Chuck Weirauch investigates the nature of the cyber threat to commercial aviation operations and speaks to the Aviation Information Sharing and Analysis Center.

In recognition of the threat of cyber attacks on the global aviation system, in December 2014 the International Civil Aviation Organization (ICAO), Airports Council International (ACI), the Civil Air Navigation Services Organisation (CANSO), the International Air Transport Association (IATA) and the International Coordinating Council of Aerospace Industry Associations (ICCAIA) together signed a new cybersecurity agreement to work towards a global and “robust cybersecurity culture and strategy for the benefit of all actors in our industry,” according to ICAO Secretary General Raymond Benjamin.

Since then, the industry has held numerous cybersecurity awareness conferences to help promote the unified cybersecurity strategy for aviation. A key part of the strategy is to provide a mechanism to report cyber threats to industry and government so that action can be taken to help mitigate such threats. At its Annual Cyber Security Day this January, the Air Traffic Control Association (ATCA)’s Cyber Security Committee presented its White Paper “Forming a Strategic Initiative to Combat Modern Security Threats”. In this document, the ATCA stated that the reporting of aviation cyber security attacks and incidents “is critical to the safety and efficiency of aviation operations.”

The ATCA’s White Paper also calls for the entire aviation industry to collaborate in this effort to develop a policy that would create an action plan to mitigate the impact of such cyber attacks. The White Paper also cites the Aviation Information Sharing and Analysis Center (A-ISAC) as a key organization in the reporting of aviation cyber threats, referring to it as an entity that “has made great strides in cyber security.”

The A-ISAC To provide a better insight on the A-ISAC and how it is working with the US and global aviation industry and government to address the cyber security threat to the aviation sector of the country’s infrastructure, CAT magazine interviewed A-ISAC Executive Director Faye Francy. The A-ISAC was established in 2014 through the Aviation Sector Coordinating Council (ASCC), whose charter members are 12 US major national aviation industry organizations and the Boeing Company. The ASCC works with the Aviation Government Coordinating Council (AGCC), which jointly with the other groups provides aviation industry input on cyber security issues to the US Department of Homeland Security’s National Infrastructure Protection Plan.

