Enterprises are hit by cyber attacks, on average, once every 1.5 seconds, twice as often as a year ago, according to the FireEye advanced threat report. It’s not just banks, retailers, healthcare providers, educational institutions, and government agencies … aviation systems, including aircraft, are vulnerable. Rick Adams analyzes the risks.

There’s a meme attributed to a champion boxer that seems apt for the issue of cyber security in aviation: "Everyone has a plan until they get punched in the mouth."

Consider these “punches” which represent just a handful of the publicly known threats and breaches of digital information systems and networks worldwide:

  • Credit and debit card information for more than 40 million customers of retailer Target was stolen in a Thanksgiving weekend data theft.
  • The contractor-managed web portal for the US Department of Homeland Security was breached, exposing information such as bank accounts for more than 100 vendors.
  • An Australian 16-year-old alerted Public Transport Victoria (PTV) to a security flaw in their website. PTV manages the trains and trams in and around Melbourne. In return for raising this “white hat” alarm, authorities are considering charging the kid with a cyber-crime.
  • The US Transportation Security Agency (TSA) Pre-Check expedited screening system was reportedly storing passenger information in a barcode with no encryption. This opened the system to the possibility of fake boarding passes, which attackers could use to gain access to aircraft.
  • A University of Texas research team demonstrated how control of a remotely piloted vehicle could be hijacked using a miniature helicopter to feed alternate coordinates to the drone. They could then change the drone’s course to wherever they wanted it to fly … or crash.
  • Israel Airports Authority computer systems were broken into in January, and hackers acquired information on flights, flight routing software, maps, and flight briefs used by control towers and pilots.
  • A group of terrorists took over the air traffic control tower of Washington, DC’s Dulles International Airport. A flight from London Heathrow, low on fuel, was given priority to land. However, the fake controller re-set the instrument landing system (ILS) to 200 feet below ground level. A catastrophic crash resulted.

Okay, that last example did not actually happen. (The other examples are all real and recent.) The Dulles crash scene is from the Bruce Willis movie, Die Hard 2. However, the scenario is probably more plausible today than it was 24 years ago when the film was released. The International Air Transport Association (IATA) has warned airlines to “remain on their guard,” noting that cyber terrorism is “no longer merely a fictional scenario.”

According to Andrew Kemmetmueller, France-based managing director of AvIntel, an aviation consultancy which specializes in information technology issues, “There has been no documented cyber-attack to date” against commercial aircraft. “That doesn’t mean it doesn’t happen. It takes somebody to say something for an incident to get into the press.”

Capt. Jeroen Kruse, KLM pilot and a member of the security committee of the International Federation of Air Line Pilots’ Associations (IFALPA), said, “All incidents that I am aware of have reached me through confidential channels, not public ones.”

Kruse added, “Most incidents that have taken place are 'collateral damage,' meaning that the malware causing the incident was not specifically targeted against the aircraft or even the aviation industry. Instead it was just trying to spread for other goals (e.g. gathering of private data), and as a side effect had an impact on the systems on board an aircraft.” Generally, if you have information that can be leveraged to steal money or secrets, for extortion, to instigate mischief, or to create terror, you may be a target for cyber-attacks. Aviation fits all these criteria.

Qatar Airlines was a collateral factor recently in a Twitter hack attack on FC Barcelona of Spain. Qatar uses the football club in its advertising. The attack came from a group which calls itself the Syrian Electronic Army (SEA), which supports the embattled regime of President Bashar al-Assad. The SEA also attacked Forbes magazine, complaining about comments they’ve printed, and numerous other online sites.

Insecure Systems

One area of concern, like the movie, is the physical security of air traffic control facilities. In a position paper issued last year, IFALPA advocated for identity verification and vetting, similar to what pilots go through entering the secure area of an airport. National aviation authorities “need to ensure that individuals allowed access to [ATC] facilities … must be fully trusted and have strict access controls, preferably using biometric access protocols.”

As worrisome is the lack of security for key data transmission systems onboard commercial aircraft, particularly the aircraft communications addressing and reporting system (ACARS) and ADS-B (Automatic dependent surveillance - broadcast), part of next-generation navigation systems but already deployed or installed on many of the world’s planes.

The satellite-based ADS-B uses global positioning system (GPS) signals to transmit the aircraft’s location to ground receivers, which relay that information to controller screens and to the cockpit displays of other aircraft. Unlike radar, ADS-B enables pilots to see other aircraft in the sky, as well as weather cells and terrain.

“ADS-B is using unsecured messages over an inherently broadcast medium. It is well known in the aviation community that … ADS-B has not been developed with security in mind and is susceptible to a number of different radio frequency (RF) attacks,” stated University of Oxford researchers Martin Strohmeier, Vincent Lenders, and Ivan Martinovic in their 2013 technical paper, “Security of ADS-B: State of the Art and Beyond.”

Security consultant and trained commercial pilot Hugo Teso demonstrated the shortcomings of ADS-B a year ago by “hijacking” an airplane using a simple Android software application. Teso’s demo was featured at the Hack in the Box conference in Amsterdam, The Netherlands. Using a mix of actual hardware systems and flight training-adapted systems, Teso showed how messages could be delivered via ACARS (which IFALPA calls “notoriously insecure”) to an aircraft’s flight management system (FMS) “to take complete control of the aircraft.”

