Can an aircraft be hacked? The answer would appear to be yes. It emerged last year that, in 2016, US Department of Homeland Security cyber experts had hacked into the avionics of a Boeing 757 obtained by the agency for testing.

The incident, widely reported in the technology press, happened on the ground, not in flight; it is notable that this breach was realised not in a laboratory but out on a runway, using the rather ordinary means of radio frequency communications. Also widely reported was that the weaknesses exploited were known about, or at least suspected, for years.

To talk to cybersecurity experts is to rapidly conclude that other, and newer, aircraft types should also be considered vulnerable. For one truism of cybersecurity is that no system, if connected to the internet, is truly secure. And, even if a system does not appear to be connected to the internet, or is designed with "airgaps" to insulate it from external connections, it probably is accessible via the internet. Moreover, the aviation industry is, like every other one, becoming increasingly reliant on digital technology – and hence becoming more connected.

Pete Cooper is a former UK Royal Air Force Tornado pilot and instructor who went on to advise the Ministry of Defence and international organisations on cyber operations and security and, earlier this year, wrote a report for the Atlantic Council think tank. He is clear that digitalisation is providing great benefits to aviation: efficiency, passenger satisfaction and better information to managers and pilots. But speaking to FlightGlobal, he observed that digitalisation is also creating "exponential" growth in the number of weak points – cyber experts call them "attack surfaces" – and the aviation industry, he says, does not really have an answer to the question of what to do about them. Attack surfaces are appearing throughout the supply chain, in air traffic control systems and even in jet engines, which often carry geo-enabled SIM cards.

In aviation, he says, there is a lot of talk about digital innovation but very little talk about cybersecurity. Among those who are discussing the subject, there is growing alarm at what they perceive to be an absence of urgency in the broader aviation business. Asked what it will take to push the industry to act, one industry figure close to security on a discussion panel led by Cooper put it thus: "It’s going to take the factory over the road burning down before they buy a sprinkler system."

But the fire analogy goes only so far, because no amount of protection of one’s own “factory” is sufficient in a connected world. The Atlantic Council report was underwritten by Thales, best known in aviation for its leading presence in air traffic control and in-flight entertainment and connectivity (IFEC) systems. Alan Pellegrini, who heads the French electronics group's North America operations, says research and Thales's work with aerospace majors points to it being "very, very unlikely" that attackers could hack into a flight control system and crash an aircraft: "I firmly believe that."

However, Pellegrini sees the aviation industry as in a difficult position over cyber protection. Airlines, manufacturers and organisations like IATA or ICAO are aware that cyber attacks happen, but at the same time are increasingly vulnerable, owing to digitalisation. Concrete action, he observes, is difficult because aviation and aerospace are very fragmented industries, with many connected actors and computer systems. It is not, he says, like a single company that might decide to take action to protect its own IT system.

That interconnectedness, he says, has each organisation relying on others – including Thales – to make their systems secure. But without a systematic, industry-wide concept of security each link in this chain is vulnerable. Thales, he says, would like to see a "collective approach", driven by one of the big industry organisations.

ICAO has not been ignoring the cyber threat. A working paper published in 2016 calls for "states and industry stakeholders" to identify threats, define responsibilities of national agencies, "encourage the development of a common understanding…of cyber threats and risks", share information and, among other things, "collaborate in the development of ICAO’s cybersecurity framework". That paper references 2013 resolutions, which, subject to resources, should be undertaken in 2017-2019. Cooper reckons that is too slow.


Meanwhile, a Thales document echoes Cooper in underscoring that, for all its benefits to operational performance, digitalisation is also giving aircraft "more appeal to attackers". The "rising interconnection between aircraft, service and data providers", it says, is causing "an expansion in threat vectors and has opened up the aircraft itself as a potential future attack surface".

Asked to identify attack surfaces, Pellegrini responds immediately with aircraft cabins. In-flight entertainment systems, he says, were not historically networked or connected – but today they are (hence the more recent term, IFEC). Those in-cabin systems increasingly handle financial transactions and passengers' personal data, and so represent an attractive target for hackers.

But while the IFEC system might be a highly improbably route for a hacker to reach the flight control system, improbable is not the same as impossible. The cabin as an attack surface is the focus of much work by two UK companies.

To grossly oversimplify, an aircraft cabin IFEC system works much like home wi-fi, with a router distributing data to and from mobile devices. Owing to their shape and the number of connected devices, aircraft have several routers along their length, often supplied by VT Miltope. And those routers can run software by RazorSecure, which uses machine learning algorithms to identify unusual activity; is the passenger in seat 28C streaming a movie or attempting to interrogate the operating system?

RazorSecure chief technology officer Lewis Oaten and VT Miltope business development director Markus Gilges describe this monitoring approach as a critical "active" step beyond "passive" security measures, such as firewalls and passwords. They cite work by Lockheed Martin, which has developed a concept called the "cyber kill chain", which recognises that most of the activity associated with a cyber attack happens inside the password-firewall barrier, and notes that the average time between a security breech and its discovery is 180 days – or six months.

