Information Sharing and Cyber Simulation in the Aviation Industry
The constantly evolving threat of cyber-attack is the paramount risk management concern facing the world today. The aviation sector has been slower than most to accept this but is learning that the threat landscape is changing faster than its technological response can keep pace.
The urgency was highlighted in 2017 when the Pacific Northwest National Laboratory (PNNL), a U.S. Department of Energy research laboratory working on behalf of the U.S. Department of Homeland Security (DHS), reported that it’s “only a matter of time” before a cyber breach happens in the sector, enabling cyber criminals to hack and remotely control an airplane.
That “time” has come…
In light of this statement, two well-publicized demonstrations of hacks into airplane networks are all the more alarming. In 2013, Hugo Teso, a security researcher and aviation enthusiast, simulated infiltration of flight control and telemetry systems using commonly available hacking tools purchased online for around US$80. This was later disputed by the FAA.
Then, in 2017, a team from the DHS told a meeting of cyber experts in Virginia that they had “accomplished a remote, non-cooperative penetration” of a government-owned Boeing 757 while it was parked at a New Jersey airport.
More recently, in late December 2019, the RavnAir group, a small airline based in Alaska, reported a malicious cyber attack on its internal IT network, resulting in a 24-hour grounding of all flights serviced by its fleet of De Havilland Dash 8 aircraft.
More flights, greater risk
Air traffic has grown steadily over the past couple of decades; there are presently between 8,000 and 20,000 planes in the air at any given moment (depending on the time of day). The trend suggests that the number of flights is likely to double again over the next 20 years, or even less, due to factors including but not limited to cheap airfares, increased competition brought on by “open sky” policies, and economic growth.
Increased digitization of flight control systems, coupled with the growth in demand for flights, results in an ever-growing cyber attack surface, which remains open to exploitation in this high-stakes and operationally tech-heavy industry. Existing solutions in the field are focused on defending networks, systems and databases from malicious activity. These solutions correlate directly with the industry’s safety and performance indicators and indirectly with airline service, reputation and financial health.
The power of information sharing
Mitigating attacks means leveraging awareness and visibility to promote a deeper understanding of the lay of the land. Credible, actionable, real-time Cyber Threat Intelligence (CTI) takes things a step further by allowing organizations to maximize the value of their information security resources and allocate them to strengthen their security posture against the attacks most likely to actually occur. In many cases CTI can aid in uncovering attacks that have eluded their traditional defenses. Hence, critical information about a breach that has occurred, or which is predicted by threat intelligence as likely to occur, will be of great value to others if shared by those organizations that are ahead of the curve. Sharing this information confidentially and, if required, anonymously provides the recipients with time to formulate a cogent and effective response.
The aviation industry already benefits from industry-wide knowledge sharing provided by A-ISAC, the Aviation Services Information Sharing and Analysis Center.
iShare, developed by IAI for the National Cyber Centers, takes aviation knowledge sharing above and beyond. It presents a secure, trust-driven platform for connecting cyber professionals and organizational stakeholders for the sharing of CTI information.
The iShare platform provides multiple channels for the exchange and validation of information using the industry-standard Traffic Light Protocol (TLP) to classify and manage the dissemination of information to restricted groups, anonymously if necessary. By leveraging a closed, secure, members-only social network of CERT and security professionals, the iShare platform utilizes a trust paradigm which ensures that information originates from highly reliable sources and is vetted to minimize the sort of issues that dilute the efficacy of other CTI systems, such as excessive alerts and false positives.
iShare features several channels for engaging with the Aviation community, which form the building blocks of the platform.
CERT alerts – timely information on current security issues, IoCs, vulnerabilities and exploits, including mitigation techniques.
Publications, discussion groups & chats – members can initiate and participate in forum-type discussions to share their experiences or seek input from community members.
Private Messaging – a richer email-style communication medium with all the benefits of replying-to-all, forwarding, marking messages unread and text search.
Threat intel repository – stores indicators of compromise such as IP addresses, email addresses, contaminated files, URLs, registry keys etc.
File attachment – upload of files to content channels or repositories for sharing with other members. All uploaded files undergo sanitization using sandboxing and anti-virus tools to verify they are not malicious.
Malware sharing and advisories – suspicious files can be uploaded for forensic examination through a secured upload path. iShare’s segmented topology mitigates the risk of these files negatively affecting the platform. Files flagged as malware can only be downloaded by “researcher” users. After analysis, researchers share findings with the wider community in the form of advisories.
Machine-to-machine data flow – a secure API for developers allows consumption of published content from the platform and integration into third-party solutions such as SIEMs.
Flight Simulation, Cyber-Style
The aviation industry has long been at the forefront of simulation training, with early flight simulators in use in the early 20th century. Today, simulation has spread to many other industries, including the field of cyber security. Israel Aerospace Industries’ cutting-edge TAME Range takes the latest and most destructive cyber threats and campaigns shared in the community and recreates them in a hyper-realistic, virtual environment. This allows incident response teams to play out live attack scenarios in a controlled environment, in real time and against the same ticking-clock conditions that would govern their actions, communication, judgement and decision-making processes. In the aviation industry, delay, indecision and system failure can cost lives. It is therefore critical that teams undergo training and drilling so that when real cyber attacks strike, leadership, focus and swift recovery control the narrative.
We believe the world of aviation needs to adopt cyber security implementations, platforms and techniques well proven in the IT and ICS domains. iShare, as well as TAME Range, provides advanced resilience, giving aviation groups the power to supplement their security teams and share the knowledge of industry-wide professionals battling the same threats on a daily basis to keep global airline passengers safe.