How Secure Are IFEC Systems?

In the age of the connected aircraft, the aviation community embraces a culture of resiliency and proactive collaboration to counter increasing cyber threats.

The aviation world has come a long way from the days when the extent of connectivity in the cabin revolved around self-contained in-flight entertainment and connectivity (IFEC) systems comprising a server, distribution system and seatback displays. Being connected was limited to watching a movie offered by the airline or scanning pre-recorded news broadcasts.

Then came SwiftBroadband service followed by more powerful high-bandwidth satellites and Wi-Fi in the cabin, and with it, a proliferation of passenger smartphones and other devices. It’s not surprising that 81 airlines today offer a full range of IFEC services with the ability for travelers to connect their personal electronic devices [PEDs] to the aircraft’s wireless network.

“There is a real proliferation of connected aircraft,” said Frederick Schreiner, CTO of Thales InFlyt Experience. “A recent article by Airbus talked about 50% coverage by 2020, and I’ve seen other articles say, ‘2021.’

The adoption rate of connectivity will be based on linefit adoption and retrofit activity of systems.”

He observed that airplanes today are no longer “isolated aluminum tubes,” but nodes in the Internet of Things. “We’re talking to it; people are able to connect, stream, text and browse.”

Airlines, he added, are increasingly investing in data analytics, not only to differentiate the customer experience with personalized services, but also to create operational efficiencies on the plane.

Considering these advancements and news about cyberattacks on the ground, the question is whether the aviation sector can stay ahead of resourceful adversaries who have successfully exploited network weaknesses in multiple industries. Hacker Chris Roberts’ well-publicized claims to the FBI in 2015 said he had compromised a jetliner’s flight controls at least 15 times by connecting through entertainment systems. While his claims remain the subject of debate, the ordeal “was a wake-up call” to the aviation industry, recalled Schreiner.

“There was a very intensive effort on the part of Thales, Panasonic, Boeing, Airbus and the federal government to work to validate or disprove Roberts’ claims about control systems,” recalled Schreiner.

Schreiner emphasized that the aviation community and partners collectively determined that no such breach occurred, since the operational system that controls an aircraft’s navigation and safety functions is separate from the IFEC system.

Thales’ CTO said collaborative cybersecurity agreements with Airbus and Boeing ensure “the cabin and cockpit domains are properly protected.”

“On the cabin side, we have a number of layered protections within the IFE system to protect from potential attackers who connect to access points on the aircraft,” added Samuel Miller, Thales’ product security officer. “We are continuously testing and updating and patching those controls to make sure that they can protect the IFE system appropriately.”

Though both Miller and Schreiner agreed that “no one is immune” from threats, they argued that the aviation sector is more process-driven to address security vulnerabilities quickly. That mindset wasn’t in place at Equifax, which was hit by a massive data breach early 2017 that comprised personal data on more than 145 million Americans. The cause: an earlier vulnerability that hadn’t been mediated quickly.

“We’re gearing our processes to quickly identify and contain root causes and take the necessary action to mitigate the impact of these things, so that’s key,” said Schreiner. “You have to have internal processes that are well aligned to respond quickly. If you can get that institutionalized and the appropriate triggers in place, you can act quickly.”

Panasonic Avionics emphasized the role its network security operations centers play in monitoring their airline customers’ in-cabin networks and the devices connected onto cabin IFEC systems.Photo courtesy of Panasonic

Understanding the Most Worrisome Cyber Threats in the Passenger Cabin

Threat vectors of most concern to the aviation sector are ones where someone is trying to steal intellectual property, such as a film or a passenger’s personal or financial information. The other category, denial-of-service attacks, can disrupt customers’ IFEC viewing experience with degraded images, blackened screens or malicious messages appearing on passengers’ viewing screens.

One security flaw, discovered by Belgium’s University of Leuven researcher Mathy Vanhoef, appears to affect Wi-Fi connections. The issue stems from WPA-2, a protocol that secures wireless networks. The flaw, called KRACK (short for key reinstallation attack), could allow a hacker within range of someone’s device to break encryption and potentially steal and manipulate data.

According to Miller, passengers are not vulnerable when connecting to onboard Wi-Fi because those networks typically do not use WPA-2. But airline crews do connect to WPA-2 networks, which require a common password before using tablets and electronic flight bags.

