The aviation industry is renowned for its intense focus on safe working practices and is frequently held up as an example to be emulated. But in an increasingly digitised world, there are new challenges to overcome
“Statistically speaking, flying as a passenger on a commercial flight is one of the safest ways to travel,” says Nigel Stanley, chief technology officer at Cologne-headquartered technical services company TUV Rheinland.
In 2017 there were no fatalities on passenger jet flights. According to the International Air Transport Association’s (IATA) Annual Review 2018, the likelihood of a fatal accident is one in every 6.7 million flights.
“That is a quite an achievement – especially for an industry facing tremendous growth in demand for commercial flights,” Stanley observes.
But although its safety standards are high, unfortunately (like every other industry), the aviation sector is facing cybersecurity challenges as it moves away from isolated, bespoke solutions, and becomes increasingly connected and digitally enabled.
Airports have become complex mini-cities that operate around the clock, 365 days a year. Accommodating thousands of passengers and hundreds of flight movements requires logistical perfection, as even a small delay can have significant international ramifications.
In December 2018, for instance, the apparent sighting of drones (unmanned aerial vehicles) near London’s Gatwick Airport triggered the diversion or cancelation of more than 1,000 flights during a single 36-hour period.
Stanley points out: “Innovations are being designed to offer advanced solutions for passenger and baggage check-in, document checking, flight rebooking, boarding and bag recovery. This is taking place alongside developments in smart, risk-based security solutions, designed to be as hassle-free as possible for passengers.
“All of these innovations come with an associated risk: for anything that becomes connected to the Internet, digitised, or automated, a new avenue of attack opens up for cybercriminals looking to cause havoc.”
Physical security has always been a high priority for airports, and it is clearly visible to any traveller. Yet ironically, the addition and interconnection of more systems, such as CCTV, building management, power, runway lighting and door controls, has increased the opportunity for digital incursions and disruption.
Some airports are evaluating the use of Remote Tower Services (RTS). Relying on very high-definition cameras and imaging equipment, coupled with additional radios and sensors, they replace the traditional control tower with one located many miles away.
According to Stanley: “From a business point of view, enabling air traffic controllers to conduct operations from a remote site offers potential savings, especially for less busy airports who may not need full-time staff.
“But, RTS also creates new challenges when it comes to ensuring that cybersecurity risk is well managed. Existing controls and measures, that may have adequately addressed localised risk, will need to be re-examined in the light of an RTS deployment.”
Stanley feels that cyber-attacks in sensitive locations like airports tend to be under-reported to the media, but they are happening, and some stories do emerge. For example, in 2016 cyber attackers managed to compromise Hanoi’s Noi Bai and Ho Chi Minh City’s Tan Son Nhat airports in Vietnam, where they hijacked flight information screens and sound systems.
“So, while innovation improves efficiency, we must ensure that the drive to modernise is matched by an equal effort to design security measures into new technology from the start,” he stresses.
Also in 2016, a team from the US government, industry and academia demonstrated that a commercial aircraft could be remotely hacked.
Although the aircraft used in the test was a legacy Boeing 757, such airframes make up around 90% of the current worldwide commercial fleet. More modern airliners, such as Boeing’s 787 and the Airbus A350, have been designed with security in mind, so similar attacks should be harder to execute.
But while these aircrafts may be significantly more secure, substantial security challenges need to remain at the forefront of manufacturers and airlines, and should remain a top concern during both in the design and maintenance phases.
Modern aircraft are already huge, technically advanced systems, and they are becoming even more complex, Stanley says. Innovations such as ‘fly-by-wire’, which embeds computers in the control chain, have reduced pilot workload and improved aircraft safety. Boeing’s current issues with the 737-MAX series have highlighted the problems this may create.
At the same time, passengers are now demanding internet connectivity and multi-channel entertainment systems that would have not been possible 20 years ago, further increasing the complexity of the technology on today’s airplanes.
To cope, onboard networks have moved away from serial-based, industrial type installations, and are now increasingly TCP/IP-based. They are normally segregated, so each handles one of three key areas:
Aircraft control systems that enable the aircraft to fly safely
Aircraft information systems for non-critical aircraft services
Passenger information and entertainment systems (PIESD)
Stanley considers: “For safety and security reasons, these networks should be designed to operate completely independently, so that accessing or transferring data between them is impossible. After all, why would the PIESD ever need to connect to the aircraft control network?
“Operationally speaking, the answer is never. However, from a practical perspective, if such interconnectivity were possible, a hacker, cyber-criminal or terrorist could conceivably exploit it as a potential attack route.”
While airport security routinely searches for physical weapons or explosives that could be used to attack an aircraft, authorities never check electronic devices for logical weapons. A bad actor with a fully loaded ‘hacking’ laptop has plenty of time to experiment on a long flight, Stanley suggests.
He goes on: “In theory if they were able to compromise the PIESD, the hacker could then move laterally to other systems. Or attempt to escalate their privileges, from humble passenger access to systems administrator, and wreak havoc.”
Proactive network monitoring during flights is possible, but it raises an important question. If a cyber event was detected at 36,000 feet, what action would or could the crew take?
The risks are not entirely theoretical, as Stanley notes. “In February 2019 it was discovered that the built-in USB charging/data-transfer interface in an entertainment system installed on a British Airways Boeing 777-36N(ER), and possibly other aircraft, also supported USB keyboards and mouse devices. This was demonstrated by using mouse copy-and-paste actions to trigger a chat buffer overflow or possibly have an unspecified other impact.
“As a result, any attacker onboard could conduct unanticipated attacks against entertainment applications. This was subsequently highlighted as a vulnerability in the Mitre Corporation’s common vulnerabilities and exposures (CVE) list.”
Aircraft management and health systems monitor complex processes that produce large amounts of data. This information may be stored for later retrieval by engineers conducting routine maintenance or break-fix repairs, or captured in real time by one of the airline’s business partners, such as engine manufacturers as part of an engine lease programme.
Such a mass of data could also be a liability, if not protected appropriately.
“Rolls-Royce recently announced that it would soon be receiving more than 70 trillion data points each year from its in-service fleet of commercial aircraft engines,” Stanley says.
“There is a good chance that, along with engineering telemetry, this mass of data could also contain indicators of compromise that could help avert a targeted cyber-attack. The problem is finding them, and then deciding what action to take – i.e. divert the aircraft or make an emergency landing?”
The risks extend far beyond the airframe. Aircraft design and production is dominated by complex international supply chains. As well as leaking intellectual property, these extended supply chains can act as a conduit into an aircraft manufacturer for a targeted cyber-attack.
Smaller and less cyber-savvy suppliers or third parties may not even have considered cybersecurity risk in their plants or services – an oversight which could result in a security incident further up the supply chain. Many major manufacturers are now aware of this problem and enforce cybersecurity rigour in their supply chain contracts.
Cyber threats to the industry
“Everyone in the aviation industry should now be at least peripherally aware of cybersecurity threats and dangers,” Stanley says. “Separating key systems with ‘air gaps’ is no longer enough to prevent attackers accessing a system.
“For this reason, cybersecurity risk must be a major part of business planning, resilience and risk register programmes. This must include training and awareness for all employees, at all stages of the supply chain, as well as airport staff, pilots and airplane crews.
“Only with a concerted effort from the industry as a whole will the aviation sector remain an example of safety and security, and continue to thrive in an ever-more connected world, both digitally and geographically,” Stanley concludes.