Human factors — such as relying on automation, adapting to an ecosystem or trusting standards — likely will play a role as crucial to aviation cybersecurity (CS) as to aviation safety, says an expert panel. Technological advances also may matter less than the human factors, said William R. Voss, president of the Washington branch of the Royal Aeronautical Society and the moderator of the February discussion.
Citing the unprecedented absence of any passenger airline fatalities in 2017, Voss added, “That happened not because the aviation system demands perfection — but quite the opposite. The system is probably more robust and tolerant of error than any other large-scale system built by mankind. Whenever talking about aviation in relation to cybersecurity, keep in mind that we’re working with resilient systems.”
Basic Concepts
Panelist Rob Segers, information security systems engineer for the U.S. Federal Aviation Administration (FAA), characterized security of data communication in aviation as a straightforward, yet multilayered, problem for engineers. “You have the physical connection, you have the link connection, the password and finally the software application,” he said. “The probability of a problem with cybersecurity between the end-user and the source is dependent upon networking. The approach we are taking is to ensure that interoperability is not sensitive to how the network communication is happening — whether over Inmarsat satellites, ARINC satellites or an ethernet cable. What matters is that the message that comes from the airline to an aircraft or from the air navigation service provider [ANSP] to an aircraft hasn’t been changed — that it can be trusted to have come from the right source.”
Aviation applications, therefore, can evolve as necessary because of the end-to-end security ensured by the network’s interoperable cybersecurity structures that will not need corresponding updates.
The CS community in the United States tends to use a simple breakdown of major adversary categories, said another panel member, Scott C. Simon, senior aviation analyst for the U.S. National Aviation Intelligence Integration Office.1
“State actors are going to continue to be a huge threat,” he said, using the term actors to refer to individuals or groups involved in activities such as data theft, data destruction, data disruption or system shutdowns. Some target the confidentiality, integrity and availability of data across all the networks, including those in the aviation ecosystem.
“For many countries, cyber capability is a viable tool for projecting their influence,” Simon said. “They remain undeterred in conducting reconnaissance, espionage and even physical attacks in cyberspace. They have very advanced offensive cyber programs, so we’re talking about conducting cyberattacks as opposed to cyber espionage.” Three cyberattacks by state actors in 2013 and 2014 — causing physical damage in the United States — involved a dam, a casino and data deletion at a major motion picture studio, he said.
Non-state actors include terrorists that use the internet to develop cyber-attack capabilities, including defacing websites, distributing propaganda and coordinating terror operations, Simon said. Non-state actors include criminals who develop sophisticated cyber tools such as ransomware to disrupt services and extort money from corporations. “Imagine you’re trying to get flight data downloaded [from airplanes in flight] and then the data are ‘hijacked’ with ransomware,” he said. “That can erode public confidence. That type of attack has happened to the medical device community, and the U.S. Aviation Information Sharing and Analysis Center (A-ISAC) at <www.a-isac.com> has had some lessons learned from the medical device ISAC.”2
Another example of criminal attacks is the theft of ciphers, the secret algorithms routinely used for data encryption and decryption. “Someone within your organization may have these ‘keys to the kingdom.’ Activists are using them for political goals that have economic consequences and physical consequences,” he said. “So CS is something we have to master.”
Threats vs. Vulnerabilities
Simon’s office focuses on identifying and understanding the most critical cyber vulnerabilities in civil aviation worldwide. Then, the office assesses threats in relation to those vulnerabilities.
“When talking about threats and vulnerabilities, I make a distinction,” Simon said. A CS technical glitch or an attack has to be considered a breach or exploitation of a vulnerability in the entire aviation ecosystem that results in physical disruption or damage, or in other serious outcomes.
“A threat is an adversary’s capability and intent,” he said. “What we have to do is ‘marry’ the information on that threat with our information on vulnerabilities to develop the overall risk assessment. We may see the press reporting cyber disruptions as ‘threats’ happening throughout the aviation industry. But certain things happen due to technical glitches.”
The National Aviation Intelligence Integration Office assigns cybersecurity issues in the U.S. National Airspace System (NAS) to categories called aviation ecosystem components: aircraft, airports, airlines, actors, airlift (cargo) and aviation management, Simon said. “There are complex interconnections between each major component. With those connections, you have massive amounts of data and various types of data.”
Aviation management means elements such as NAS operations and air traffic management (ATM). Across all elements of the ecosystem, the CS experts expect all aviation professionals to understand the importance of practicing cyber hygiene, roughly equivalent to preventive and predictive measures within aviation safety.
Simon said, “I’ve heard that about 85 percent of cyberattacks can be prevented by cyber hygiene. Cyber-related incidents can be mitigated or stopped — or the risk of them can be pushed down — with simple cyber hygiene measures.”
Cyberattacks recently have become more common against aircraft, whether to systems located aboard the aircraft or physically external, he said. Targets have been internal flight planning systems at airlines, including electronic flight bags, external flight planning services and other services from third-party providers. Some airline–airport data networks and flight tracking systems for ATM also have been affected.
