Earlier this year, a U.S.-airline revenue flight in oceanic airspace received a clearance via text from a controller—a process that is becoming more common as the industry shifts routine exchanges between pilots and air traffic controllers from voice to data. The flight crew saw the message, accepted the clearance and began to change altitudes.
There was one problem, however: The clearance was intended for a different flight—one operated by the same aircraft hours before. A hardware issue interrupted the aircraft’s satellite connection, and the original flight crew switched to a different system, connected with controllers and continued their journey. During a subsequent flight, the satellite connection was reestablished and the hours-old controller pilot data link communications (CPDLC) message, which was time-stamped, was delivered. The flight crew apparently missed the time stamp, and the system—operating to all the specifications set forth by the FAA—was not configured to filter it out.
The situation illustrates the level of reliance that integral parts of the aviation ecosystem are placing on network connectivity, and the importance of ensuring those networks are both reliable and secure as the industry’s digitalization gains momentum.
Aviation’s emphasis on systems safety through risk identification and mitigation is well-established. In the case of the delayed delivery of the CPDLC message, satcom provider Iridium quickly introduced a fix that automatically filters out old, undelivered messages. While at least seven en route centers prohibited data link messaging via Iridium while the issue was being addressed, others determined that their protocols for quickly detecting flightpath deviations were reliable enough to render the risk negligible. As aviation’s connectivity gains momentum, experts say applying that same diligence and confidence to cybersecurity must be an integral part of the industry’s digital evolution.
“While the aviation industry’s move toward digital connectivity is understandable, the challenge lies in the fact that the systems involved are critical to delivering safe operations involving human life,” writes Pete Cooper, Atlantic Council senior fellow, Cyber Statecraft Initiative, in a recently released analysis of the aviation cybersecurity landscape. “Previously, aviation systems were relatively secure due to the bespoke nature of their design, isolation from other systems, and little in the way of communication protocols.”
This is no longer true—from manufacturing supply chains to airport ground services networks—all are digitally connected. Aircraft are becoming nodes on a network, with everything from a passenger’s smartphone to a sensor deep inside the engine capable of exchanging information with ground-based devices at any time.
“We have to admit that despite all of the benefits, we have increased the vulnerability of aircraft and the entire ecosystem to potential cyberthreats,” says Alan Pellegrini, CEO of Thales North America.
Two years ago, cybersecurity researcher Chris Roberts claimed he had “compromised” inflight entertainment (IFE) systems at least 15 times while flying as a passenger, according to an FBI affidavit. In one instance, he gained access to a thrust management computer (TMC) and changed its settings midflight. The assertion was never proven—Roberts later said that he did not actually take control of a TMC, but could have. Whatever his ability, it generated weeks of headlines about the man who, in the words of one major newspaper, “hacked a commercial flight.”
Despite the technical dubiousness of Roberts’ assertions—which he said he shared to “improve aircraft security”—they reverberated through OEMs and suppliers, including Thales, maker of at least one system Roberts allegedly compromised. “We took that very seriously,” Pellegrini says. “It was a bit of a wakeup call.”
Part of Thales’ response entailed underwriting Cooper’s report, produced by the Atlantic Council’s Brent Scowcroft Center on International Security. The study assessed potential cyber risks across the aviation spectrum, and sought a consensus on how stakeholders perceive those risks.
Among the study’s key takeaways: Aviation’s march toward an increasingly digital future is opening it up to significant cybersecurity threats, and the industry must move purposefully and quickly to ensure that systemic challenges do not increase an already formidable risk.
“The aviation industry is a complex, international ballet run by thousands of people using a multitude of different systems of differing maturities,” the Atlantic Council report states. “This system-of-systems was not designed with potential adversaries in mind and has grown organically out of a focus on safety, efficiency, margins, and managing disparate systems.”
Part of the challenge is a lack of consensus on the threat. Stakeholders interviewed by Cooper expressed a wide range of views on the problem’s scope. Some, say Cooper, dismiss the vulnerabilities as minimal. Others see impending doom. “It’s going to take the factory across the road burning down before they buy a sprinkler system,” one interviewee told Cooper.
