Many industries have encouraged independent security researchers’ efforts to help make their systems cyber secure - but aviation has some catching up to do

Like most vehicles, including automobiles and spacecraft, the electronic “central nervous system” of a modern aircraft is a thing called the CAN bus; this Controller Area Network connects the control system and sensors to show pilots critical information such as altitude, airspeed, fuel level and oil pressure. In a digital aircraft – or indeed a car – this central connection replaces all the direct physical links between sensors and controls and the cockpit gauges visible to the pilot that characterised the architecture of earlier-generation machines with analogue instrumentation.

For obvious reasons of weight, mechanical complexity and performance, few pilots or engineers would return to the era of “steam” gauges. But there is one significant shortcoming to the modern layout: interconnected electronic avionics systems are hackable. That, anyway, is the conclusion reached by Patrick Kiley, the lead aviation researcher at Boston-headquartered cybersecurity specialist Rapid7. In a paper he published on the eve of the August 2019 DefCon cybersecurity convention in Las Vegas, Kiley explains how, “after performing a thorough investigation on two commercially available avionics systems, Rapid7 demonstrated that it was possible for a malicious individual to send false data to these systems”. That is, to deliver false information to the pilot.

The good news is that such spoofing would require physical access to the aircraft, either directly to the flightdeck or to an avionics panel or engine compartment. The bad news is that while the flightdeck is well “locked down”, other aircraft weak points can be reached with access to the airfield – not, says Kiley, such a high barrier.

And, he adds, where the automotive industry has put lots of effort into CAN bus security – the public is justifiably concerned, given that cars are just out on the street and easily accessible to malicious actors – aviation has tended to rely on the fact that “airplanes exist in a much more secure environment, which typically includes a lot of physical security controls… [which] may, paradoxically, be making them more vulnerable to cyberattack, not less”.

Kiley’s professional interest in aviation CAN buses dates from 2017, while building his own Burt Rutan-derived aircraft: “As both a pilot and a hacker, I figured we should probably take a look at aviation CAN bus implementations and see if they are on the same security path that automotive is,” he says. Some public relations professionals might have edited that Rapid7 blog post to read “as both a pilot and an independent security researcher”, but either way, the exercise highlighted an alarming security weak point in aviation; where the automotive industry has long engaged with hackers (or security researchers) to better understand and address its weaknesses, aerospace has stayed away from these people, who in any case have easy access to car parts but not to aviation systems.

Source: Underwood Archives/UIG/Shutterstock

Heavy, inflexible, hard to read - but impossible to hack

Weakness search

However, aviation is changing, and the DefCon gathering was a milestone event. The annual format sees representatives of many industries turn up and present visiting “hackers” with their systems and software, to let them probe for weaknesses and discuss their findings.

Last summer’s DefCon was the first to include an “aviation village”. Most big names in aerospace were absent, but the event was actively supported by the US Department of Homeland Security (DHS), the US Air Force, the Department of Defense’s Defense Digital Service and, essentially alone among its peers, Norwegian Airlines.

Pete Cooper is a former Royal Air Force Panavia Tornado pilot and instructor who has gone on to advise the UK Ministry of Defence and international organisations including ICAO on cyber operations and security. He has just published a follow-on to his landmark 2017 report on aviation cybersecurity for the Atlantic Council think tank – and helped set up the aviation village exercise at DefCon 2019, where the objective was to “build bridges” across a historically strained relationship between “good faith” researchers and the aviation community.

Those bridges, he says, are crucial because independent research means more eyes on a hugely complex system. That notion of more probing and testing being a good thing underscores one of Cooper’s key themes: there is no absolute security in a digitised, connected system, so aviation must strive to ensure that its systems are resilient. Ultimately, he says, working with “hackers” such as Rapid7 should help aviation reduce risk by turning unknown vulnerabilities into known vulnerabilities that can be addressed.

Having the DHS participate at DefCon was important, adds Cooper, because the department – like the European Union Aviation Safety Agency – has a formal reporting path for individuals or companies to disclose discovered vulnerabilities.

