireless technology is wireless technology. Passengers will always confuse security with safety. If somebody hacks another passenger on an aircraft, someone thinks that means they can take over a flight-control system — and that’s absolutely false.”
Alaska Airlines Director of Information Security Architecture Jessica Ferguson said aircraft entertainment and control networks are segregated to prevent a malicious actor from compromising flight controls. Hackers are unable to move between those domains because of the way the system architecture segregates them.
“The safety-critical systems that are used for actual control, flight planning and security plans are quite involved. … Then there’s what we call the aircraft information system domain. That’s typically where, if you are an operator, all things like your electronic flight bag (EFB) are. There are systems that may talk with the aircraft. Then we have what’s called the Passenger Information and Entertainment Services Domain (PIESD), your entertainment systems, passenger information, in-flight passenger Wi-Fi.”
Roberts is less confident in system segregation as a safety mechanism and believes flight-critical systems are still at risk of intrusion, interference or disruption. The U.S. Department of Homeland Security has recognized those vulnerabilities and is working to prevent future hacking, he said.
“My concern is still valid,” he said. “There is too much of an attitude that we have segmented it. We have the perception of an air gap, so we should be fine. Nobody has hacked us yet, so why would they now? A lot of industries are realizing it is not the way to go.”
Traditional technology companies deal with a very different regulatory landscape than the one imposed on airlines by the FAA, EASA and other civil aviation regulatory and standards bodies. Aviation companies are forced to merge fast-paced, constantly updating software with hardware that deals in decades-long lifecycles, all while keeping airplanes connected and secure.
If the friction between hardware and software is poorly managed, the consequences are drastic: a relatively minor incident of a hacker exploiting vulnerabilities can cost a company millions. When you’re dealing with planes carrying passengers, serious issues are life-and-death.
Neil Adams, director of national defense at nonprofit defense research-and-development lab Draper, said interception of transmitted data is the most visible cybersecurity threat and therefore receives the most attention.
Ensuring software and upgrades to existing systems are free of bugs or defects also is important. That task is made more difficult when companies employ commercial off-the-shelf (COTS) products and customize them for their use, a fast and easy way to keep up with technology advancements at low cost, Dierickx said.
If a company is using heavily modified COTS products, the latest firmware update might not be compatible, and there is a long lag time before that can be addressed. Multiply that by lots of products all potentially receiving frequent updates and add in regulatory delays, and the risk of vulnerabilities increases.
It is difficult to maintain information and software assurance without securing and monitoring the supply chain, especially when dealing with suppliers in countries, like China, that are known for counterfeit products, he said.
Finally, anti-tampering measures should be taken to ensure components are resistant to reverse engineering, signal processing and algorithm abuse, Adams said.
While information assurance gets by far the most attention, anti-tampering can be a real concern, particularly for older components that are fundamentally insecure. But the two bigger areas of concern, according to Adams, are supply chain integrity and software assurance. They are the industry’s biggest weaknesses, but neither gets the attention required, Adams said.
Information assurance gets so much attention because it is a relatable problem. The fact that the data is being generated and transmitted is one of the major reasons cybersecurity is such a pressing issue. However, simply trying to intercept and decrypt pieces of secure data is not one of the more reliably effective methods of accessing that data. Valuable data will usually be secured, and a better payoff for hackers will come from abusing component vulnerabilities to gain access to systems, from which point they can continually harvest data or wreak havoc.
Data security doesn’t change dramatically between the terrestrial and airborne spheres. Some of the biggest problems the aviation industry encounters in the other stovepipes come about because the traditional cybersecurity practices that would be used in terrestrial instances no longer apply in the same way, according to Panasonic’s Dierickx.
One of the most precarious confluences of software assurance and the legacy aviation timelines is seen in the industry standard for handling updates and patches to avionics systems. Because of regulations, updates that get passed through the chain from manufacturer to vendor to operator — needing appropriate certifications for all relevant regions along the way — can delay important security updates for months.
“Change control in avionics systems is horrendous,” Roberts said. “Everything is slow. Turning to Panasonic, saying, ‘You have holes in IFE, cabin control, whatever,’ they’re looking at six to 12 months and a $1 million-plus effort with FAA headaches to patch stuff.”
Companies like Honeywell and many software developers are exceptions to that rule and have been good about working with researchers to find and solve vulnerabilities. The same is true of the government and military, but “they have a different agenda,” he said.
“We need better collaboration between organizations,” Roberts said. “When we tried to alert organizations, we’d go to Boeing or Airbus, and they’d point to the suppliers, and suppliers would point to airlines, et cetera. … So, you want everybody to get in a room and sit down because it’s a collective problem. We all have a stake. We have to come together and come to a solution.”
There is an effort in the industry to do just that. The Aviation Information Sharing and Analysis Center (ISAC) encourages companies to openly share vulnerabilities they find for the benefit of the community at large and act cooperatively rather than competitively.
Roberts likes the basic concept of the ISAC, “but it means people have to collaborate, which is a challenge.”
Companies need to adopt both active and reactive cybersecurity measures, both Adams and Roberts said. They help create a layer of redundancy and inoculate against human error, which is inevitable when a human is programming and setting up systems, Roberts said.
They need “software capabilities that go through and assess faults,” Roberts said. “Behavioral architecture. In my case, it should have detected extraneous traffic coming from a seat-back entertainment system heading to the cockpit, … killed it and alerted someone.”
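A minimal sketch of the cross-domain check described above, added here as an illustration and not taken from the article, any airline or any vendor. The subnets, the allowed-path policy and the flow records are all constructed assumptions; only the domain names follow the article.

```python
import ipaddress
from collections import Counter

# Constructed addressing plan: one subnet per domain named in the article.
DOMAINS = {
    "CONTROL": ipaddress.ip_network("10.10.0.0/24"),  # safety-critical control
    "AISD": ipaddress.ip_network("10.20.0.0/24"),     # aircraft information systems, EFB
    "PIESD": ipaddress.ip_network("10.30.0.0/22"),    # seat-back IFE, passenger Wi-Fi
}

# Assumed policy: only these (source, destination) domain pairs may carry traffic.
ALLOWED = {("CONTROL", "CONTROL"), ("AISD", "AISD"), ("PIESD", "PIESD"),
           ("CONTROL", "AISD"), ("AISD", "PIESD")}

def domain_of(addr):
    """Map an address to its domain; anything unmapped is UNKNOWN, never trusted."""
    ip = ipaddress.ip_address(addr)
    for name, net in DOMAINS.items():
        if ip in net:
            return name
    return "UNKNOWN"

def evaluate(flow_lines):
    """Return one alert per flow whose domain pair is not explicitly allowed."""
    alerts = []
    for line in flow_lines:
        ts, src, dst, dport = line.split()
        pair = (domain_of(src), domain_of(dst))
        if pair in ALLOWED:
            continue
        # Anything reaching toward the control domain is the worst case.
        severity = "critical" if pair[1] == "CONTROL" else "warning"
        alerts.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                       "path": "->".join(pair), "severity": severity,
                       "action": "drop"})
    return alerts

def repeat_sources(alerts, threshold=2):
    """Sources with several violations: candidates for isolating the device."""
    counts = Counter(a["src"] for a in alerts)
    return sorted(s for s, n in counts.items() if n >= threshold)

# Constructed flow records: time, source, destination, destination port.
SAMPLE_FLOWS = [
    "12:00:01 10.30.1.14 10.30.0.1 443",   # seat-back to IFE server: allowed
    "12:00:02 10.10.0.5 10.20.0.9 5000",   # control to AISD: allowed
    "12:00:03 10.30.1.14 10.10.0.5 22",    # seat-back toward control
    "12:00:04 10.30.1.14 10.10.0.7 80",    # same seat-back, second attempt
    "12:00:05 10.30.2.40 10.20.0.9 8080",  # passenger Wi-Fi toward AISD
    "12:00:06 192.168.7.7 10.20.0.9 53",   # address outside every domain
]
```

The policy is default-deny: a flow is dropped and reported unless its domain pair is listed, so an unmapped address is flagged rather than ignored.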
The best approach to cybersecurity is to develop solutions for entire classes of vulnerabilities, so a single solution can take care of dozens, Adams said.
“But when you’re fielding an aircraft system, there are so many components and software, so many vulnerabilities, you need a more expansive thing,” he said. “It’s like plugging the dyke with your finger when there’s many holes in the dyke.”