The aviation industry is becoming unified to mitigate cyber threats of all types. Chuck Weirauch takes a closer look at how some industry players are progressing in this area.
With the US Senate voting to pass the five-year FAA Reauthorization bill (Aviation, Transportation Safety, and Disaster Recovery Reforms and Reauthorization - H.R.302) on October 3, the bill only needs to be signed by the President to become law. When signed, the Act will contain cyber security measures designed to help counter current and future forms of software attack on the country’s aviation infrastructure. The Title VII Flight R&D Act, a component of the overall bill, “directs the FAA to establish an R&D program to improve the cyber security of civil aircraft and the system.”
Increasing Threat Recognition
Far from being the only FAA cyber security effort, these parts of the Act will be just the latest measures taken by many national and international governments, aviation authorities, associations and the aviation industry itself to thwart what are reportedly more than a thousand daily cyber attempts to disrupt the critical global aviation infrastructure. The good news is that the global aviation community has come to recognize the threat not just to aircraft and airports, but to every element of the aviation supply chain, and is becoming unified to mitigate such a threat.
The aviation community has been focusing on cyber awareness education campaigns, improved methods of cyber-attack detection, and the international standardization of elements and procedures that would make up the most effective and universally adopted cyber security programs for the global aviation community. Whilst ICAO and IATA have been at the forefront of these initiatives, other organizations and industry groups are also heavily involved.
Although there have been numerous attacks on airline ground operations that have led to the disruption of service and data breaches, there reportedly have not been any successful attacks on commercial airliners while in flight. However, many cyber security experts are predicting that it is only a matter of time before such attacks occur.
The primary reason for this fear is that commercial airliners and business aircraft have become more computerized and network-connected than ever before - virtual networked flying IT systems - as have ground operations. In fact, the business aviation community has asserted that in-flight attacks have already occurred on its aircraft, because business jets often incorporate the latest avionics and communications technology before it is adopted for commercial airliners.
Malicious software can intrude into aircraft in-flight entertainment systems from hand-held devices such as mobile phones and tablets in the cabin. Some can bypass cockpit firewalls and then pass into avionics and navigation systems. Such attacks can also possibly intrude into cockpit systems via unencrypted ACARS ground and ADS-B satellite data link transmissions.
Detection and Mitigation
Concerning cyber-attacks on the aircraft itself, there is a debate as to whether the pilot in command should be involved in the mitigation of the threat. The Air Line Pilots Association (ALPA) has stated that “a well-trained and qualified professional pilot is a critical element for ensuring that aircraft security and the associated mitigations can be deployed, especially if a cybersecurity threat is identified during flight.”
Boeing Commercial Airplanes certainly seems to believe this to be true, as the company recently patented a simulation-based trainer that would train the pilot to take proper action in the event of such an attack. (Boeing did not wish to discuss this training device with CAT at the time this article was written.) Raytheon has also taken the position that the pilot in command (PIC) should be directly involved in the situational awareness and mitigation of the attack.
“Normally an intrusion detection system in a typical enterprise environment identifies the attacks inbound,” said Tom Goodwin, director of Cybersecurity at Raytheon’s Intelligence Information and Services Division. “It can then be designed to initiate interceptive or corrective actions automatically. This is how they normally operate. However, one of the things that we recognize is that you can’t have systems that would take on what should be the responsibilities of the pilot in command, with that pilot being responsible for the safety of that flight and the aircraft.”
Raytheon has created a software platform to detect when there are cyber threats to the aircraft itself, and in particular those that have been developed to affect how the aircraft is designed to perform. The intrusion detection platform sits on a data bus in the cockpit, checking for anomalies and suspicious behavior in the data streams to the aircraft. It then provides situational awareness of an intrusion to the pilot via a cockpit display once an attack is detected. So the pilot has the ability to manage the safe flight of the aircraft by his or her own actions, rather than relying on some automated system that takes on a containment action by itself.
The Raytheon cockpit intrusion detection device is currently undergoing a testing stage in its development “in collaboration with a US government customer,” Goodwin said. “It has undergone some field testing, and is expected to be integrated into the mission fleet in the very near future.”
Goodwin explained that the intrusion detection system was developed for the information exchange bus for military aircraft, but because of how Raytheon designed it, the device operates on a common information bus. This means it can be easily modified for use on civilian aircraft, and civilian airframes have been included in a part of the test cycle. Goodwin indicated that once the detection system has been proven in military aircraft, Raytheon may begin adapting it for commercial and civilian aircraft.
“We are working on a training system for the pilot right now during our regular testbeds, with the aircrews as a very interactive part of that process,” Goodwin said. “We are taking their feedback, and using that as a part of our development cycle. Training will be a minimal part of routine training operations for the pilot.”
