Today’s aircraft are increasingly connected, from passenger inflight entertainment systems through to flight deck and avionics connectivity. As more and more data is generated, transporting it to and from the aircraft expediently and securely is becoming increasingly important.
Sensitivity over data security has increased in the United States over recent months following the attack on Colonial Pipeline, which carries gasoline and jet fuel from Texas up the East Coast to New York. While the company was not specific with the details, the White House and FBI disclosed it was due to a ransomware attack, in which criminal groups hold data hostage until the victim pays a ransom. This breach has heightened fears over the vulnerability to cyber-attacks of not only the nation’s energy infrastructure but the transportation sector too, especially as the national aviation system starts to ramp up operations as the pandemic’s impact is harnessed.
In a June 2 open letter to corporate executives and business leaders, the White House deputy national security advisor for cyber and emergency technology appealed for business leaders to view ransomware not as a data theft problem, but rather as a threat to their core business, with the ability to halt operations and cut off the company’s revenue stream.
And it is by no means a national weakness. Florent Rizzo of the Toulouse, France-based CyberInflight intelligence consultancy points to the latest European statistics on the aviation cyber threat. Data from the EATM-CERT (European Air Traffic Management Computer Emergency Response Team), which supports Europe’s air navigation safety agency EUROCONTROL as well as European air traffic management stakeholders in protecting themselves against cyber threats, demonstrates an ever-present danger.
Based on its research, the number of publicly known cyber-attacks on airlines, airports, air navigation service providers and other aviation stakeholders in 2019 was estimated to be below 100. Worryingly, a July 2021 report from the EATM-CERT clearly highlights the concern with cyber-attacks rising by 530 per cent between 2019 and 2020, with ‘startling impacts across market segments’.
Within that threat environment, however, the proliferation of ransomware activities during 2020 is evident. In France, for example, ANSSI, which is the country’s national security agency, documented a threefold increase in the annual number of reported incidents from 54 in 2019 to 192 in 2020.
Regine Bonneau is CEO and founder of Winter Park, Florida-based RB Advisory, a security compliance and cyber risk management solutions expert that serves a client rollcall featuring many businesses that support the US Department of Defense. She believes that cyber security will only become more of a critical issue for businesses, such as airlines, that have to convert the value of the data they collect to make it a meaningful business tool. She warns, however, that those who fail to realize the critical value of data effectively leave the door wide open to attacks, because a malicious cyber enemy will never be slow to spot and exploit that failure.
Bonneau chronicles the key moment data became a critical element in the cyber security landscape. She says it started simply enough with the development of industry marketing platforms which started converting the customer contact rolodex into electronic databases that supported automated email and call targeting campaigns. And while those data driven analytics are now crucial to driving a business’s profitability, they also potentially have become its weakest link.
Bonneau advises that the first step is to classify exactly what data you as a business are collecting and its importance in terms of value and usability. “Really scrutinize your business and ask yourself, who has access to these data collections. Ask yourself who are they and why are they using this data.” Continuous monitoring is required here, not only within your own organization but outside it too, so considerations about a business’s supply chain immediately come to bear. “If you don’t control who has access to your customer information, you are potentially handing over admin rights to your data,” Bonneau says. “Key to your approach should be control of your data outside your own organization to your supplier because that extension of you as a business represents your biggest risk.”
Then, Bonneau says, a business would be wise to look at what it collects in terms of Personally Identifiable Information (PII) which deals with any sort of sensitive information associated with a specific person, which can be used to identify or locate that individual.
“This is at the top of the value pyramid but do you have the technology to identify where this data is and how it can be encrypted? Can you ensure industry-standard ‘data privacy by design’ which is conducted through a close assessment of the sort of data that is being collected?” Bonneau asks.
Solutions: Digital Certificates
One facet of the aviation cybersecurity effort is the use of Public Key Infrastructure (PKI), which uses digital certificates for authentication, integrity, and encryption. Industry standards such as ARINC 842 and ATA Spec 42 provide guidance for securing digital assets in the aviation industry using PKI. Teledyne Controls, which in the late 1990s was the first to introduce wireless technology as a viable means to securely and automatically transfer large volumes of data between the aircraft and the airline’s ground network, has over two decades of experience in securing the delivery of its customers’ data to its final destination. The company’s popular Teledyne GroundLink Comm+ system, which is in service on over 10,000 aircraft worldwide, uses IPSec VPNs to provide secure transport for data from the aircraft to the ground and vice versa, and uses ATA Spec 42-compliant digital certificates to provide authenticity, confidentiality, and integrity. Flight data payloads are encrypted to ensure confidentiality for data at rest. The IPSec VPN tunnels also protect data that is uploaded. With Teledyne GroundLink Dataloading, for example, the loadable software parts, navigation databases and application updates that are wirelessly distributed to the aircraft’s onboard data loaders are protected. The GroundLink Comm+ also serves as an aircraft interface device (AID), enabling flight deck connectivity for Electronic Flight Bags, while digital certificates are also employed to ensure only authenticated devices can connect to the AID.
