Not a day goes by without news of massive cyber attacks. Attackers have hoovered up valuable personal information on hundreds of millions, even billions of people. On-line communities, banks, credit bureaus, hotels, governments — and, yes, even airlines — have been hacked. Given years of escalating threats, what’s surprising is the unevenness of the aviation industry’s response.
Cyber threats emanate from entities like nation states, criminal organizations that may be funded by governments, and insiders. Successfully penetrating a company’s defenses is a lucrative business but wreaking havoc on governments and critical infrastructures is becoming an equally attractive sport.
People want to be connected all the time. But as soon as you connect to the Internet, “you’re going to have automated traffic pounding you,” says Kelli Wolfe, principal systems engineer with Collins Aerospace. She cites automated bots as an example.
The insider threat is perhaps the most difficult and insidious threat, she adds. Someone who has authorization to do a job is suddenly no longer on the same page with you.
Military aviation is an obvious target, but commercial aviation — with its huge traffic volumes and critical economic role — is in the cross-hairs, too. Even business aviation attracts hackers on account of its high-net-worth users.
Osprey Flight Solutions, a threat identification and risk assessment service whose database includes aviation incidents and events in 22 categories worldwide, tracked about 600 cyber incidents, or about two per day in 2017, says Matt Borie, Osprey’s head of analysis. Incident data – gathered from some 200,000 web sites – is entered into the database only after analysts have reviewed and multisource-verified the information, he says.
Nor are airports immune. The failure of flight information screens at the UK’s Bristol Airport in September was attributed to a ransomware attack, Osprey says. Russia’s Pulkovo facility experienced a “brief technical malfunction” affecting the airport navigation systems after email threats reportedly had been received, according to Osprey.
And London Heathrow was fined £120,000 after an employee lost a memory stick containing confidential information. If this incident had occurred after the General Data Protection Regulation (GDPR) went into effect in 2018, the fine probably would have been much higher, Borie says.
There are an estimated 300,000 professional hackers worldwide, costing the world economy more than half a trillion dollars a year and growing, estimates Oliver Wyman partner, Brian Prentice. Satcom Direct (SD), a business aviation connectivity provider, cites HP Enterprise to the effect that the mean time to resolution of a cyber attack is 46 days or almost $1 million.
Surveys by Frost & Sullivan (F&S) and Oliver Wyman suggest inconsistent levels of readiness. In a survey of 55 airlines globally in the summer of 2018 F&S found that 75 percent of them had assigned cyber responsibilities to the IT teams while only one in 10 had dedicated cyber security teams, says Diogenis Papiomytis, global program director for commercial aviation, aerospace, defense and security. At the same time, however, “almost seven out of 10 already had implemented or planned to establish a security operations center… .”
Oliver Wyman’s annual survey of some 100 airlines, MROs, and OEMs, asked about cyber security for the first time in 2018. While two-thirds of the respondents considered themselves well-prepared, only 47 percent had conducted a cyber security risk review in 2017.
Aviation consultant, Richard Brown, asserts that the issue of cyber security needs a higher profile. “I don’t think it is talked about enough and it needs to be better understood,” he says.
There is definitely a need for regulation in this area, Papiomytis says. “But it has to be a coordinated effort headed by the FAA and ICAO.” It also requires cooperation from entities such as the Department of Homeland Security, IATA, and foreign governments, he adds.
In March 2017 a bill known as the Cyber AIR Act was introduced in the U.S. Senate, “but this has not yet been put to a vote or passed,” he says. The bill would require “… the disclosure of information relating to cyberattacks on aircraft systems and maintenance and ground support systems … to identify and … address cybersecurity vulnerabilities” to commercial aviation.
The UK government by contrast has published an Aviation Cyber Security Strategy and is enforcing GDPR. “Look at what GDPR did in the EU,” Papiomytis says, “as corporations invest in securing customer data to avoid liabilities from data thefts.”
The supply chain is a major concern. While top airlines and OEMs are aware of the risks, some of the smaller players may be more vulnerable. Oliver Wyman asserts that the MRO industry — with its access to OEM and operator networks and its own global operations — makes it “a prime target.” The firm adds that “hackers may decide that access [to carriers and OEMs] through a vendor in the MRO supply chain may be easier to achieve than going directly at the targets.”
Security software provider Arxan Technologies also sees risk in the supply chain. Historically, cyber attacks start in one industry and as that target becomes hardened, the attackers move on “to the next easiest target,” says Rusty Carter, Arxan’s vice president of product management. So the aviation industry can expect to be more of a target “as other industries become less attractive for criminals” if it doesn’t beef up its defenses.
Arxan offers “white box cryptography” to protect application integrity. “We become part of the application, watching from within,” Carter says. Among other tools Arxan also employs “code obfuscation” to make an application harder to understand and reverse engineer.