“What’s critical is that these devices are patched as soon as possible,” said Miller. “KRACK is actually a set of many vulnerabilities. Most of the vulnerabilities are actually on the PED device itself — the tablets, laptops — but there may be a couple specific to the access points. It’s critically important that airlines update their devices as soon as an update becomes available.”

Many industry observers point out that there are key differences in how airline service and hardware providers go about outfitting systems on aircraft that make them less likely to be vulnerable the way that public wireless hot spots in places like a coffee shop would be.

“Our use of commercial-off-the-shelf products is limited. We customize and are never complacent, always protecting our assets, understanding new types of attacks and vulnerabilities for the hardware and software layer and deploying patches when necessary,” noted Michael Dierickx, director of security engineering and information security officer for Panasonic North America. “There’s a lot of checks and balances and controls in place for what is allowed on board an aircraft and how it operates.”

Panasonic Avionics is monitoring more than 45 airlines and 1,700 IFEC-connected aircraft. According to Dierickx, Panasonic leverages best practices of security teams across all of

Panasonic, including its automotive and eco solutions for smart cities businesses. “There’s a constant dialogue going on among our security teams, and that gives us an extra layer of knowledge sharing,” he said.

Making the Right Investments, Leveraging Knowledge

Thales takes a similar approach, leveraging security knowledge across the broader Thales Group. Today, 19 of the world’s 20 largest banks, four of the five largest energy companies and 27 NATO countries rely on Thales for risk assessment, penetration testing, key management and encryption. Many of the same tools and expertise are applied to protect Thales IFEC systems.

Satcom Direct, which primarily serves business aircraft, made an investment three years ago in its infrastructure, which is now privately owned. “We made sure that network connections from the air to the ground are over a secure satellite connection and that it comes into a secure infrastructure,” said Chris Moore, chief commercial officer for Satcom Direct.

Thales and Panasonic also emphasized the role their network security operations centers play in constantly monitoring their airline customers’ in-cabin networks and the devices connected onto cabin IFEC systems. In addition, many are making cybersecurity monitoring a direct service to their airline customers.

At this year’s National Business Association trade show, Satcom Direct announced SD Pro, a web-based platform that delivers flight planning, scheduling, flight tracking, flight data, connectivity monitoring and maintenance tracking via a single access point.

Thales in 2018 plans to deliver a real-time security monitoring capability to help airlines operate more efficiently.Photo courtesy of Thales

“We’ve seen quite a ferocious uptake. We’re actually offering the cybersecurity module as a default for our SD Pro customers,” said Moore, noting that 7,500 aircraft are using the tool. The cybersecurity module allows customers to see low, medium and high-level threats to their network in an easy-to-understand format.

“We offer a comprehensive approach, including education, threat monitoring and full-on VPN. An important first step, our Cyber Security Audit, helps flight departments understand vulnerabilities from the various devices boarding the plane, down to the security policies of their suppliers,” Moore added.

Thales’ 2018 roadmap includes delivering a real-time security monitoring capability. “We’re looking to bundle cyber services with other types of services to create greater value and help airlines operate more efficiently,” said Schreiner.

Taking a Leadership Role in Cybersecurity Awareness

The companies also emphasized their commitment to continue to increase the industry’s cybersecurity awareness and readiness.

Satcom Direct briefs members of its customer advisory board quarterly on current and emerging technology and security issues, while Panasonic hosts an annual security conference, where customers, original equipment manufacturers (OEMs) and government agencies are invited to discuss security approaches and to tour the company’s network security operations center.

In November, Thales partnered with the Atlantic Council’s Cyber Statecraft Initiative to release an in-depth report, “Aviation Cybersecurity—Finding Lift, Minimizing Drag.” The report, underwritten by Thales with input from security experts across the industry, examined major cyber threats, vulnerabilities and potential solutions.

One of the contributors to the report, Jeffrey Troy, executive director of the Aviation Information Sharing and Analysis Center (A-ISAC), expressed confidence in the industry’s continuing leadership and track record for safety.

“I’ve seen the passion of these companies for security,” said Troy, a former FBI special agent.

Airline manufacturers have well-defined processes and built-in validations to ensure that safety is paramount in the plane. “Before cybersecurity ever became the problem of the day that everyone is addressing, safety has been an incredible focus of the entire industry, and the results of that focus you can clearly see in the safety record of the industry over the years,” Troy said.