Solutions: Business Aviation Monitoring
The significance of cyber security for the owners and operators of corporate business jets is acute. Josh Wheeler is director of customer services at Satcom Direct (SD), a business which is a leader in cyber security support for aviation. Its ecosystem is built on an open architecture platform, which means third party providers can plug into the SD Pro digital dashboard to help customers manage data transmission from third party organizations through a single platform.
SD is an ISP in its own right, so it can provide services that ensure data never touches the public network. It combines technology with best-in-class cyber security expertise to help create a virtual flying office, supported by a whole set of experts monitoring for abnormal data patterns in addition to an SD Incident Response Team. Should SD’s system flag a critical breach, it automatically blocks the data transmission and the flight department will be called to take care of the device in question.
“Five years ago, we spotted the vulnerability of high-speed data systems but the industry was not really aware of their security weakness. Hackers, after all, don’t understand that it is a corporate jet, they just see an IP address,” says Wheeler, who explains that SD conducted a study before launching the service after being shocked to find highly valuable corporate data could be so easily accessed. “The more data you use,” he says, “the more vulnerable you are, and the most secure aircraft is the one that stays on the ground, offline. Altitude does not make you safe because if you can get on to the internet, cyber attackers can get to you.”
The core SD cyber service is a series of firewalls and sophisticated tools, combined with human cyber expertise, to monitor data streams. SD also plans to launch in the third quarter of this year a service called Advanced Encryption, which is purpose-built for business aviation to further strengthen data security, offering a protective defense layer that essentially cloaks the entire aircraft network without compromising speed or performance. Using proprietary technology, it optimizes a secure accelerated tunnel through which encrypted anonymized data passes from the aircraft to the ground network and back, dispensing with the need for VPN on personal digital devices.
SD’s offering essentially centres on stackable, tailored services on a turnkey availability basis, and this has been driven by charter outfits that do not have a big corporate backbone but who wish to ensure secure and completely anonymous communications for their customers. That’s not surprising since the industry is witnessing an explosion in ransomware attacks which have bypassed security protocols, with a lot more breaches via mobile phones rather than laptops.
Solutions: Scanning for Visibility
Todd Carroll is chief information security officer with Paris, France-based CybelAngel, which has developed a digital risk protection platform that constantly scans for keywords on behalf of its clients using machine learning techniques.
CybelAngel’s platform has the ability to process data gleaned from billions of documents readily accessible on the internet. Carroll recounts how one of its aerospace engineering manufacturing clients was developing a brand-new turboprop engine and was using a Taiwanese manufacturer to make the mounting components to attach the engine on to the wing, which meant it had to send detailed drawings over the internet.
As part of a routine security protocol requested by the business, CybelAngel’s scanning technology revealed how the engine manufacturer’s confidential designs were wide open to public scrutiny. Carroll says he has been amazed at the things his business has also exposed as vulnerable in the areas of airport security, such as details of air marshal identity and assigned flights, security badge design templates that could be easily duplicated by bad actors and critical infrastructure plans showing aviation fuel supply routes.
CyberInflight’s Rizzo says that not only have companies become better at detection since 2019 but also the information sharing landscape has evolved positively, with information sharing not only increasingly accepted but also seen as an important means of improving resilience among aerospace stakeholders.
He cites the increasing participation of more and more stakeholders in information sharing communities such as the Aviation ISAC, the Space ISAC and Boost Aerospace in Europe. A series of events has also shown an increasing interest from the aviation industry for onboard cyber security. In August 2019, the DEFCON conference held its first Aviation Village event which gathers aviation and security experts, government agencies and industry leaders. Here the US Air Force (USAF) allowed a small team of pre-selected security researchers to perform tests on the data transfer system of an F-15 military jet and was sufficiently convinced by the results to renew its presence with a different challenge every year.
For the 2020 event, the USAF and the Department of Defense gathered more than 1,300 researchers and hackers and set them the task of penetrating an actual satellite orbiting around earth. The popularity of this collaborative approach seems to be spreading with the link between cyber security researchers and the industry becoming stronger through the use of more vulnerability disclosure programs such as those launched by Boeing and Thales. “It is now easier for cyber security researchers to find this process on the internet; clear guidelines are given to researchers with a step-by-step process to follow and with a dedicated email address,” says Rizzo.
Various international institutions and associations, such as the AIA, the Aerospace Industry Association, are also working to increase awareness of the regulations and standards of aviation systems. The AIA’s published industry assessment and recommendations on establishing cyber security regulations and standards for avionic systems recommends that the next revision of ARINC 628 incorporates security appropriately, in particular for IFE interface systems.
In July 2020, EASA, which ensures safety and security in civil aviation in Europe, also amended its rules on product certification to mitigate the potential effects of cyber security threats and to reflect the state of the art in protecting products and equipment against them.
Independent cyber security consultant Rob Hill is a passionate evangelist for aviation cyber security. He salutes these first invitations from the primes to the research community to collaborate. “All the many teams of engineers that work on cyber security are highly competent but they just do not share, they need to be telling everyone where the weakest point could be,” he says. “The risk level is higher in aviation simply because no one talks about cyber security and there are no open conversations as a result. When do we change…when the pain of not changing exceeds the pain of doing anything?”
