Keeping hackers at bay
Apr 03, 2019
Cybersecurity threats to aircraft, ground and mobile systems are increasing. OEMs, maintenance companies and airlines need rigorous, multi-layered defences to protect themselves.
In 2017 US government researchers concluded that “most commercial aircraft currently in use have little to no cyber protections in place”. A year earlier the same researchers had taken two days to hack into unspecified systems on a parked Boeing 757 via its radio frequency communications, while their next project was to examine the vulnerability of wi-fi and in-flight entertainment (IFE) systems.
The results of that study are yet to be made public, but there are fears that more modern aircraft, where passengers, crew and many aircraft components themselves possess greater internet connectivity than on a 757, will prove even more vulnerable. In 2015 a cybersecurity specialist said he had moved an aircraft in flight via its IFE system, although his claims have met with huge skepticism and, even in the case of the more rigorous 757 research outlined above, it is unclear whether critical systems were accessed.
Even so, US Department of Homeland Security researchers believe it is only “a matter of time” before an aircraft cybersecurity breach occurs, while a 2018 survey by SITA of airline IT chiefs found that cybersecurity was their second-highest investment priority. For airport chief information officers it was number one.
Boeing says it is confident about the cybersecurity of its aircraft. “Multiple layers of protection, including software, hardware, and network architecture features, are designed to ensure the security of all critical flight systems,” a spokesperson tells InsideMRO, adding: “Boeing’s cybersecurity measures are subjected to rigorous testing, including through the FAA’s certification process, and our airplanes meet or exceed all applicable regulatory requirements.”
One example of those regulations is DO-326, which deals with the activities that need to be performed in support of the airworthiness process when the development or modification of aircraft systems and the effects of intentional unauthorised electronic interaction can affect aircraft safety. Companion documents set out various measure to achieve this.
And while the potential to access flight control and other critical systems is uncertain still, huge disruption could still be wrought. For example, it has been estimated that the cost of updating one line of avionics code can run to $1 million when one considers the implications of developing, testing and implementing a fix and – crucially – the time an aircraft might be out of service to do so. One need only look at the global grounding of the 737 Max fleet while Boeing changes certain software to imagine the havoc that computer viruses might cause.
Connected components
Also worth noting is the interplay between mobile devices and aircraft systems, particularly as flight and cabin crew take advantage of advances in connectivity to assist them. Often they use tablet devices to do so, presenting a risk that malicious software that finds its way onto the tablet could then jump on to aircraft systems. To lessen such risks airlines need rigorous systems in place to manage their mobile devices and who has access to them.
In theory, a more direct route into those systems potentially exits through connected components that form part of the ‘Internet of Things’. One example is the engine management unit (EMU), which collects, processes and transmits engine data. In the past, this was a one-way stream, but certain EMUs can also receive instructions. Rolls-Royce launched such a device with its Pearl 15 business jet engine and is intending to roll out the technology to other platforms in order to enable functions like remote testing. “Now we can now talk back to the engine while it's on the ground,” Rolls-Royce’s head of product management for digital services, Nick Ward, told Engine Yearbook recently.
Like Boeing, Rolls-Royce is confident that multiple security layers protect its components from interference, but that is not the case everywhere on an aircraft. SITA estimates that about 12% of aviation cyber attacks target navigation and air traffic control, with GPS proving particularly easy to undermine with cheap jammers and open-source ‘spoofing’ software. The effects already experienced by flight crews include loss of satellite position reception; an inability to report aircraft positions accurately; and being forced to perform go-arounds using back-up navigation.
Data security
Another layer of threat exists for ground systems. An airline’s passenger data security is beyond the purview of this publication, but OEMs and maintenance companies must be aware also of heightened cybersecurity risks, be they to internet-enabled components or the increasingly valuable data they generate. Keeping client data confidential is one priority, but manufacturers and MRO providers must also guard against intellectual property theft and other malicious actions by rival companies or even nation states.
“Access and authorization to data, whether from an individual airline or anonymized/aggregated, is either controlled by an identity management team or through integration with the airline’s ‘Single Sign On’,” says Jon Dunsdon, chief technology officer of GE Aviation digital solutions.
“GE monitors access to ensure only those employees or contractors authorized to view the data are allowed access,” he adds.
Rolls-Royce tells InsideMRO that it recognises cybersecurity “as one of the principal risks” for the company, and outlines several measures it takes to protect its own and its customers’ data, including: an information assurance board to approve cybersecurity architecture and access controls; cybersecurity risk assessment for new projects; security operations centers around the world with team focuses on cyber issues; pro-actively searching for weak spots across its IT systems; and co-operation with Microsoft to enhance the security of data stored in the cloud.
Lufthansa Technik has access to certain airline data via its Aviatar platform, although only what each customer is willing to share. As well as separating each customer’s data, the MRO provider also uses encryption throughout the Aviatar platform, both for data in storage and in transit. This is the last line of defence if other security measures – such as Aviatar’s firewall and automatic threat detection – fail.
At the same time, it is clear that cyber-threats will continue to evolve and proliferate, and that the defences of today may not suffice tomorrow. Therefore aviation companies must continue investing in security to stay ahead of the hackers.
SIDEBAR | Top 10 Cybersecurity Tips
1. Layer Security
A firewall presents little obstacle to determined hackers so multiple layers of security are needed, including system segregation and, ultimately, data encryption.
2. Encrypt All Data
Data encryption has become increasingly affordable and powerful. It is the last line of defence against hackers and, accordingly, airlines and other aviation companies should aim to encrypt all data, whether it be on aircraft, ground systems or mobile devices. Furthermore, keep control of encryption keys.
3. Monitor Suppliers
Malware can be embedded in systems coming new out of the factory so the cybersecurity of key suppliers is almost as important as one’s own.
4. Control Mobile Devices
Access on company devices must be controlled by a solid Mobile Device Management system, while companies must be aware that allowing staff to use personal devices at work massively increases security risks.
5. Search for Weak Spots
Employ experts to identify IT vulnerabilities before hackers do.
6. Use AI
Artificial intelligence can detect probes of data before a successful cyberattack.
7. Know Your Data
It is essential to keep tabs on all the data generated and stored by your firm, where it is, who owns it, how valuable it is and where and how often it is backed up. You need all this to set your data-protection priorities.
8. Cloud Security
Don’t just delegate security for company data stored in the cloud to the cloud provider. Also ensure security of data while it is being transmitted to and from the cloud. Data can be hacked in transmission as well as in storage.
9. Maintain Physical Security
Control who has access to data centres or other critical IT infrastructure and restrict the use of USB drives and other storage devices in such places.
10. Communicate And Enforce Data Security
A meticulous data-protection policy is useless unless it is followed by everyone involved with data. Hold managers accountable for compliance in their departments.