CAT: Let’s start off with an overview of the mission of the Aviation Information Sharing and Analysis Center in addressing aviation cyber threats, and with whom you are partnering with in the industry, government and academia. Francy: We started looking at the cyber area in aviation about the 2012 timeframe. A few companies got together to examine cyber security, and to determine whether we needed to do anything from the aviation perspective. As we looked at other ISACs, and understanding the threat against critical infrastructure here in the United States as well as globally, we recognized that aviation probably would become a target as we know it already is for physical security. And recognizing that they (hackers) were hitting many of the other sectors quite hard, we determined that it would be prudent for the aviation sector to come together to operate and cooperate in the formation of a risk management model for cyber security. CAT: We are aware of the 2015 cyber attack on Poland’s LOT Airlines’ information systems affecting passenger flight records and flight schedules, but how much of this type of attack really has been taking place domestically and internationally? Are we seeing a major increase of such incidents? Francy: Certainly the LOT Airlines incident was one that we did look at. And we worked with our government partners at the DHS, who reached out to the Polish CERT (Computer Emergency Response Team) and we reached out to the airline to understand exactly what happened. The details were never fully confirmed, but it was obviously a Distributed Denial of Service (DDoS) attack against the ground systems that manage the flight plan. So airplanes can’t take off if they don’t have their flight plan approved and ready to go. That DDOS attack is very commonplace across the board, and yes, we have had other DDoS attacks in aviation, including against airports and other airlines. This one was interesting because it hit the airline information system, not the Web site. I don’t know what has happened since then, but certainly DDoS attacks have hit many public Web sites across the board. And this is a common form of attack in cyber security. CAT: With such vulnerabilities of ground-based airline information systems to attack, what steps might an airline take to help mitigate such risks? Francy: Certainly our approach for cyber security across aviation is number one; namely to educate and bring awareness to all of our aviation partners to ensure that they are building a resilient cyber secure system. As we know today, everything connected can and probably will be in the attack vector. Obviously having said that, many aviation systems are built on proprietary systems, and there certainly is a great deal of scrutiny on these systems. We work to promote awareness that such systems are properly secured, and that we can prevent, detect and respond to cyber attack incidents. And we work together to share what others are doing, and what works to assure that we can mitigate that threat. CAT: And it’s not just the airline IT personnel who need to be watchdogs against cyber attacks. Such attacks can be directed via the Internet, so other airline personnel need to become more aware of such threats as well. What type of cyber awareness programs does A-ISAC advocate for such personnel? Francy: So the industry and the manufacturers are examining what to do about that. Regarding “bring your own device” onto the aircraft, one of the most important points, with every airline, is that they cannot connect it to the flight management system. So that’s really a critical point. Those vulnerabilities are reduced by virtue of the fact that they do not connect with the flight management system. Having said that, I still think that caution needs to continue to ensure that everyone is vigilant in this area because of the potential risks, and the capabilities of all of these different devices that folks bring into the aircraft. CAT: There seem to be a lot of rumors floating about the Internet and elsewhere about people saying that they can hack into onboard airliner flight systems. Can we put these rumors basically to bed, or what is the real potential for such incidents? Francy: It’s obviously something that the industry must be concerned about. We are vigilant in looking at this, and every manufacturer, as well as every airline operator is examining this potential and ensuring that they are putting up the different security controls that support good cyber hygiene. So there is a lot of vigilance in the industry, but most if not all of the claims of such successful attacks have been proven to be somewhat overstated. So we do not know of anyone actually getting in to a flight management control by an in-flight entertainment system. It just hasn’t happened. Actually, the stories about people claiming to do so is a good thing, because it keeps us all vigilant. The manufacturers are looking at this themselves, trying to assure that they do have the right security controls placed to mitigate threats to their product and service that they provide to the aircraft. ATC systems have been historically proprietary and are fairly secure, but as you have already mentioned, with enough time, energy and money, nefarious actors can find a way. CAT: In spite of the efforts to increase awareness of the cyber threat to aviation, a 2015 AirInsight survey revealed that many airlines still do not have a cyber security plan for their pilots’ electronic flight bags. Is this indicative of where the industry is as far as implementing cyber security programs, or has the industry moving well beyond this point as far as improving their cyber security efforts? Francy: Clearly anything that connects into the aircraft needs to be looked at and examined by the manufacturers, the operators and the suppliers. This is being examined, and security controls are being put into place. And there needs to be education activities to make sure that there is a level of understanding and to help to mitigate any threat potential in this area. CAT: Several aviation organizations, including ICAO and IATA, have been calling attention to the global cyber threat to aviation. How is the A-ISAC working with such entities? Francy: We do not work directly with ICAO, but many of our members do. We are working with IATA. We are very familiar with their approach and what they do. They have established their position on cyber security. The three pillars of their strategy include risk management, advocacy by making sure that we are looking at security by design and adding it into everything we do, and that we work with the regulators to look at a risk-based approach to cyber security. CAT: Boeing, in particular, has been calling attention to such risks, and the company’s John Craig has been calling for airlines to develop a ‘security culture,” which I assume might be like the already established airline safety culture. Is this the kind of holistic approach to mitigating the cyber threat that A-ISAC may be calling for? Francy: John is a great spokesman for the aviation industry, and he does promote moving aviation culture from a safety and efficiency culture to a safety, efficiency, secure and resilient culture. And I think that’s where we all need to go, that secure and resilient piece is what we are really focused on in the A-IASC. So we want to be sure the aviation sector knows what secure and resilient looks like. In other words, how do we put in the right security for what may need to happen or change or be implemented to ensure that security. And then in the event that (an attack) does happen, how are we able to get back up and operating - how are we able to ensure that we can be resilient in the aviation sector. CAT: IATA has developed a Cyber Security Toolkit and conducts Cyber Security courses. As a part of its cyber awareness efforts, has the A-ISAC Security Awareness Training Committee been involved in the development of any similar training and educational documents and courseware? And would you please outline the focus of this Committee? Francy: We have not published anything at this point. What we have done so far is that we are really focused on our members in a tactical sense in sharing information. We do publish information to our members. And we recommend to our members the IATA Toolkit, because it is very good material for folks that are coming up to speed, and may need some additional educational material. CAT: It may be that a cyber awareness element could be introduced into any area of aviation professional training documentation or courseware. How the industry might take the initial steps in this direction, or are we well underway towards this goal? Francy: We have the Education and Awareness committee. We have just done a survey of our members about what sort of material do they think would be beneficial. We are hoping that the analyst’s teams will develop organic working groups to focus on specific areas that may be of concern to the aviation sector, such as securing EFBs. We believe that this effort will result in what we would term best practices. For more information on the A-ISAC and its cyber awareness activities, please go to www.a-isac.com and/or contact Faye Francy at ffrancy@a-isac.com.