With the public inundated with reports of an alarming number of computer hacks, the question in everyone’s mind is “what is next?” The aviation industry was the center of media attention when Chris Roberts, a controversial computer researcher, was detained by FBI agents after boasting that he had hacked systems while a passenger and took control of key aircraft systems. The boasting tweet that got him in trouble was:
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)
— 42… (@Sidragon1) April 15, 2015
First let me say what all professionals quickly realized, just because someone claims they are 133t does not mean they are.
Turns out he had previously been interviewed by the FBI and had previously made claims of hacking in flight systems and getting control of engines via the In Flight Entertainment (IFE) system.
Whether or not Roberts’ claims were true or whether or not his intentions were malicious, he brought to light the significant need to readdress aviation cyber security.
During the 2015 Global Connected Aircraft Summit, a session was dedicated to the topic of aviation cyber security: “Cyber Security: How Can a Connected Aircraft Manage This Threat?” Moderator Bob Gourley, publisher of CTOvision.com discussed this topic with panelists Axel Jahn, Managing Director, VP Business Development Connectivity at Zodiac Aerospace; Andy Beers, Director, Aeronautical Sales for the Americas at Cobham SATCOM; and Vinit Duggal, Director and Chief Information Security Officer at Intelsat. Gourley led the discussion centered around the intense landscape of cyber threats, stressing the lack of security for Air Traffic Control (ATC) and avionics platforms.
Cyber attacks are becoming a more frequent topic with the media with news of another attack emerging on a regular basis. With traditional terrestrial cyber networks, IT companies are going about structuring their information network in what Gourley calls “contained ways.” What this means is when hackers attempt to penetrate the network, they are unable to access the company’s most vital information. The aviation industry has attempted to follow the structure of the traditional terrestrial cyber networks, but it has not been successful. Due to the complex ecosystem involved in setting up cyber security within the aviation landscape and the increase in In-Flight Connectivity (IFC), the aviation cyber networking cannot mirror that of the terrestrial.
With multiple systems providers, airlines and IFC providers managing various components of an airplane, gaps are becoming more frequent in the aviation landscape. The question becomes how to manage the threats effectively. Vinit Duggal said the aviation industry is “an an extremely complex ecosystem and when you marry it to what’s happening onboard the plane, you have quite a large attack surface that’s exploitable, essentially, to the threat actors [Gourley] mentioned.” With the increase and demand for new in-flight technology, it has opened the Pandora’s box of weak areas exposed to potential hacks.
The increase of technology does not match the increase in technology security. Duggal said, “technology moves so fast, security sometimes gets left behind because you’re trying to get to the consumer, you’re trying to give them what they want, and sometimes when you try to address security after the fact you add complexity to the mix.” The threat level is increased when systems are not secured prior to installation. Security is often overlooked when ensuring for the consumer’s satisfaction with a rapid implementation and deployment. Making the consumers happy with the latest and greatest technology without first securing the systems before installation merely increases the threat level.
“Attacks against the aviation industry are also occurring on a daily basis and we can expect that as the connected aircraft grows in popularity, there will be more and more and more attacks there too.” Bob Gourley
Each panelist concluded the session with a consensus of opinion that each area of the aviation industry will have to work together to mitigate the cyber threats effectively. The last thing anyone wants is for our airplanes to have gaps where hackers can easily make their way inside and control an airplane from the safety of their living room couch. Beers said “ we are being proactive already to develop systems that address security threats in the future,” let’s hope we only become more proactive in thwarting a potential attack.
Read more here on Aviation Today and Apex.
Our view: the aviation industry, including everyone supplying any product or service or operating any vehicle, should track the threat and share not just indicators of compromise, but scenarios of failure, and use those to mitigate the very real risks.
Operationally, we most strongly recommend affiliating yourself with the aviation ISAC. This is providing a trust-based sharing venue available to the entire community.