MROs have reason to be concerned. China, for example, hopes to sell its new jetliner all over the world. Obtaining IP is one thing. But getting airlines to buy these planes will require China to show data such as engine maintenance timelines, Borie points out. “For them to be able to compete, they have to be able to show … life cycle cost [data].”
Boeing and the engine OEMs have that kind of data but it might be easier to get it from a different source, such as the MROs, he says. That’s why it’s important for MROs to understand not only their vulnerabilities but also their threats. If you underestimate your threats, then you’re likely to underestimate your risk, Borie says.
Everyone talks about the security of onboard entertainment systems and ACARS communications, Papiomytis says. “But I think that rogue employees are high up there — that is the crew and engineers that have access to aircraft systems and critical parts and could install malware to bypass defenses.” The MRO industry is of concern, he says, particularly third-party maintenance that is outside the control of airlines and OEMs. “It is absolutely necessary for airlines to establish a cyber security audit function that sits within Tech Ops, whose job will be to audit external facilities, before sending their aircraft for inspections.”
The airlines spent approximately $1.3 billion on cyber security in 2017,” Papiomytis says. “The issue that we see today is that the cyber security budget is tied to the IT budget and therefore is growing at the same pace as IT” — roughly 3-5 percent a year. For operators that set up separate cyber security departments, with their own budgets, F&S estimates that spending growth is closer to 10-15 percent per year. Overall, however, the market is still growing slowly “and this is a concern.” In 2019 F&S plans to publish a white paper on the total market for cyber security across the aviation supply chain.
Regs and Standards
Others emphasize the guidance that already exists. “There are plenty of new standards, regulations, and frameworks in this area,” says Kevin Larson, AAR’s CIO. “You don’t have to dig too deep to find inputs on controls and data security best practices and security awareness training.”
“The U.S. government suppliers are probably aware of the focus on NIST Special Publication 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The Defense Department is recommending compliance with the NIST Standard along with another Major Regulation known as DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting. It is expected these standards and regulations will flow down to subcontractors making sure all elements of the supply chain have a proper the cyber framework, incident reporting, and security in place,” Larson adds.
The NIST guidelines, he explains, outline a key framework with requirements across 14 different “control families” to ensure a comprehensive approach. These control groups include features such as risk management, patching, and access control.
The FAA also is working on updating its rules, Wolfe says, with RTCA’s DO-356A, DO326A, and DO-355 as a basis. Wolfe also mentions FAA advisory circular (AC) 119, which requires monitoring of LRU log files.
The aviation industry already has a strong safety culture. But it needs to develop an equally strong security culture. Safety and security are very similar yet very different, Wolfe says. Almost any security issue that might be discovered has already been thought about from a safety perspective.
With safety, however, there’s a lot of focus on numbers such as mean time between failure. But with security it’s basically a zero-sum game. “It’s zero until it’s 100 percent.”
Collins produces a line of security-based server/routers, including IMS for business and regional aircraft and FOMAX for air transport.
But is all of this enough? Cyber security is the ultimate line of defense against cyber terrorists that are looking to disrupt air transport systems,” F&S’s Papiomytis says. “Yet there is no mandatory industry-wide collaboration on cyber security — just industry bodies and suppliers that set up task forces to educate and perform audits whenever requested.”
Audits are a must, Papiomytis contends. All airlines that outsource maintenance to third parties, domestic or foreign, should first audit the cybersecurity defenses of those companies, he says. “They already run financial and quality audits of suppliers — arguably cyber security is as important, if not more so.”
Back to Basics
Keep IP off your devices when you travel and stay at a hotel, whatever country you’re in, Carter advises. Although the “sources of attacks have gravitated in recent times in certain geographies, … ultimately they are worldwide.”
Attacks always take the path of least resistance, he adds, so password management, as well as multifactor authentication, are really fundamental. And access lists should be reviewed every six months or at a minimum, every year, Wolfe says. AAR stresses the principle of “least privilege,” whereby access is limited, based on a job-related need to know.
If you rely on the cloud, you should add your own security to the provider’s for defense in depth, Wolfe says. Monitoring of networks 365×24 is also important.
Another reason MROs need to examine their security is the industry’s migration to mobile devices, creating new types of issues, Borie says. Companies need to look at technologies such as virtual private networks and at “disabling any Bluetooth or Wi-Fi connectivity to these devices when they are not in use. Or perhaps they need to block public Wi-Fi networks from their facilities.
Every organization in the aviation supply chain, including MROs, should have a cyber security team and run frequent audits of their operations, Papiomytis says. They should also have action plans ready for different cyber attack scenarios, beyond data theft. And it should not be the responsibility of the IT department, as cyber requires specialized skills. “Training is key.”
Large MROs like AAR emphasize training. AAR also uses the “if you see something, say something” concept, Larson says. Employees are asked to forward suspicious emails to a special address where they can be quarantined and analyzed. Unannounced spear phishing-like emails are also sent out by the security team, but if an employee clicks on the email link, a training session pops up.