“There is not a coherent aviation industry position on the cybersecurity risk it faces,” the report says. “Some stakeholders still declare that systems are impervious to attack. In the event of a successful attack, it may be difficult to recover from the shift in stakeholder perception and loss of trust.”
Part of the reason for the disconnect is the immense scope of aviation’s digital integration. Manufacturers are sharing digitized product design data, such as what is used in additive manufacturing, while in-service equipment is communicating everything from sensor data to geographic position. The connected aircraft—for passengers as much as operators—is another major growth area.
While each is at risk for cyber adversaries, Cooper highlights airports as an especially vulnerable link in aviation’s chain.
“The main objective for airport management and security is to safely dispatch and receive aircraft, passengers, baggage and cargo. As such, the airport is the focal point for a large proportion of aviation operations and on the front lines of securing against adversaries,” Cooper writes. “As a federated management system with numerous interdependent service providers, deficiencies in airport cybersecurity may allow bypass, subversion and eventual breaches of physical security.”
Airports are not ignoring the threat. Many large airports have long been early adopters of information technology (IT) to support such disparate, public-facing efforts as common-use kiosks for airlines and baggage systems with radio-frequency identification readers. They were also on the front lines of cybersecurity targeting.
In a 12-month stretch that ended in mid-2011, Los Angeles World Airports recorded 2.9 million attempts to hack its infrastructure. The vast majority were HTTP exploits, in which an application targets a server and attempts something nefarious, such as slowing it down. SQL injections, which try to introduce malicious code into databases, were next on the list.
Such examples have motivated airports to invest in cybersecurity initiatives. In a 2015 Airport Cooperative Research Program guidebook, prepared for airport executives and sponsored by the FAA, nearly 80% of airports surveyed reported having an established cybersecurity program. However, less than 40% reported having formal response-and-recovery plans—a statistic that underscores where all of aviation should focus.
Revelations such as the alleged Roberts hacks, and a more recent one by the U.S. Department of Homeland Security (DHS) that says it gained access to a department-owned Boeing 757’s systems in a nonlaboratory setting during routine intrusion tests last year, generate plenty of headlines. But the consensus among cybersecurity experts and aviation IT specialists is that, while secure systems are the goal, breaches are inevitable. That places the onus on recovery.
“The nature of cybersecurity makes assurance of complete security impractical,” explains Jane Holl Lute, CEO of security systems provider SICPA North America and former deputy secretary of the DHS. “The focus therefore should be on building resilient systems with the capability to detect breaches and recover from attacks quickly.”
Aviation’s inherent interconnectivity means this will require significant stakeholder collaboration.
“The complex multiple suppliers and service relationships on both the aircraft and across the industry make it challenging to know who holds responsibility where,” the Atlantic Council study says. “As more providers bring more services and complex relationships and communications onto aircraft, airports, or alongside critical services, clear accountability for safety and security must be assured. An opaque multistakeholder committee will not be sufficient.”
Industry should start by establishing clear leadership on the issue, Cooper writes, with several International Civil Aviation Organization (ICAO) initiatives serving as the most logical foundation. In late 2014, ICAO joined the International Air Transport Association (IATA), Airports Council International, the Civil Air Navigation Services Organization and the International Coordinating Council of Aerospace Industry Associations in committing to a cybersecurity “road map.” That led to the creation of a working group, a common ICAO approach to unifying industry on major issues that call for near-term action.
Below ICAO’s top-level initiatives, industry sectors are working to develop standards and share best practices. The airports have several guidebooks, including the Airport Cooperative Research Program document, and IATA has developed two versions of a cybersecurity “toolkit” for airlines, airports and service providers.
Earlier this year, IATA formed a partnership with the Aviation Information Sharing and Analysis Center (A-ISAC) that created a tiered dues structure to help make the center’s services more affordable to smaller aviation organizations, from airlines to fixed-base operators. Formed five years ago, the A-ISAC grew out of a two-decade-old concept that helps critical infrastructure stakeholders share both real-time threat information and best practices. In industries where they are well-established, such as financial services, which formed its IASC in 1999, the centers serve as critical parts of a cybersecurity first-line of defense.