Hill says the single most important action by the industry should be to get the word out that avionics need to be monitored and protected from possible intrusion. “Most aircraft operators and owners are not monitoring systems now because there has been no ability to monitor avionics or cabin WIFI on board the aircraft,” he says, “but that issue has been resolved and now the equipment and services to proactively monitor and thwart attacks on avionics and cabin WIFI are readily available.”
He believes the greatest concern, and one that is frequently overlooked, is the role of the honest mistake by an employee or vendor, and when it is a matter of business jet clientele that simple mistake can cost big time. “Around 86 per cent of attacks that occur are financially motivated and let’s face it, a business jet is the biggest billboard going and you only have to give me five minutes and I’ll work out who is using the aircraft.”
For Hill the perfect safety net is having an onboard firewall which does two things: it monitors the cabin wifi and it monitors the 429 Bus, the avionics data feed. “That’s got to be the gold standard,” he says. He does not, however, discount that there are bad actors working within aviation in charge of avionics upgrades who have all the certifications and authorizations to access aircraft avionics systems, although he judges the chances of any attack being perpetrated remotely to be slim. “It is the employee mistakenly uploading or opening a file that can bridge the aircraft’s avionics which is very real,” he says.
Hill touts another alarming statistic, the fact that it takes between six and 18 months before a breach is noticed, and points to businesses in the IT and pharma industries as best practitioners, as they truly understand what they need to protect in terms of data assets. “It is the mid-size business jet operator with small IT teams which are the most vulnerable,” Hill says, adding that he has seen flight departments of up to 100 people which are still far from perfect in terms of cyber security protocols.
“The worst thing for business jet cyber security is the surprise visitor into the cabin – often a celebrity’s friends and even children of the aircraft owner. Let’s face it, there is a lot of bad stuff on children’s gaming sites. They’re often not all that they seem and hackers will target children to get malware into the system. Invariably, the point of entry is human.”
He suspects that across many Fortune 500 businesses, there is a culture of acceptance as some of the weaknesses that cyber attacks lay bare are just too expensive to fix and it is cheaper to pay the ransom.
Data sharing concerns
Strengthening security measures does come with challenges, and in many cases requires increasing cooperation between various organizational departments. For example, while the data itself may be used by the flight operations or maintenance engineering departments, securing the data may be the responsibility of the IT/infrastructure departments. Use of PKI also comes with the additional overhead of digital certificate management although here, Teledyne Controls says it provides support for its products to customers who wish to enable the connectivity of their fleets while operating them securely.
Another challenge worth mentioning is data ownership. OEMs want data from the airlines, but airlines as the data owners may only want to share with them the relevant data. Teledyne’s Data Delivery Solution (DDS) addresses this issue by providing the means for airlines to control what data can be distributed to OEMs for prognostics, maintenance, health management, etc. As a fully managed cloud-based service, DDS quickly establishes automatic flows of airline-owned full series data directly from the aircraft into the OEMs’ data platforms. The airlines retain full control over the sharing of their data by selecting which data parameter lists they agree to share with which data consumer.
Another challenge that the industry faces is patch management. Vulnerabilities are being discovered at an ever-increasing rate. However, hardware and software installed on aircraft must go through a certification process and cannot easily be updated in an expedient manner in the same way that ground-based systems can be. As Rob Hill points out, a comprehensive penetration test to ascertain whether systems are sufficiently robust could even render the warranties and certification of some aircraft systems void. There is increasing acknowledgement that airlines, OEMs, and suppliers now need to work with regulators (FAA, EASA, etc.) in order to establish requirements and guidelines for ensuring the continued security of connected aircraft.
For Bonneau, this issue of baked-in compliance is important, as the weakest links can often be found within the older venerable names in the aviation manufacturing and operational landscape, whose legacy systems are frequently just not equipped to deal with the infuriating litheness of today’s cyber threat environment. “It’s not really about the technology, it’s about compliance. The thing you need to ask yourself is,” Bonneau says, “have you driven your security approach to the end point in all the layers yourself and have you incentivized your supply chain to do the same?”
Once this process is complete, a business then needs to examine its resilience. Here, it is not a question of when, but a question of how, Bonneau says: “Ask yourself, what do I have in place to contain an attack and how quickly can I re-establish the business?”
All this requires continuous security assessment. There also has to be a frank acknowledgement that a business will never be 100 per cent protected and for Bonneau, it’s all about layers, about being prepared and ready at all levels with that layering of maturity applying equally to your sub-contractors. It’s a case of “we learn, we assess our status, we understand the gaps and we work towards a future goal – and this is a continuous process.”
CybelAngel’s Todd Carroll echoes this, recommending that businesses ensure that vendor and supplier contracts are watertight. “It has to be a case of continuous and layered monitoring. You need to know where your critical data could be potentially exposed leaving your business vulnerable. Essentially, you need to be proactive here or else someone will steal your R&D. Ask yourself, who are your cyber security suppliers? Are they the ones you have had for decades and you must ask yourself, are they still up to the job? You need to put resources into this, conduct an RFP on today’s requirement, and really ask yourself, do your existing suppliers meet the challenge?”