The crux of the problem, says Oaten, is that there is no such thing as total security. "Security is a delaying mechanism," he points out. Most locks, he observes, are pickable – but they are useful devices and widely used, because delay allows time for response. Cybersecurity should be seen in a similar light.

Oaten cites as an example another widely covered hack, of a Jeep Cherokee automobile in 2015. This was a controlled demonstration that severely rattled a Wired reporter riding in the vehicle while remote hackers took control of the throttle and brakes. Significantly, the hackers started with the passenger-facing systems and "picked locks" until they had access to the controls.

There is, says Oaten, no complete separation of IFEC from flight control. A successful attack on an aircraft's control system via the IFEC would, he is certain, involve attackers taking many flights to reconnoitre the system and probe weaknesses. Meanwhile, a system like RazorSecure would in principle be alerted to abnormal activity.

The important point is that by setting the bar high enough, a security system will thwart an attack by diverting attackers' attention to an easier target – not unlike domestic security; burglars are typically deterred by a locked door because they know some neighbour is likely to have left a window open.

Another weak point is in the cockpit, which Pellegrini notes is more and more networked. Tablet computers used as electronic flightbags, he says, are "an area of increasing concern". These are connected in real time, for example for weather updates, and so are points of vulnerability. Electronic flightbags are also used to calculate flight plans, says Cooper and an attack that fed in false data could be disastrous.

Communications generally is a danger zone. Thales understands air traffic control intimately, and Pelligrini sees hazards in the shift – again driving by increasing digitalisation – from air traffic controllers talking over the radio to pilots to cockpits receiving data directly from air traffic control computers.

A related concern is navigation; ground-based radar is increasingly being supplemented – or, over oceans, supplanted – by automatic dependent surveillance – broadcast. ADS-B relies on navigation satellite signals to tell each aircraft where it is and where other aircraft are, and informs air traffic control. That is, aircraft are effectively nodes in an automated network. US GPS and European Galileo signals are reasonably secure but receivers can be spoofed; indeed, RazorSecure offers a GPS anti-spoofing function as an add-on.

Even the aircraft component supply chain offers attack surfaces. Cooper's report includes the conclusion that the benefits of 3D printing – reduced component weight, less material waste in manufacturing and cost-efficient just-in-time on-site production of spare parts – comes with a cybersecurity caveat. If hacked, the software that directs a 3D printer to make a particular part could be perverted to produce a part "designed" to fail under load. And, he says, it's entirely possible that nobody would know of the attack until there was a crash.


But while hacking into the flight control system or air traffic control – remember Bruce Willis and the movie Die Hard? – and crashing an aircraft might be the "gold standard" cyber attack, there are easier ways to cause disruption that go far beyond that caused by the theft of passwords or credit card numbers.

Looking back inside the cabin, Gilges and Oaten flag up the disturbing prospect of an IFEC system hack that plays games with the moving map. Those maps, notes Gilges, may not offer access – at least, easily – to the flight control system, but they get their information from that system. If a hacker were to change the images or substitute a message – political or threatening – what would be the impact on passengers' confidence in their safety?

And, if passenger confidence were undermined, what would be the effect on the airline industry? Oaten warns that these attacks do happen. RazorSecure also has clients in rail, which run similar IFEC systems to airlines. One client, he says, was experiencing periodic gaps in passenger wi-fi, and when RazorSecure installed software to monitor the system it discovered that these dropouts were not technical glitches but, in fact, denial-of-service attacks.

A high-profile example of an incident that should have the airline industry worried was the May 2017 WannaCry ransomware attack that hit computer systems globally. One victim that suffered severe disruption was the German railway network, Deutsche Bahn; passengers were faced with station message boards that gave details not of train times and platforms but demands for payment to restore service.

Cooper is in no doubt that aviation needs to take very seriously its vulnerability to such attacks. Air transport, he says, "is a massive trust industry". Like other industries, aviation has gone digital without considering cyber security – and now faces the prospect of having to add in security features that should have been built in from day one.

Two critical changes are needed if aviation is to maintain that trust in the face of a cyberattack. One is a change of mindset. In his research, Cooper says he is repeatedly confronted by industry leaders who say, in effect, that their operations are secure so passengers can travel in confidence.

But that “is a very, very big statement” which leaves no room to respond to the disaster of trust that would follow an attack. Consider, he says, the response to 9/11. Increased security at airports and secure doors on cockpits were a visible signal that safety concerns were being addressed. No similar measures are available to respond to a cyber attack.

A second shift is for the industry to recognise that it cannot be truly, totally secure but it can be resilient. Resilience includes measures to protect timely and confident decision-making by appropriate human actors. This, again, is a question of trust. Pilots, for example, must be able to trust the flight-critical information they receive in the cockpit.

The mistake is to follow the typical approach to security concerns, which is to focus on technology; this method may tighten security but ignores resilience, which is about being ready to respond to a problem. Instead, says Cooper: “Focus on trust.”

Source: Flight International