A review of aviation’s initiatives suggests that stakeholders are on the right track. In the airport arena, for instance, the FAA-sponsored guidebook, IATA toolkits and guidance developed by the European Union Agency for Network and Information Security “broadly complement each other, showing that there is a degree of agreement on best practice that airports can implement as they go forward,” the Atlantic Council says.
Such common ground is important, considering the lack of globally accepted regulations or guidance. ICAO and civil aviation and security regulators are initiating efforts, but the pace of these processes means that industry will be leading regulators for some time.
“Global policy and regulatory framework for aviation cybersecurity are virtually nonexistent,” says Lute, the former DHS deputy secretary.
They are, however, in the works. DHS last year launched an aviation cybersecurity initiative, choosing six areas of focus, says Jeanette Manfra, the agency’s assistant secretary for Cybersecurity and Communications. DHS spotlighted remote-access pathways to aircraft, such as satcom; GPS vulnerabilities; airline and airport operations IT-related risks; air traffic management; ancillary gateways to key systems, such as electronic flight bags and airline reservations systems; and the “unknowns” of interconnectivity.
The agency’s focus goes beyond determining technical risks of specific systems or technologies, Manfra explains. It extends to understanding “systemic risks,” including how business is done, and how it can be disrupted.
“We look at critical services and build our strategy around them, with strong emphasis on recovery,” she says. “Then we look at how best to secure those assets.”
DHS has established a multistep approach in each focus area: general assessments and more targeted risk analyses, development and testing of mitigation strategies and constant engagement with stakeholders.
One factor that DHS is conscious of, Manfra says, is the long lead time that many aviation projects face. From upgrading networks at airports to developing the hardware for new aircraft, understanding today’s threats is of limited use to designers working on tomorrow’s deliverables.
“Once a type certificate is issued for an aircraft, according to policy, the design cannot typically change,” says Christian Espinosa, founder and CEO of cybersecurity consultancy Alpine Systems and a former White-Hat hacker. “How does this policy address cybersecurity issues in a timely manner, such as applying patches to aircraft systems to mitigate cybersecurity risk? And, what effect does a ‘patch’ to a component on an aircraft have against the entire system?”
The Atlantic Council report recommends “robust threat models” that factor in aviation’s long hardware-development lead times and increasing levels of interconnectivity. At the same time, industry must become more agile in its IT development and hardware/software updating, and boost the amount of monitoring it does on its systems, particularly those that become part of larger networks.
“Managing the entire supply chain of components and systems that are integrated into an aircraft is critical,” Espinosa says. “A vulnerable or compromised system from a supplier that makes its way onto an aircraft can be used to attack other connected systems on the aircraft. A risk-management framework should be established, followed and managed for all aircraft suppliers.”
Espinosa, whose firm works with some aviation manufacturers, says that cybersecurity testing protocol is hit-or-miss, even among top-tier suppliers. He advocates mandatory third-party penetration-testing protocol for everyone in an aircraft or engine supply chain.
Industry also should be more proactive in communicating clear, unified messages. Underscoring the risks industry faces—both in general and dynamically—is key to focusing stakeholders on the issues and the roles they can play in combating them.
“Awareness should start at the highest levels, but it also must extend even to the most minor players in the ecosystem,” says Lute.
While aviation’s foundation has inherent risks built in, it also contains several elements that translate well to combating threats. The most obvious: an unwavering adherence to safety. Aviation must leverage the trust it has built based on its safety record to assure the public that its cybersecurity risk-mitigation plans are both in place and similarly effective.
“Physical security and safety measures are often visible and tangible, making it easier for stakeholders to understand and develop trust in them,” Cooper writes. “The technical complexity of cybersecurity means that developing, communicating and protecting trust will be more difficult.
“If claims are made against an aviation system or aircraft, proving trustworthiness to all stakeholders may be difficult,” the report continues. “Arguably, if it takes weeks and millions of dollars to prove or regain trust, such as in the Chris Roberts case, then there is a considerable way for the industry to go.”