Some critics challenge Teso’s assertions because the aircraft he “took control of” was virtual rather than real. However, he explained early in his presentation that he would not intrude on a real-world aircraft for safety and ethical reasons. KLM’s Kruse confirmed to me, “Inserting ghost aircraft is actually possible.”

In describing how he acquired the various components for his mini-lab (such as an ACARS on eBay for US$10), Teso advised, “Learn to love the salesman. They try to give you as much information as possible.” Training vendors, for example, would proudly claim, “We use the same software code as the aircraft.”

Plan in Progress

So absent a “punch to the face,” as yet, what’s the plan in the civil aviation sector for preventing or responding to cyber threats? The short answer is that a lot of people are working on it.

The International Civil Aviation Organization (ICAO), the United Nations’ consensus guidance providers, noted in a working paper at their 12th Air Navigation Conference in November 2012, that “numerous industry groups are making standards in their own areas of expertise but there is no overall oversight so there is the potential for gaps, overlaps, and inconsistencies. Also, there is no overall global framework within which these groups can work.”

A “cyber security task force” was proposed at the conference, and ICAO is in the process of “finalizing” the group’s composition. Meantime, other organizations are raising the visibility of the issue.

Last August, the American Institute of Aeronautics and Astronautics (AIAA) stated, “Currently, there is no common vision, or common strategy, goals, standards, implementation models, or international policies defining cyber security for commercial aviation.” The group released a proposed “framework” for designing solutions to address cyber concerns.

James Albaugh, AIAA’s president-elect and former president and CEO of Boeing Commercial Aircraft, declared, “Only a vigilant, unified, and coordinated approach will allow us to craft the best possible defenses against the sophisticated and ever-evolving range of threats we face. This will require that we reach beyond the aerospace industry, and incorporate experts on the front line of the cyber threat, as well as those from industry sectors who support the avionics and communications systems that enable a seamless aerospace system, in order to establish our best possible defenses against the threat.”

IATA plans to release cyber security recommendations to its airline members later this year. Tony Tyler, director general and CEO, speaking at the group’s AVSEC World conference in Istanbul, Turkey in November, said, “We must work together to share best practices, identify known threats and vulnerabilities, and develop guidance, mitigation strategies, and training efforts.”

IFALPA issued a position paper last June titled, “Cyber threats: who controls your aircraft?” The three-page paper, co-authored in part by Kruse, describes at a high level some of the issues which should be dealt with, and makes recommendations regarding hardware, software, data governance, aircraft design and operations, air traffic services, and training of flight crews.

For example, the paper advises that training should address crew awareness of security vulnerabilities, how systems can be attacked, what an attack might look like, precautionary measures which might prevent an attack (or at least minimize its consequences), and possible actions if a crew member suspects any part of the “aviation infrastructure” has been compromised. Areas of training should include the FMS, the future air navigation system (FANS), ACARS, controller-pilot data link communications (CPDLC), and electronic flight bags (EFBs)

Phishing for Passwords

Clearly, once the advocacy, guidance, and rulemaking bodies determine how to deal with the plethora of cyber concerns, training of pilots will follow.

Kruse says there is “hardly any training at this moment. Basically, we would like training to help crews to realize not all information can be trusted, how they can recognize an incident, and what actions they could take if they do.”

Basic computer common sense is a start – simple things like choosing a password that's hard for someone else to guess and never using the same password on more than one site.

Most malicious software (malware), viruses, “worms,” “bots,” scareware (ads which claim your computer is infected), and spyware ends up on your computer via the internet, email “phishing” schemes, downloading questionable files (music, videos, pornography, etc.), or through file-sharing such as USB hard drives.

When I was consulting on an IT project for a global chemicals company, an employee in China, where downloading of pirated videos is a notorious practice, introduced a virus into their work computer via a personal USB drive. The virus was fortunately confined to the local network; however, it became imperative to physically intercept a traveling company executive who had visited the China office … and was unaware of the virus. Had he plugged his laptop into the network in the US headquarters, the entire company might have been shut down for days or weeks.

Be careful, too, who you allow to access your computer or networks. The Target credit card breach is said to have started via stolen login credentials from a heating and air conditioning vendor who may have been granted access to Target’s network in order to monitor energy consumption.

One notorious source for malware is internet advertising, referred to as “malvertising.” Bromium Labs recently alerted that ads appearing on YouTube were passing along a “Trojan horse” virus. "The user did not need to click on any ads on YouTube; the infection happens just by viewing the YouTube videos," Bromium's McEnroe Navaraj blogged.

Even innocent-appearing games may be a risk. Fake versions of the popular “Angry Birds” and other games are laced with malware. RiskIQ said the number of malicious apps on the Google Play store grew by nearly 400% from 2011 to 2013. Now, more than 10% of the apps are considered malicious.

Indeed, there’s a nearly endless stream of dire cyber news every day. Hold Security warns that hackers have compromised more than 7,000 file transfer protocol (FTP) sites. Redspin says the so-called protected health information (PHI) of almost 30 million Americans has been inadvertently disclosed since 2009. RSA researchers have announced the cleverly named “ChewBacca” point-of-sale malware has been stealing payment card information from several dozen retailers around the world since October. Yahoo acknowledged in January that its email service, including usernames and passwords, had been compromised (that one got my attention).

If you’ll excuse me, I think I’ll go update my laptop’s virus protection software. And try to duck next time I see a punch coming.