A group of security, defense and aerospace experts are releasing a report today to highlight the threats that exist to aviation cybersecurity, underscoring the need for a clear vision to protect against those threats as technologies advance rapidly. Washington think-tank the Atlantic Council brought together airlines, airports, air traffic management specialists and other stakeholders to develop the report, Aviation Cybersecurity—Finding Lift, Minimizing Drag, which finds that preventive measures act as a deterrent, but “declarations of fully secure systems are unrealistic.”
Aviation systems in the past were relatively secure from cyber threats due to the “bespoke nature” of their design and their isolation from other systems, the report notes. “But air traffic management (ATM) is no longer isolated, and ground services and supply chains are becoming fully integrated into an interconnected digital world.”
The report points to vulnerabilities associated with emerging capabilities, ranging from additive manufacturing to unmanned systems, and warns that “their novelty may obscure the cybersecurity risks these technologies introduce.” A shift from legacy radar to GPS and ADS-B greatly improves accuracy and reliability under normal conditions, the report states, but it adds that those systems “...remain susceptible to degradation by environmental hazards or manipulations by hostile actors.”
Airports, which are susceptible to physical breach, are another area of concern, says the report, pointing to numerous other vulnerable areas, such as connectivity systems on aircraft, electronic flight bags and remote towers.
Concerning to the report’s authors is “the speed of innovation, technological advancement and adversary capabilities potentially outstripping policy and regulatory development in many areas of the aviation ecosystem.”
The report offers numerous recommendations for shaping a cybersecurity vision, with a need to focus on international collaboration on managing risks and developing resilient systems. Recommendations range from reinforcing standardization, developing a common understanding of cyber safety and developing robust threat models, to designing systems to capture relevant cybersecurity data and training for safety. Another recommendation it makes is to “incorporate cyber perspectives into accident and incident investigations.”
The aviation community needs to develop a cohesive vision for addressing cybersecurity as rapidly advancing technologies increasingly put aircraft and air traffic management systems at risk for cyber threats, a new report released last week in Washington, D.C. states.
The Washington think-tank Atlantic Council brought together airlines, airports, air traffic management specialists and other stakeholders to develop the report, Aviation Cybersecurity—Finding Lift, Minimizing Drag, which finds that preventive measures act as a deterrent, but “declarations of fully secure systems are unrealistic.”
Aviation systems in the past were relatively secure from cyber threats due to the “bespoke nature” of their design and their isolation from other systems, according to the report. “But air traffic management (ATM) is no longer isolated, and ground services and supply chains are becoming fully integrated into an interconnected digital world,” the report adds. “Aircraft, be they airliners, UAS or helicopters, must now be considered nodes on multiple networks, whether they are airborne or not. Multiple claims of opportunity and vulnerability must be met with more than dismissal.”
A shift from legacy radar to GPS and ADS-B greatly improves accuracy and reliability under normal conditions, the report states, but adds those systems “remain susceptible to degradation by environmental hazards or manipulations by hostile actors.”
ICAO guidance has cited “considerable alarmist publicity regarding ADS-B security” and has said that “to a large extent, this publicity has not considered the nature and complexity of ATC,” according to the report. ICAO further has said its assessment of security policies in use for ADS-B provides a more balanced view. Other officials have maintained that the security has been assessed, a plan is in place, and systems are monitored.
Authors of the report conceded they could not comment on the assessment, since it had only a limited distribution for security reasons, and security efforts are not revealed. Even so, the report worries that the guidance is dismissive of the inherent risks associated with ADS-B. According to the report the main researcher concern about ADS-B is that it is "an open system with no encryption, authentication, or integrity checks" and therefore "ADS-B signals could potentially be eavesdropped on, blocked, or transmitted by adversaries.”
Further, the report expresses concerns that ADS-B hardware is fitted and networked with other aircraft systems, providing a potential entry point for adversaries. “Already, many ADS-B units available for sale have both Wi-Fi and Bluetooth connectivity to permit uploading software and to link with electronic flight bag [EFB] software on portable tablets,” the report says. “The recent report of an ADS-B transceiver with a permanently open Wi-Fi hotspot, despite having a technical standard order authorization (i.e. design and production approval) from the FAA, demonstrates that there may be more challenges to come.”