While considerable effort is underway to improve the detection and mitigation of cyber-attacks on the aviation industry, most of the focus over the past few years has been on cyber awareness. Aviation employees’ lack of understanding of how cyber-attacks can infiltrate the aviation infrastructure is a primary reason why such threats have seen such growth, according to Gary Kessler, Professor of Cybersecurity and Chair of the Security Studies and International Affairs Department at Embry-Riddle Aeronautical University’s Daytona Beach, Florida campus.
“A lot of the security problems that we are having in the aviation industry are due to a lack of user training and user awareness, and certainly when it comes to the basic things like cybercrime and cyber fraud being perpetrated into the aviation industry,” Kessler said. “That’s all issues of people not knowing how to respond to a cyber event.”
“When it comes to the planes themselves, a lot of cyber intrusion problems have to do with the integration of a lot of different systems from different manufacturers,” Kessler continued. “And while I think that we have a reasonably good understanding of the individual systems, many of the problems that can come into play are when you attach all of the systems to each other. And I don’t know if there has been a lot of work to assure that the overall integrated system is secure.”
In an attempt to help improve cyber awareness for aviation industry employees, Kessler’s department began offering Continuing Education cyber security short courses for aviation industry managers this October. More information on the courses and when they again may be offered can be found by e-mailing email@example.com.
Several educational institutions are also beginning to offer such courses, as are industry organizations ICAO and IATA.
“In our courses, we are trying to determine how the cybersecurity issues are unique to the aviation industry from the management and policy perspective,” Kessler said. “We want to explain how to integrate the cybersecurity issue into the consciousness of all members of the organization. One aspect of the course is how do you keep abreast of these problems, and how do you anticipate the problems that are going to be affecting your particular part of the world. Rather than teaching people statically about the current state of affairs, we are trying to teach them dynamically how they can stay abreast of what is going on. That’s all a part of the life-long-learning thing that we are trying to teach.”
Industry Cyber Awareness
One of the latest and most comprehensive industry cyber awareness publication efforts - sponsored and underwritten by Thales USA - is the Atlantic Council’s report on the impact of cyber-attacks on aviation entitled Aviation Cybersecurity: Finding Lift, Minimizing Drag. This report was authored by Peter Cooper, the Council’s cybersecurity expert. The publication can be downloaded at www.atlanticcouncil.org/reports. The report not only outlines the threat to aircraft, airlines, airports, air traffic control and the rest of the interconnected aviation environment, but also advocates a way forward for the industry to work together to help mitigate the cyber threat.
Alan Pellegrini, CEO of Thales North America and an Atlantic Council Board member, provided an overview of the growing cyber issue at the launch ceremony for the report. His following quotes are taken directly from a recording of the event, which took place in November 2017.
“The problem is that the elements of the aviation ecosystem are becoming far more connected, with even the aircraft itself becoming the Internet of Things in its own right. But we have to admit that with all of the added connectivity, we have increased the technology vulnerability of the aircraft and its entire ecosystem to potential cyber threat or terrorism. But technology itself is not going to solve this problem. It is going to take all of us in this entire industry as stakeholders to really try to maximize the safeguards in this connected aviation ecosystem.”
Another recent and significant industry effort to combat the growing aviation cybersecurity threat was the launch of the joint Airbus and SITA Security Operations Centers, which the companies claim are the first of their kind “for the specific needs of the air transport industry”. However, it is important to point out that the centers in France, Germany and the UK are being operated by the Airbus Cybersecurity division and SITA, and not the Airbus Commercial Aircraft division.
According to representatives of both companies, the new incident detection services offered at the Centers will provide airlines, airports and other air transport industry stakeholders with information about unusual cyber activity that may impact their businesses. François Lavaste, head of Airbus Cybersecurity, said that the Centers’ standard solution mainly combines real-time monitoring services for applications and communications dedicated to air transport and incident response services. One of the tools the division employs is a CyberRange training and simulation platform that is used to train aviation personnel in the fundamentals of cybersecurity.
As for Airbus Commercial Aircraft itself, the company declined to respond to specific CAT questions about what it perceived as the greatest cyber threat to aviation, and what specific areas of cybersecurity the aircraft manufacturer was concentrating on. Rather, its response was that it was not at liberty to say for security reasons.
“Airbus has robust systems and procedures in place for our aircraft and their operations, which we constantly review with the industry, to ensure security against any potential cyber-attacks,” said company spokesperson Martin Fendt. “We naturally do not discuss our security design and operations details in public. The security of a product is based on the principle of security in depth. Instead of having one line of protection, various robust layers of security are in place to protect our products from threats of all kinds.”
Published in CAT issue 5/2018