In August 2013, the American Institute of Aeronautics and Astronautics (AIAA), the professional society for the field of aerospace engineering, convened a civil aviation conference in which cybersecurity was discussed at an industry level. Upon completion of the conference, which was attended by foreign carriers, A Framework for Cybersecurity Aviation was published. It provided a strategic path forward by identifying key focal areas such as common cybersecurity aviation standards, developing and implementing a cybersecurity culture, understanding cyber risks and being able to communicate them to bolster situational awareness, and strengthening the defensive system. Since that time, several international conferences discussing aviation cybersecurity have been held.
Given the global nature of civil aviation, the framework is an important document addressing many of the concerns that impact the international civil aviation community.
But what has been done since then to improve the cybersecurity of civil aviation? Since the framework was produced, some notable incidents have occurred:
- At a 2017 conference, the Department of Homeland Security (DHS) claimed to have successfully conducted a “remote, non-cooperative, penetration” of a Boeing 757 in September 2016, a claim that Boeing has since refuted.
- In 2016, the Director of the European Aviation Safety Agency (EASA) revealed that aviation systems were subject to an average of 1,000 attacks each month.
- Also in 2016, Ukraine’s airport was victimized by malware suspected of coming from Russian attackers. Similarly, in June 2017, other malware caused flight delays and impacted flight schedules.
- In 2015, a researcher was kicked off a United Airlines flight after tweeting about security vulnerabilities in its systems; he claimed to have previously taken control of an airplane and caused it to briefly fly sideways. He also claimed to have accessed in-flight networks about 15 times during various flights but only explored the networks and observed data traffic crossing them.
As aircraft become increasingly connected, more potential entry points are available for enterprising and innovative threat actors seeking to exploit weaknesses inherent in an environment that spans aircraft design, supply chain issues, aircraft production, and airport security. Since it was announced that most civilian aircraft would be adopting the Automatic Dependent Surveillance Broadcast (ADS-B) system as part of the U.S.’s Next Generation and Europe’s SESAR project, concern has mounted over the security of these systems since they were unencrypted and susceptible to attack. It is disconcerting that, instead of requiring that the security of such a critical aircraft technology be bolstered, guidance by Europe’s International Civil Aviation Organization (ICAO) has cited “considerable alarmist publicity regarding ADS-B security.”
Granted, fixing problems in cybersecurity aviation can be an expensive endeavor. According to one source, the cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. The same source indicates that if a cyber vulnerability were identified in a particular aircraft on which an airline depended for its fleet, it could potentially bankrupt the airline. Nevertheless, such a reality necessitates that technologies be developed with security in mind prior to their production, rather than hoping they won’t be exploited or trying to fix them after their exploitation has already occurred.
There has been some promising headway in addressing aviation’s cybersecurity problem. In the United States, two senators reintroduced legislation that would require the disclosure of information relating to cyberattacks on aircraft systems and on maintenance and ground support systems for aircraft. The bill would require the Transportation Department to collaborate with DHS, the Federal Communications Commission, and the Director of National Intelligence to incorporate cybersecurity aviation requirements into the requirements for obtaining an air carrier operating certificate or a production certificate. Similarly, Europe’s Network and Information Security Directive is set to be implemented in March 2018. The Directive focuses on organization, protection, security monitoring, and response and recovery, and is to be applied across critical infrastructures, including the aviation sector.
To be sure, these are positive developments. However, these efforts appear to be occurring in parallel rather than being developed collaboratively. This bears noting because civilian aviation is not limited to domestic flights but includes international flights as well. As such, it does not matter if an aircraft is secure in its own home environment if it must travel to a destination that may have lesser security standards in place. The civilian aviation ecosystem is too expansive to secure holistically, thereby requiring a risk management approach. While such an approach would likely be implemented differently depending on the individual organization (e.g., airports), the policies driving security considerations can be standardized among international stakeholders. And that requires getting governments and airline organizations on the same page as they set and implement cybersecurity aviation strategies. That is a challenge that remains to be met.
This is a guest post written by Emilio Iasiello.