[Avionics Today 06-12-2015] Experts from Zodiac, Cobham Satcom and Intelsat came together earlier this week to speak to the increasingly intense topic of aviation cyber security. During the 2015 Global Connected Aircraft Summit, at the “Cyber-Security: How Can a Connected Aircraft Manage This Threat?” session, the panelists addressed how fear and the progressively complex avionics and Air Traffic Control (ATC) landscape are making managing cyber security an ever more difficult obstacle to conquer.
Moderator Bob Gourley of Cognitio, who has an extensive background in cyber security and is currently publisher of both CTOvision.com and ThreatBrief.com, kicked off the session by laying out the intense landscape of cyber threats, which is becoming ever more scrutinized amid Government Accountability Office (GAO) reports indicating lacking security both for ATC and avionics platforms.
“Hackers and hacktivists, terrorists and criminal groups, and nation states are attacking enterprise continually and consistently. And they’re also the threats to the connected aircraft,” said Gourley, noting that while attacks are occurring on a daily basis, they are not to be taken lightly.
“We can look at history and see what those threats are capable of doing. They penetrate enterprises on a daily basis. You can read the news on this and every single day there’s another attack,” he continued, referencing several recent attacks including the penetration of health insurance agency Anthem that compromised the health records of more than 80 million U.S. citizens. “Attacks against the aviation industry are also occurring on a daily basis and we can expect that as the connected aircraft grows in popularity there will be more and more and more attacks there too,” said Gourley.
In traditional terrestrial cyber networks, IT companies set about structuring a company’s information network in what Gourley calls “contained ways.” This way, when hackers attempt to penetrate the network, they can’t access the company’s most precious resources. Gourley notes that the aviation industry has attempted to follow this structure, but he and other panelists pointed to the complex ecosystem involved in setting up cyber security in the aviation landscape and in the time of rising In-Flight Connectivity (IFC).
“When you look at how we’re looking at supplying transit and the [aviation] pipeline, essentially to the planes, it’s not the same gamut that you have with traditional terrestrial implementation. You’re supporting mobility; you’re supporting gateways on the fly without losing connectivity. It’s an extremely complex ecosystem and when you marry it to what’s happening onboard the plane, you have quite a large attack surface that’s exploitable, essentially, to the threat actors [Gourley] mentioned,” said Vinit Duggal, director and chief information security officer at Intelsat.
This is made even more complicated by the different aviation stakeholders that become responsible for cyber security in their own segment of the ecosystem. With airlines managing one aspect, system providers another, and In-Flight Connectivity (IFC) providers yet another, the question becomes how to bring all areas of the aviation landscape together to manage threats effectively.
The constantly shifting landscape of aviation also poses more questions and exposes more chinks in the armor, with initiatives such as NextGen and Single European Sky ATM Research (SESAR) to modernize airspace taking hold as well as the digital age revolutionizing entertainment and connectivity aboard the plane.
“To have flight ops and in-flight entertainment connected together is a scary prospect because you could secure something at a given point in time, so today we can secure something and lock it down but that threat environment can change within a few days, so how are you patching that from an operations perspective, a system updates perspective? When you have to update something on an airplane, we’ve mentioned many times here how complex the certification model is,” said Duggal. “Technology moves so fast, security sometimes gets left behind because you’re trying to get to the consumer, you’re trying to give them what they want, and sometimes when you try to address security after the fact you add complexity to the mix.”
And, according to Axel Jahn, managing director and vice president of business development for connectivity at TriaGnoSys, a Zodiac Inflight Innovations company, even when you want to keep up, technology moves too fast, oftentimes, to cover new threats.
“What has been established is going to be outdated as soon as you publish it so we need to maybe have a new philosophy on how we are installing things in an aircraft,” said Jahn.
But outside of technology lies another threat, one that Gourley identifies as FUD: Fear, Uncertainty and Doubt. “If you want to manipulate someone into buying something, you scare them. And unfortunately in the cyber security community you see FUD too frequently. People come up with incredibly scary scenarios, they twist the truth, they lie to sell you something.”
Gourley also touched on ethical hacker Chris Roberts who earlier this year claimed to have hacked into the Thrust Management Computer during flight through the IFE system on board a United Airlines aircraft, issuing a climb command that caused the airplane to briefly change course. While it’s impossible to speak to whether Roberts’ intentions were malicious, narcissistic or in good will as Roberts himself has insisted in recent tweets regarding the subject, Beers expressed a certain amount of gratitude to the hacker, who was kicked off the flight after tweeting his allegedly successful infiltration into the system, for bringing the subject into the public eye.
To keep FUD from controlling the message of cyber security, however, Beers encourages education above all things. “You have got to educate yourself about what can and cannot be done,” said Beers, who stated that it was not possible for someone to hack into the IFE or IFC and “begin controlling the aircraft.”
When it comes to moving forward on managing cyber threats, however, the panelists seemed to think that all areas of the aviation industry will have to come together to mitigate it effectively.
“We are being proactive already to develop systems that address security threats in the future,” said Beers. “[But] we’re not the only system in that chain, we need to work together as an industry. I’m happy to see things like RTCA SC 216, ARINC 781 smaller satcom for safety services attachment 8, which is specifically security for an IP connection. There are a lot of good things out there, I think we’ve got a lot of positive things, but the industry is going to have to work together to make sure these cyber events don’t become too big of a problem.”