Alaska Airlines' Jessica Ferguson speaking at Global Connected Aircraft Summit 2018 in San Diego.
Alaska Airlines is no longer an airline.
That’s according to Jessica Ferguson, Alaska’s director of security architecture. It’s now “a technology company that flies planes.”
Delivering a keynote speech at this week’s Global Connected Aircraft Summit in San Diego, Ferguson was discussing company culture in the age of connectivity. Particularly for an 85-year-old company that purchases planes expected to last decades, a major mindset change has been necessary.
While an airframe may stay in service for a quarter century, software can become obsolete in a few years, and needs constant updating, refreshing or replacing. Further, a model of decades-long forecast cycles is unrealistic in the IT world because changes are too sudden. According to Ferguson, who worked in terrestrial IT and network security until joining Alaska in 2017, the industry has to embrace far more flexibility.
That change is becoming more important than ever in light of current industry priorities.
“Everybody wants the data. It’s not just from a security perspective security. GE wants it from the engines; our maintenance people want the maintenance data. It’s really becoming a Big Data issue,” Ferguson said. “But our legacy IT and security teams are not equipped to handle that. … We need to bring data security practices into the aircraft.”
Ferguson said that as planes become, essentially, flying IoT devices, the number of potential exploits and failure points rises exponentially.
“There are lots of customized solutions, homegrown stuff, all being integrated,” she said. “There are roughly 200 applications at work just to push back from the gate; everything from selling tickets to processing reservations, above the wing, below the wing, they all have to work together like the gears of a watch. If any of those cogs break, things can come down easily.”
One such breakdown occurred for the airline in the wake of the company’s acquisition of Virgin America shortly after Ferguson joined in early 2017. An advanced persistent threat hacker from a Chinese group exploited a vulnerability in Java and got access to a system that held technical manuals for the airline’s Airbus fleet.
Unfortunately, Ferguson said, the government needed access to the system, so Alaska wasn’t allowed to deny the bad actor access by taking it offline, and it couldn’t remove the vulnerability by updating Java because that would have left it unsupported by its vendor. The result is that her team could actively watch the actor try to attack the system without a way to put a stop to it for months. It cost the company $2.5 million dollars, not including the time people spent working on the issue.
Somewhat unique to airlines is that most of their business happens in the public eye. “My product is out there. You can go fly in it — in fact, I highly encourage it,” she said.
That means that failures and breaches tend to be seen and publicized, putting a premium on optics. Ferguson referenced the attention paid in the wake of Chris Roberts’ public claims that he had hacked into plane engines through IFE systems and the more recent claims by hacker Ruben Santamarta that aircraft can be hacked from the ground through satcom systems.
Also speaking at the summit, satcom expert Peter Lemme said that the software in question was already designed to prevent what Santamarta did, but it experienced a failure that was not repaired until later, which is what created the vulnerability. The issue, in that case, was the system monitoring procedures, not the security of the software itself.
“When they lock up a building, they send a security guard around to rattle every door,” Lemme said. “We need that for network security. You can’t just design it and say you’re secure.”
Another quality endemic to the commercial airline industry is the small ecosystem of vendors.
“We all fly Boeing and Airbus and Embraer and Bombardier,” Ferguson said. “We’re all using Sabre, we’re all using Jeppesen.” That is a double-edged sword; it contributes to industry-wide problems and a slower adoption-cycle of improvements. For example, she said that the airline is forced to use a more-vulnerable Windows XP operating system for compatibility reasons with airports, and it has to do so for compatibility with other operators; essentially, everyone has to upgrade certain things at the same time.
But there are also benefits: The fact that everyone shares problems and “there are no secrets” mean that there is a lot to be gained from working together.
Ferguson, who is an alternate board member for the Aviation Information Sharing and Analysis Center (ISAC), is a big proponent of teamwork when it comes to cybersecurity.
“I don’t win if Delta gets breached,” she said. “Together, as an industry, we win.”
That goes for vendors as well as operators. “Obfuscation and hiding is not an option anymore in 2018,” Ferguson said. “I’ve had vendors tell me, ‘I can’t tell you my security vulnerabilities because if I do, that’s a security vulnerability.’ No. Doesn’t work anymore. I will personally kill any request to buy a system where a vendor tells me that.”
One proposal Ferguson said ISAC is working on is a cyber-equivalent to the FAA’s no-fly list. The idea is that some of the worst bad actors are known or predictable and can be preemptively blocked instead of just dealt with reactively. As a step beyond that, there are ways to automatically track and learn good and bad behaviors that should and should not trigger red flags.
Ferguson said her impression from talking with regulators is that “the cavalry isn’t coming.” The industry has to take care of itself when it comes to cybersecurity. She said: “We have to own the security. I own the security at Alaska. If anybody asks, it’s me. And I take that very personally.”