The National Aviation Intelligence Integration Office’s specialists ask stakeholders to consider questions such as: How resilient is your network? Can the network operate through an attack if it goes down? Are there recovery plans in place for backup operations? What are the critical nodes of that ecosystem? Where are your areas of greatest risk? How do you prioritize that risk?
Internet of Things
Simon said that CS vulnerabilities and threats also have begun to show up in the Internet of Things (IoT) — a concept that has become familiar to many U.S. consumers through the marketing of home-management systems.3
“The Internet of Things, with its connection of personal and industrial devices, represents a key aspect in CS complexity for aviation,” he said. “The IoT brings a host of benefits to the aviation industry — improved product quality, improved customer experience and greater efficiencies for [aircraft] operators — but it certainly brings its own set of challenges. First and foremost, it creates huge attack surfaces for adversaries to go after — all of those devices and their transfer of data.”
The IoT mainly has raised this concern because of an accelerating pace of technological advances and limited radio frequency (RF) bandwidth. “Cybersecurity and regulatory policy practices don’t seem to be able to keep up with the advancements in technology throughout the Internet of Things,” Simon said. “We need to better understand this problem … because we’re not going to be able to protect everything.”
Another impetus for stronger physical and technical security mitigations is that computer-dependent and RF-dependent systems “open opportunities for greater manipulation of data [by adversaries], to degrade or deny service” and increase risk of RF interference.
GAO Assessments
For more than two decades, the Government Accountability Office (GAO) has conducted research for the U.S. Congress on cybersecurity initiatives. Gerald Dillingham, GAO director, aviation issues, said, “Dozens of GAO reports focus on some aspect of cybersecurity. It’s been on our high-risk list since the early 1990s.”
He cited three examples from reports in recent years. One study looked at CS information controls in ground facilities within the FAA air traffic control (ATC) system, and included secondary findings about physical security deficiencies at entry points to ATC facilities. Another study assessed proactive CS implementation efforts in the Next Generation Air Transportation System (NextGen), specifically in sensing aircraft in the new ATC system. The third study covered Department of Defense (DOD) concerns about FAA’s plans for deployment of automatic dependent surveillance–broadcast out (ADS-B Out) in NextGen.
Regarding the second report mentioned, Dillingham said, “Initially, when FAA started on NextGen, we found a lot of [instances of] ‘Put the cybersecurity in after the fact’ instead of building [CS into systems] as they went along. NextGen has been going on now for a decade. We still see some of that, but we also see progress in integrating cyber controls and cybersecurity as systems go forward.”
The issue with ADS-B Out was that military aircraft and other government aircraft conduct missions requiring secrecy as part of protection against cyberattacks, physical attacks, espionage, etc. The aircraft theoretically could be identified by actors or the general public using commercial off-the-shelf ADS-B receivers to access real-time flight data and/or detailed records of flights.
Dillingham said, “Basically, DOD expressed concern that if they were to equip their aircraft with ADS-B Out, they would be visible to the bad actors as well as to ATC. This situation was a little bit frightening when we reported [the concerns] to the Congress. Aircraft could be located anyplace on the globe, and, in fact, that’s what was being done. Almost anybody can go [to private-sector networks of ADS-B websites] on the internet to track aircraft and to have a tracking history.”
GAO also found, however, that DOD had not been fully involved in ADS-B Out integration because of its level of participation in NextGen planning, he said. “One of our findings was that, although a mutual discussion started back in 2007 … with the U.S. Air Force part of the NextGen planning organization along with FAA, the National Aeronautics and Space Administration and others, nothing much had happened since 2007 with regard to that integration. … The military was not very proactive in being part of the long-term planning.”
In general, GAO found continuing challenges, he said. “In almost every part of the aviation ecosystem, more often than not, [government agencies] did not implement mitigations, or did not fully implement them, or they were not implemented in a timely fashion,” he said. “All of us who participate in the aviation ecosystem have to be sure that we keep filling in those gaps so that we are ahead of the game.” Sometimes FAA resources were inadequate; other times the issue was having the most appropriate workforce while CS planning was relatively new to the agency, he added.
Global Interoperability
Jerry Hancock, director aviation cybersecurity, Inmarsat, said that aviation cybersecurity now generates a high level of interest in many countries, compared with five to 10 years ago. “Today, we have created an environment that is both safe and secure for airlines and for the people who support the airlines,” he said. CS is important but aviation professionals differ in their safety, technical, financial and political perspectives.
Large commercial jets in air transport and ground infrastructure such as NextGen have a lifespan beyond advances in digital technology. “When you install technology into an aircraft, it’s there for a while. When the time comes to change it, airlines have to understand the [aircraft CS] risk to mitigate and the value that they will get,” Hancock said. He also cited the possibility of new flight operations risks.
Segers said another contextual issue is how automation-related changes to airplanes, driven by factors such as growth of passenger airline traffic, will affect the cybersecurity landscape. Unresolved factors ahead include unmanned aircraft systems (also known as remotely piloted aircraft, drones or by other terms) and the future autonomous operation of large aircraft.
