The increasingly complex—and networked—nature of international civil aviation appears vulnerable to new dangers at a time when the industry’s successful reemergence from the coronavirus pandemic ranks as its top priority.
Ever since 2017, the caseload involving cyber-attacks on airlines has evolved rapidly. Cathay Pacific, British Airways, Bangkok Airways, Air Canada, Singapore Airlines, and EasyJet have all fallen victim to highly costly and widely reported data breaches.
In recent years, the aviation industry has had to deal with a new breed of threats, which could center on penetration of the aircraft’s avionics using networks associated, for example, with communications or in-flight entertainment (IFE) systems. Benign hackers have documented many cases.
At the Future Aviation Forum in Riyadh on May 10, Professor Khaled Alghathbar, advisor to the governor of Saudi Arabia’s National Cybersecurity Authority, told a panel on aviation security and safety that the industry faced an increasing risk of cyberattacks and disruption.
“In the past few years, we have seen cybersecurity attacks on multiple fronts, mostly focusing on data breaches,” he said. “However, we have already started seeing threats further up the value chain, attacking the supply chain and broader ecosystems. It is a matter of time before that could go further into safety and availability to cause devastating disruption. All I can say is it is not a question of if, but when.”
AIN contacted representatives of three U.S.-based and four major international airlines on avionics security but did not receive a single acknowledgment of its interest in reporting on the topic.
Tom Evans, a barrister at law firm DAC Beachcroft in London, said that in contrast to data breaches, new risk levels existed when it came to operational technology for airlines at aerodromes or air traffic control centers. “It’s not so easy to see the commerciality of that threat, whereas it is quite straightforward for a threat actor to hack into someone’s system, encrypt and exfiltrate their data, and then say: ‘Unless you pay me a ransom, I’m going to publicize all your data on the dark web,’” he said.
“If you are talking about hacking a networked piece of operational technology for the purpose of threatening physical damage, you are at a very different level of threat and risk to someone who’s just trying to steal something to make money. Inevitably, there’s far more of a political element, I think, to any of that kind of behavior, and you are probably verging more into the territory of terrorism.”
He said dangers to aircraft in flight were becoming an ever more realistic threat: “So much more of our technology, to make systems work, is networked, or connected in some way to the internet. That could be for fault diagnostics or safety monitoring, or because a third-party supplier monitors a particular piece of equipment for performance data. For all of those reasons, elements of operational technology are connected to a network that makes them inherently vulnerable.”
The doomsday scenario of someone hacking a network to remotely take control of an airplane or make it fall out of the sky or take control of a national air traffic control system appears some way off. At least outside of nation-state capabilities, such capacity has yet to become widespread, Evans believes.
“One of the few things that we can say with certainty, over the past 30 or 40 years of the internet age, is that changes in technology happen very rapidly,” he said. “They can be fundamental in nature to the way that we do things and live our lives and can be unpredictable for laypeople. How the threat manifests itself is very difficult to predict, and because of that, we have to take it seriously.”
Ultimately, whether an inherent vulnerability in a network system would allow a bad actor to manipulate the system in such a way that it could cause physical damage stands as a crucial question. “I don’t have an answer about that,” said Evans. “You’d need to talk to the developer of the software, or the cybersecurity resilience people, who patch that software for vulnerabilities.”
One prominent benign hacker contacted by AIN refused to discuss his research, citing his recent report. AIN understands that airlines, OEMs, and others willfully attempted to discredit his findings.
Neil Haskins, co-founder and CEO of Ronin, a UAE-based data security services provider, imagines a scenario where bad actors obtain complete control of an inflight passenger aircraft with 300-plus people on board. “Imagine I’m a motivated, skilled threat actor, and my target is someone traveling on an airplane,” he told AIN. “Anything that happens must be seen as an accident, otherwise there will be hell to pay. I need to carry out three activities. One, I need the passenger manifest to know when my target is traveling. Two, I need access to the flight systems. Three, I need a way to hide all the evidence.”
In addition to several well-publicized data breaches, Haskins said various security researchers had managed to gain access to flight systems, sometimes causing unfortunate incidents. “It doesn’t matter if this is the opening sequence for the next spy movie or if it really is something that has happened,” he said. “What matters is what the airlines are doing to take this seriously.”
He cites a legacy case where hackers targeted a moving car, something the manufacturer had said couldn’t happen. “Fast forward a few years, and hackers from the same company use their research to gain access to IFE systems and find out that they aren’t quite as segregated from avionics as everyone thinks,” he said. “We don’t take a huge amount of pleasure when we find out how thin the line is for aircraft safety. Our goal is to highlight areas of risk and drive manufacturers to mitigate issues. I don’t expect the airlines to have security researchers of the caliber we do, but they do have the budgets to retain organizations like ours to carry out this work.”
He said a very real problem existed with the convergence of IT and operational technology platforms and the desire to enrich information to give passengers more insight and allow engineers on the ground to monitor a flight. “We have opened a remote entry point, to gain access to something that was once pretty locked down,” said Haskins. “The danger here is a cyberattack that causes a kinetic outcome. These things have already happened elsewhere, and lives have unfortunately already been lost due to these types of events.”
Haskins believes that if the traveling public starts selecting airlines based on their adoption of security and safety measures, more airlines would consider this a priority.
Rashad Karaky, an aviation cybersecurity officer at the International Civil Aviation Organization (ICAO), said recent developments in technology in the realms of safety, security, air navigation, and facilitation among national authorities and agencies, airlines, air navigation service providers, and ground handlers meant that civil aviation had become a “system of systems.”
“This exposed the sector to cybersecurity threats in which a successful cyber-attack might have negative impacts on financials, reputations, continuity of services, and even on the safety and security of people and assets,” he said. “Lately, the Covid-19 pandemic was also a catalyst for cyber threats in general, including on civil aviation. It entailed a change in technologies and processes that led to the increase of the cyber-attack surface.”
Aviation needs to analyze and address many cyber threat scenarios, making ICAO the ideal forum for that process, he said. “ICAO is more concerned about cyber threats that would have potential impacts on aviation safety, security, or continuity,” explained Karaky. “Such threats are not limited by national borders, as addressing them requires a global framework that is harmonized, consistent, holistic across aviation stakeholders and domains, and in line with global air transport priorities.”
In 2020, Michael Vanguardia, associate technical fellow for product cybersecurity at Boeing, gave a presentation called Operation Reverse Thrust—Boeing’s strategy for security researcher engagement. In it, he hinted that Boeing would like to improve dialogue with benign hackers.
He referred to a changing industry dynamic, with OEMs such as Airbus, Boeing, and suppliers like GE, Collins, and Honeywell coming together to work with researchers and regulators.
“In some cases, I think it’s going to lead to a more secure industry,” he said. “These technology threats are rapidly evolving. We have got to do something and we have got to stay ahead of the game. The message is we need to proactively collaborate with industry and the researchers, and this will likely lead to reduced cyber risk within our space. It is much easier to solve a problem when we’re working together than when we’re combative. I hope we can bring some more of you within this space to work with us on this journey.”
Despite the conciliatory note sounded by Vanguardia, Boeing declined to direct AIN’s request for comment on the topic to the appropriate officials on the eve of the Farnborough Airshow.