ATM Challenges
The report looks at multiple air traffic management system issues, such as vulnerabilities with controller-pilot datalink systems and the System-Wide Information System. These systems contain similar challenges involving authentication, encryption, auditing and monitoring.
In addition to highlighting ATM, the report focuses on vulnerabilities with connected systems aboard the aircraft. EFBs must meet certain security criteria, and permitted data transmissions are limited for security reasons and must be isolated from other aircraft systems. Other efforts, such as firewalls, further improve security.
But the report still expresses concerns that “as their growth in popularity has increased, the variety of hardware and software used for portable EFBs has also increased. Diversity and platform complexity may make it harder to demonstrate assurance and deliver reliability.” The report notes incidents that have already taken place involving third-party applications crashing aircrew EFB tablets.
Other technologies such as maintenance monitoring and the Aircraft Communications Addressing and Reporting System (ACARS) create further susceptibility, along with the rapid growth of use of Wi-Fi aboard aircraft by passengers. “Modern connected aircraft have seen a rapid growth in the amount of data they produce,” the report said. “It is estimated that by 2026, the global growth in aircraft-generated data could reach 98 million terabytes. Much of this data is where evidence of adversary activity or intent will be visible. Being able to see into this data, protect it and quickly analyze it for weak signs of compromise will be essential.”
The report points to vulnerabilities associated with emerging capabilities, ranging from additive manufacturing to unmanned systems, and warns that “their novelty may obscure the cybersecurity risks these technologies introduce.”
Additive manufacturing, or 3D printing, was once a niche capability, but has become widely used for on commercial aircraft. The Airbus A350 alone incorporates more than one thousand parts produced though 3D printing the report finds. In 2015 the 3D printing industry was worth $11 billion and is forecast to reach $27 billion in 2019.
The report cites the benefits of 3D printing, including less weight, lighter and stronger parts. “Since it is digital, however, there is immediate potential for concern,” the report said, adding that such methods is open to compromise through multiple means.
These include disruption or deletion of firmware or product design; the compromise of intellectual property through the theft; or, sabotage of the printing process with the intention to weaken the products.
A number of research projects have examined cybersecurity vulnerabilities involving 3D printing. Research revealed the ability to compromise either the printer or the design in such a way that the product is weakened but the vulnerability is undetectable. Another research showed the ability to weaken the design of a propeller to the point that it failed catastrophically after two minutes of use. “Additionally, for this attack, the researchers were able to demonstrate an attack chain from an external threat into the printer, and also the ability to insert the exploit into a worm that could be given sets of constraints and instructions,” the report noted. “With increased growth and uptake of additive manufacturing in more and more critical areas, the risk of cyber adversaries seeking their own slice of value or disruption also grows.”
Airports, which are susceptible to physical breach, are another area of concern, says the report.
Concerning to the report’s authors is “the speed of innovation, technological advancement, and adversary capabilities potentially outstripping policy and regulatory development in many areas of the aviation ecosystem.”
The report offers numerous recommendations for shaping a cybersecurity vision, with a need to focus on international collaboration on managing risks and developing resilient systems. Recommendations range from reinforcing standardization, developing a common understanding of cyber safety and developing robust threat models, to designing systems to capture cybersecurity relevant data and training for safety. Another recommendation: “incorporate cyber perspectives into accident and incident investigations.”
Air Traffic Control Association president and CEO Peter Dumont, providing a perspective for the report, highlighted a need to ensure future technologies are designed to permit updates in real time. Dumont further expressed concern that security policies tend to be generic, while aviation systems must be specific.
“To ensure security and prevent potential disruption to the aviation system—while at the same time ensuring that the full potential of connectivity is achieved—requires a concerted effort from manufacturers, service providers and regulators,” said Aerospace Industries Association president and CEO David Melcher, praising the report for identifying issues and calling for a unified industry-wide approach to the emerging threat. “Publishing this report is an important first step; now we need to move into action.”