Security strategy

Gerard Duerrmeyer, Norwegian’s chief information security officer, echoes Cooper in calling for research and disclosure as a security strategy. His airline was alone at DefCon, reflecting an industry that struggles to reconcile security with openness. Las Vegas was successful, if only in setting the bar high for 2020.

In Duerrmeyer’s view, aviation must build a united front in cybersecurity, to learn from other industries that have established good practices in physical security, and to “mature” to handle disclosure and co-operate with hackers. And, he says, aviation needs to discuss cybersecurity with the public.

“I would start by saying I feel very confident [in flying],” he adds. But he believes the future could bring new concerns, so aviation must be as rigorous about cybersecurity as it is about physical security.

The complexity of that future challenge is illustrated by an example. Today, says Duerrmeyer, it is not possible to fly a commercial aircraft by remote control. But in future we might want someone on the ground to be able to land an aircraft safely in case of emergency.

So, what next? Aviation will feature at the 2020 DefCon, again in August in Las Vegas, and broader signs of a new era in industry-hacker co-operation are good. Another DefCon participant, Ken Munro, based in the UK with Pen Test Partners and also a pilot, says he was surprised to learn how much cyber work is done in house by the aviation industry, and was pleased to meet in-house cyber professionals. So, he hopes the industry will be seeing the hacker/researcher not as an enemy but as somebody to work with.

However, he stresses, the cost and rarity of aviation systems makes independent research extremely difficult – and all but impossible in defence systems – so the industry should, in its interest, work with them. “Hug a hacker,” says Munro.

Cooper’s latest Atlantic Council report drew on a global survey of aviation professionals and interviews to conclude that “despite ample challenges, there are some glimmers of hope”. Respondents, the report concludes, are clear that there is much more to be done about information sharing and there is “a clear desire for increased objectivity regarding aviation cybersecurity risk”, along with “strong agreement that good-faith researchers were a positive thing for the aviation industry” – though “perspectives on guidance, legal clarity, and ease of vulnerability disclosure all remain unclear or difficult to navigate”.

Discussing the findings with FlightGlobal, Cooper stresses that this idea of a “second view” on vulnerability from independent research is standard practice in safety engineering, so it feels natural to do the same in cybersecurity.

Uniform standard

Aviation, though, has several hurdles to clear if it is to create a robust cybersecurity culture. In the industry’s favour, ICAO is set in 2020 to publish a cyber strategy that should apply globally and will, says Cooper, eventually bring all regions up to a uniform standard of security: “We can lift all regions up rather than disappear down rabbit holes [of local practices].” Moreover, technology evolves faster than practices, so stable principles are needed to underpin good practice – and, says Cooper, this is exactly what the ICAO framework provides.

Enacting such a strategy, however, needs a change of mindset in most aerospace companies. As DefCon participants agree, dialogue is critical but not standard practice. And, adds Cooper, companies need to bring cyber policy into board-level management: boards of directors, he notes, tend to focus on financials but “it would be amazing” to have board members hold their companies to account on cyber. What is at stake, says Cooper, is confidence in the company – for example, in its handling of passengers’ personal data.

Changing mindset is one thing – but Cooper also sees aviation companies struggling to find qualified people to fill cyber-focused roles. Aircraft operations are different, he says, from normal enterprise IT security, and today cybersecurity tends to be viewed through an enterprise prism. So, most aviation companies are going to have to find an operations expert with the passion about cybersecurity to go through an “upskilling” process. Cast the net wide, he suggests – some of those people might be independent researchers – and remember that the resilience in security should help a company be more flexible generally, which can only be of benefit.

Whether or not those independent researchers – hackers, if you like – end up joining the company, aviation should at least try to embrace them. One of Kiley’s Rapid7 colleagues, Jen Ellis, points out that the company knew of the CAN bus weakness 18 months before publishing its paper last summer. In another exercise, it showed a vulnerability in an insulin pump and worked closely with the vendor to send a message to medical professionals and patients. As a consultancy, she says, the goal is to “build confidence” – not spread fear.