“Talk about landing airplanes virtually without a pilot … drives more command-and-control and automation and risk in our mission,” he said. “Automation comes with more information exchange. And because of the economic drivers, it’s not a proprietary world anymore.
“If you lock down [data communication with proprietary technology], it stays secure but you stop communication. You have to find a way to interoperate in a global way that is still secure. We are starting to adopt more internet-protocol standards. Commercial off-the-shelf software, although certified, enlarges the CS attack surface.”
Cybersecurity Culture
Hancock reiterated the earlier argument against “bolting on” CS functions to transport aircraft at the 11th hour. He said, “We have to really change that culture, to start integrating cybersecurity at the beginning of new aircraft development. Once we start to do that, then we can implement common standards across the board.”
Inmarsat is working with the International Civil Aviation Organization (ICAO) to develop standards that will streamline the process that allows CS teams — including technical experts, industry leaders and lawyers — to “play together” well during high-level design development and to interoperate.
“What’s really shocking is there is no global standard for how organizations equip and manage their network,’” Hancock said, even though many are highly integrated with others. “That’s just one piece of the puzzle. The other piece is establishing trust.”
Government and commercial organizations invest heavily in infrastructure to integrate and interoperate. “If we don’t develop minimum standards, that’s going to make it very hard to say, ‘This is the minimum level of trust that we want to interface with Airline A, Airline B and Airline C,’” he said. “How you leverage your cybersecurity standards is very much like how you leverage your safety standards. Cybersecurity is only as strong as your weakest link.”
Segers added that the political relationships of countries strongly influence their trust in other countries regarding aviation cybersecurity. “Different countries may have different approaches to how they secure information — what encryption level they want to apply and how they want to apply it,” he said. They will have to actually accept that whatever method they use to encrypt information must be trusted by the partners who will use a password to decrypt it.
Hancock added that some countries want to use only their own systems and methods. Others want only encryption methods that use a public-key design. Others do not want encryption.
The reality is that stakeholders have to come to a happy medium to be able to interoperate in a safe way, he said. “When an airplane has an intercontinental role, it has to be able to integrate with multiple air traffic systems — not just one.”
Segers said that the opposite approach — which he called “leaving cybersecurity up to each individual small committee, commission or panel to come up with a point solution to cybersecurity in their country” — works against interoperability and creates a larger global problem.
A global legal framework also is urgently needed, Hancock said, adding, “If we come up with a way to streamline this process across the global community — no matter what you do or in what country you are — we’re all going to agree to be governed by a common set of [CS] rules.”
As part of the envisioned global trust framework of cybersecurity (Figure 1), ICAO would be expected to play a fairly traditional role in terms of standardizing, provisioning and auditing stakeholders to assure that no malicious actors are admitted, Segers said.
Figure 1 — ICAO Aviation Trust Framework for Cybersecurity
ISO = International Organization for Standardization; NIST = U.S. National Institute of Standards and Technology
Sources: U.S. Federal Aviation Administration, International Civil Aviation Organization and Inmarsat
Security Clearances
Simon said that security clearances clear a path for intelligence agencies to work closely with specific FAA personnel who also hold appropriate security clearances — such as the people working on NextGen–CS integration.
However, Hancock added, “It’s great that FAA has cleared people, but we also have to think about getting information to the unclassified level. We must deal with people [in the aviation ecosystem] who do not have security clearances.”
Part of the solution to date has been the A-ISAC, which was created primarily to proactively engage airlines in awareness of CS incidents, issues and best practices.
“CS intelligence is a really hard problem,” Simon said, but forums like A-ISAC have been successful at sharing. “It’s great that we’ve started doing this [in the United States] but we are starting to run into problems on a global basis. We have to solve this problem from a more global perspective — with and without security clearances — to make information outreach broader.”
Segers said, “In every scenario, CS resilience is being addressed [by FAA] in terms of whether technical information can be trusted, what is the fallback and what is the backup. Tomorrow, as we go into a more automated world, we’ll need to be more resilient from the cyber perspective to make sure that we stay safe.”
Notes
- The National Aviation Intelligence Integration Office consolidates intelligence about the aviation community under the U.S. Office of the Director of National Intelligence. The community includes intelligence agencies, federal interagency groups and the private sector.
- The A-ISAC website’s description of its mission parallels that of the FAA’s Aviation Safety Information Analysis and Sharing (ASIAS) program in some respects. A-ISAC’s work provides a focal point for security information sharing across the aviation sector; enhances the sector’s preparations for CS threats, vulnerabilities, and incidents; and enables members to exchange information via a secure network.
- Home-management systems typically use WiFi and wired network routers to connect household appliances, switches, sensors, security monitors, timers and health/fitness–monitoring devices to smartphones, smart watches, tablets and home computers. IoT devices often have voice interfaces to artificial intelligence located on remote servers.
Featured image: © Vertigo3d | iStockphoto
Threats: © macrovector | VectorStock
Cyber security matrix: © Hilch | VectorStock
Worldwide air traffic: composite, Susan Reed; base, © photoraidz | VectorStock
