Aviation Cybersecurity: High Level Analysis, Major Challenges and Where the Industry is Heading
During recent years we have witnessed important attacks on large corporations, critical infrastructures of all kinds, governments and SMEs with different levels of sophistication and diverse severity in their impact.
As we might expect, the aviation industry is not an exception to this status quo. Nevertheless, there is a major difference with other industries like financial services, insurance or e-commerce to name just a few. In transportation and particularly in aviation there is a key life safety issue. A cyberattack, if successful, might end up in loss of numerous lives – resulting in a complete catastrophe. If that were not enough, it might also destroy trust and eventually the brand.
We might consider aviation cybersecurity a subset of generic cybersecurity, with the added dimension of the possible loss of lives referred to above.
Moreover, aviation and aerospace systems must support real-time behaviour and they require ultra-high reliability. Many of these systems are safety critical and require strong certification and rigorous cybersecurity controls.
Complexity is another ingredient and definitely a challenge, as avionic software may have between 100 million and 1 billion lines of code. As a consequence, software verification represents an important cost and certification is not a quick process.
Multiple systems that need to be protected
The aviation industry relies on a quite complex infrastructure integrated in multiple systems that need to be individually and holistically protected.
A thorough cyber assessment is needed involving aircraft and equipment manufacturers, air-traffic control, airports, airlines and all the other elements of the aviation infrastructure as an information system.
This should include penetration testing or red teaming where cyber experts try to gain access to the systems as well as vulnerability testing to look for flaws in security.
The key question is: what makes a system vulnerable?
Two components are needed: a vulnerability and a pathway to attack that system or exploit that vulnerability. The suggestion that we do not need to patch a specific vulnerability unless there is a pathway is challenged by the possibility that an attack pathway exists but has not been identified.
Another very important element to consider is insider threat. Reports show that insider threat is on the rise, requiring employees to be educated in their role in mitigating such threats and adhering to cybersecurity policies and best practices. Processes and playbooks should be periodically reassessed and rigorously tested to ensure continuous improvement. In addition, access controls should be put in place so that only the people who absolutely need clearance are allowed into certain areas of the airport or the aircraft.
Challenges for the aviation industry
During the last decade, the introduction of e-enabled or digital airplanes and widespread connectivity have increased the operational efficiency of the airlines. Nevertheless, this also involves increased interaction with many information systems that are outside the traditionally defined security perimeter.
Moreover, one traditional line of defence in aviation was the very specific knowledge needed by an attacker or cyber criminal, because aviation-specific software and hardware were unavailable to the general public.
Important changes in recent years have created substantial challenges today:
- Increasing use of commercial off-the-shelf software and solutions, which can be attacked without the aviation-specific knowledge referred to above.
- Smart aircraft with Flight-By-Wire (FBW) capabilities.
- Multiple interconnected systems: the security of the interoperation of all these systems needs to be tested from a red teaming perspective.
- The aircraft of the future is heading towards software updated on the fly, which also creates important additional challenges.
- Bring Your Own Device (BYOD) into the cockpit.
- Aircraft certification is becoming more complex, and the strategy of issuing “Special Conditions” to harden the systems which might be at risk may not be enough, as they cover neither the whole interoperation of the systems nor its adaptability.
- There are two ongoing initiatives to modernize Air Traffic Control Systems:
  - The Next Generation Air Transportation System or NextGen is the FAA-led modernization of America’s air transportation system, which calls for the information systems to be networked with IP technology into an overarching system of interoperating subsystems.
  - The Single European Sky ATM Research or SESAR is the technological pillar of the Single European Sky and aims to improve Air Traffic Management (ATM) performance by modernizing and harmonizing ATM systems.
This upgrade makes sense from a management, communications and modernization standpoint, but it also opens air transportation to unforeseen vulnerabilities.
As we add new functionality, we also add attack vectors that need to be properly analysed.
But there are also other factors that pose serious risks to the aviation industry:
- Lack of budget or resources, for example in small airports or developing countries.
- The existence of multiple regulations: this makes it very difficult to adapt the speed of the new regulations to the quickly evolving threat landscape.
- Multiple stakeholders: there are countless stakeholders in the mix and data flows constantly back and forth between numerous internal and external systems.
- Complex business relations and important geopolitics at play.
Elements vulnerable to attacks
As previously mentioned, the introduction of digital or connected airplanes, as well as the airport of things, brings new vulnerabilities to the table. The key elements vulnerable to attacks considering the whole system are:
- Access, Departure and Passport Control Systems
- Cargo handling and shipping
- Reservation Systems
- Fuel gauges
- Hazardous Materials Transportation Management
- In-Flight Entertainment (IFE) and Connectivity Systems
- e-Enabled ground and onboard systems
- Electronic Flight Bags (EFB): electronic information management devices that help flight crews perform flight management tasks easily and efficiently.
- Cabin crew devices
- Flight traffic management systems: Primary and Secondary Radar, Automatic Dependent Surveillance-Broadcast (ADS-B), Global Navigation Satellite System (GNSS), including GPS, GLONASS, GALILEO, BEIDOU and some other Regional Satellite Systems: IRNSS (India), Zenith (Japan) and Compass (China).
- Airplane Information Management System (AIMS), including among others, the Flight Management System, the Thrust Management System, the Data Communication Management (Datalink) / Aircraft Communications Addressing and Reporting System (ACARS), the Central Maintenance System and the Flight Data Acquisition System.
Where is the industry heading?
The industry is aware of the cybersecurity challenges and is working very hard to address them. In the current climate, with increasing concerns about cybersecurity in all the different areas of our life, including financial transactions, internet, personal data and privacy, the aviation industry needs to show leadership and needs to be at the forefront of cybersecurity.
We are going to see initiatives that take a holistic approach to this complex system, not only its individual components, as well as analysing its vulnerabilities and attack vectors.
Strategies like micro segmentation are going to be used to divide networks into multiple micro segments and to apply separate access privileges. This approach contains any compromise or data breach to its specific segment.
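The two ideas above, an unidentified attack pathway and containment by micro segmentation, can be checked together with a small reachability model. This is an added example, not part of the original article: the system names are taken from the article's list, while the links, segment assignments, vulnerable set and policy are constructed assumptions.

```python
from collections import deque

# Constructed topology: system names come from the article's list, but every
# link and segment assignment below is an assumption for illustration only.
SEGMENT = {
    "reservation_system": "public",
    "departure_control": "airport_ops",
    "cabin_crew_device": "crew",
    "efb": "crew",
    "central_maintenance": "maintenance",
}
DOCUMENTED_LINKS = [
    ("reservation_system", "departure_control"),
    ("cabin_crew_device", "efb"),
    ("efb", "central_maintenance"),
]
# A data flow nobody recorded in the assessment (hypothetical).
UNDOCUMENTED_LINKS = [("departure_control", "cabin_crew_device")]
ALL_LINKS = DOCUMENTED_LINKS + UNDOCUMENTED_LINKS
VULNERABLE = {"departure_control", "central_maintenance"}  # unpatched (constructed)
# Micro-segmentation policy: default deny, one explicit cross-segment flow.
POLICY = {("public", "airport_ops")}


def reachable(entry, links, policy=None):
    """Systems reachable from `entry`. With a policy, a hop between two
    segments is followed only if (source_segment, dest_segment) is allowed."""
    adjacency = {}
    for a, b in links:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen, queue = {entry}, deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            flow = (SEGMENT[node], SEGMENT[nxt])
            if policy is not None and flow[0] != flow[1] and flow not in policy:
                continue  # blocked at the segment boundary
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposed(entry, links, policy=None):
    """Vulnerable systems that have a pathway from `entry`."""
    return sorted(VULNERABLE & reachable(entry, links, policy))


if __name__ == "__main__":
    print("documented links only:", exposed("reservation_system", DOCUMENTED_LINKS))
    print("with unrecorded link: ", exposed("reservation_system", ALL_LINKS))
    print("segmented, all links: ", exposed("reservation_system", ALL_LINKS, POLICY))
```

With only the documented links the maintenance system appears to have no pathway and might be left unpatched; one unrecorded link makes it reachable, and the default-deny segment policy blocks that pathway even though the link still exists.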
Artificial intelligence and, in particular, machine learning as its subset will also have its applications in aviation cybersecurity. A weaponized AI in the hands of cyber criminals is a very worrying scenario. However, it also highlights the importance of investing heavily in AI-defence and research. Emerging machine learning models will create greater protection against these sophisticated and complex threats.
With AI, systems will have the ability to learn patterns and identify deviations in a way that traditional systems or analysts could only dream of.
The use of encryption is, and will continue to be, critical to the aviation industry to help protect both air traffic control and flight traffic management systems’ information as well as the privacy of customer and employee information, which might include payment cards, national IDs, passport numbers, bank accounts and other Personally Identifiable Information (PII).
Finally, Big Data and Predictive Analytics will also play an important role as we are entering a new age of aircraft sensors and processors that will add the “Big” in aviation data throughout all the aviation ecosystem, including connectivity, operations or predictive maintenance to name just a few.