A-ISAC’s mission is to share security information across the aviation sector. According to Troy, the number of association members has doubled in 2017 and includes airlines, airport operators, OEMs, and service and technology providers from five continents.

“Collaboration is paramount. That’s the mission of the A-ISAC. The significant increase in companies joining the A-ISAC is testament to how much they want to be able to collaborate with each other,” he said.

To illustrate his point, Troy said when an airline, airport or manufacturer uncovers a vulnerability or experiences an attack, “they don’t look at it as, ‘It was my airport or my company.’ They look at it as, ‘It was our industry.’”

Aviation Security Leaders Weigh In

What’s the Next Big Cybersecurity Challenge for Securing the Passenger Cabin?

“One of the big themes is data privacy. As the [EU] General Data Protection Regulation goes into effect, airlines are also looking for the value propositions around increased personalization. There will be a lot of visibility on the use of personal data to enhance people’s flight experience. We also know that we are in a world now where the number of PEDs exceeds the number of people. That will continue. PEDs contain software, and we don’t know when a passenger comes on board what’s on their PED. We have to remain vigilant as we interact with people’s personal devices to ensure that there is no chance that there is a transmission of any type of virus or bot.” – Fred Schreiner, CTO, Thales InFlyt Experience

“As the plane continues to be a node in the network, there will be an increase in data volume and attack surfaces. Having the proper tools, technologies and people in place to secure the larger volumes of data, including a lot more personal data, will be critical in the future. It’s a focus of our roadmap.” – Samuel Miller, product security officer, Thales InFlyt Experience

“It always evolves; we’re never complacent, we’re always trying to be on the forefront, protecting our assets, understanding new types of attacks and vulnerabilities from the hardware and software layer.” – Michael Dierickx, director of security engineering, information security officer, Panasonic North America

“We are very concerned about the laws in the U.S. and around the globe with respect to people scanning for vulnerabilities in the IFEC system while the plane is in flight. Is that a potential criminal activity? Discussions are ongoing in the industry on how we define this moving forward.” – Jeffrey Troy, executive director, A-ISAC

“Cybersecurity is one of the most important issues facing aviation today, and it’s a question of ‘when?’ not ‘if?’ A conscious effort toward building the aviation community’s awareness of security is crucial, and we’re continuing to build solutions to keep customer data safe — now and in the future.” – Chris Moore, chief commercial officer, Satcom Direct

End-to-End Cybersecurity in Aerospace

To what extent must hardware manufacturers, service providers and others across the satellite ecosystem collaborate to ensure secure cyberspace for their customers? During a panel at the 2017 CyberSat Summit in Tysons Corner, Virginia, in November, experts agreed that one of the biggest challenges in cybersecurity today is the ongoing transition to an ecosystem where competing companies must cooperate on joint solutions for their shared customers.

In-flight connectivity for airlines exemplifies a vertical that may leverage solutions from multiple companies to serve their customers’ needs. “Instead of using one constellation, there may be one or two or three; instead of one point of presence (POP), it may be two or three,” said John Zban, CIO at Satcom Direct.

The crux of the cybersecurity issue, the panelists agreed, is that all nodes within the satellite ecosystem must be resilient. “If you have a chain and it’s made of titanium, [a] paper link diminishes the strength of the entire chain,” Zban said.

A paradigm for sharing critical cybersecurity information already exists in the form of the Information Sharing and Analysis Center (ISAC). Since 2012, ISAC has featured threat warning and incident reporting capabilities divided by sectors, allowing those operating in aerospace, for example, to share actionable information related to cybersecurity and situational awareness. But the panelists agreed that the organization is not the only and final solution to coordinate efforts across the satellite ecosystem.

Norm Balchunas, senior director of defense/cybersecurity services and connectivity for Honeywell Aerospace, expressed confidence in Honeywell and other companies’ willingness to share its cybersecurity knowledge with adjacent manufacturers. “I am impressed with the aviation industry and how we’re communicating with each other,” he said. “ISAC has to catch up with how we conduct business on a day-to-day basis.” AVS

previousAlaska Airlines: Fleet Upgrades and Flight InnovationnextAlphabet Soup of Mandates Plus Must-Haves Drive Competition, Innovation