In 2015, cybersecurity consultant Chris Roberts claimed to have hacked an airliner while riding it, drawing the immediate attention of federal authorities while underscoring the need for comprehensive cybersecurity for airliners that even now are becoming more rather than less connected.
Lost in the rush to update legacy aircraft with state-of-the-art avionics and electronic cabin amenities like wireless internet was a focus on securing those systems against intrusion by bad actors.
“Airplanes were never designed to be connected, whatsoever, to the internet,” said Panasonic Avionics Information Security Officer Michael Dierickx. “What we did was make a giant [internet of things] device.”
It is important for passengers to feel safe when they fly, and they are, but safety and security are not the same thing, Dierickx said. Passengers should know the difference and airlines should focus on both, he said.
“It comes to end user training,” Dierickx said. “What the passenger really needs to be aware of is while the airline is offering you a better user experience, there is no difference between that wireless onboard an aircraft and going to a Starbucks. Wireless technology is wireless technology. Passengers will always confuse security with safety. If somebody hacks another passenger on an aircraft, someone thinks that means they can take over a flight-control system — and that’s absolutely false.”
Roberts is less confident in system segregation as a safety mechanism and believes flight-critical systems are still at risk of intrusion, interference or disruption. The U.S. Department of Homeland Security has recognized those vulnerabilities and is working to prevent future hacking, he said.
“My concern is still valid,” he said. “There is too much of an attitude that we have segmented it. We have the perception of an air gap, so we should be fine. Nobody has hacked us yet, so why would they now? A lot of industries are realizing it is not the way to go.”
Traditional technology companies deal with a very different regulatory landscape than the one imposed on airlines by the FAA, EASA and other civil aviation regulatory and standards bodies. Aviation companies are forced to merge fast-paced, constantly updating software with hardware that deals in decades-long lifecycles, all while keeping airplanes connected and secure.
If the friction between hardware and software is poorly managed, the consequences are drastic: a relatively minor incident of a hacker exploiting vulnerabilities can cost a company millions. When you’re dealing with planes carrying passengers, serious issues are life-and-death.
Neil Adams, director of national defense at nonprofit defense research-and-development lab Draper, said interception of transmitted data is the most visible cybersecurity threat and therefore receives the most attention.
Ensuring software and upgrades to existing systems are free of bugs or defects also is important. That task is made more difficult when companies employ commercial off-the-shelf (COTS) products and customize them for their use, a fast and easy way to keep up with technology advancements at low cost, Dierickx said.
If a company is using heavily modified COTS products, the latest firmware update might not be compatible, and there is a long lag time before that can be addressed. Multiply that by lots of products all potentially receiving frequent updates and add in regulatory delays, and the risk of vulnerabilities increases.
It is difficult to maintain information and software assurance without securing and monitoring the supply chain, especially when dealing with suppliers in countries known for counterfeit products like China, he said.
Finally, anti-tampering measures should be taken to ensure components are resistant to reverse engineering, signal processing and algorithm abuse, Adams said.
While information assurance gets by far the most attention, anti-tampering can be a real concern, particularly for older components that are fundamentally insecure. But the two bigger areas of concern, according to Adams, are supply chain integrity and software assurance. They are the industry’s biggest weaknesses, but neither gets the attention required, Adams said.
Information assurance gets so much attention because it is a relatable problem. The fact that the data is being generated and transmitted is one of the major reasons cybersecurity is such a pressing issue. However, simply trying to intercept and decrypt pieces of secure data is not one of the more reliably effective methods of accessing that data. Valuable data will usually be secured, and a better payoff for hackers will come from abusing component vulnerabilities to gain access to systems, from which point they can continually harvest data or wreak havoc.
Data security doesn’t change dramatically between the terrestrial and airborne spheres. Some of the biggest problems the aviation industry encounters in the other stovepipes come about because the traditional cybersecurity practices that would be used in terrestrial instances no longer apply in the same way, according to Panasonic’s Dierickx.