Cybersecurity in aviation

Pablo Hernández

2020-10-22 18:07:41

The aviation industry is quickly moving towards digitalization, introducing new technologies and concepts, especially through non-aviation means (e.g. Cloud, 5G, WiFi, satellite communications and Machine Learning). This, in turn, further exposes it to the current trend of cyber-attacks. We’re all more than familiar with the ransomware attacks that pop up every now and then in the news. Attackers threaten to publish sensitive data or permanently block access to it unless a ransom is paid. Garmin has been the latest target of a cyber-attack, most likely by ransomware, though unconfirmed, that left its users inactive for five days. In 2017, the world witnessed a ransomware attack (WannaCry) that affected over 200,000 computers in over 150 countries. Another common type of cyber-attack is the data breach (or data leak). These are attacks where confidential, sensitive, or protected information is exposed to unauthorized persons and shared without permission. In the first half of 2019 alone, data breaches exposed a total of 4.1 billion records. A study from the University of Maryland estimates that a computer suffers on average 2,244 attacks per day (one every 39 seconds). The aviation industry is not immune to this. The airline Cathay Pacific was the target of a data breach attack in November 2018 that caused the leak of over 9 million people’s personal data. EUROCONTROL reported more than 30 cyber-attacks on aviation in the first semester of 2019. Not to mention, the cyber domain particularly appeals to terrorists due to being low-cost, anonymous and accessible—terrorists can attack from virtually anywhere in the world.

Cybersecurity risk is a relatively new challenge for the aviation industry. Air transport has always relied heavily on a variety of systems for safety and efficiency in operations. But, as an industry, it has often lagged behind the state of the art, mainly for safety reasons and because of long certification processes. The average aircraft age is 11 years and, up until now, most ground and airborne equipment was based on analog technology and proprietary legacy systems. Unlike with most modern systems, the main threat to analog technology is physical wear or tampering, and proprietary legacy systems have very limited connectivity and can work primarily as standalone systems, making them difficult targets for cyber-attacks.

The aviation industry is making a great leap forward in terms of digitalisation. This revolution will bring great benefits, helping to tackle some of the main challenges the industry currently faces (efficient flight planning, reduced emissions/fuel consumption, delays, training or safety). But all this comes at a cost. E-enabled aircraft are turning airplanes into flying data centers. This rapid development towards fully digital aircraft with widespread connectivity capabilities opens the aviation industry to new challenges and vulnerabilities with unprecedented risks. For example, one of these vulnerabilities is the increased use of COTS (commercial off-the-shelf) software. This opens aviation systems to more hard-to-predict attacks and to attacks that do not require aviation-specific knowledge (aviation-specific software and hardware). Another vulnerability is the introduction of aircraft wireless connectivity. This technology can enable pilots and maintenance crew to use Electronic Flight Bag (EFB) tablets, iPads, or a simple laptop, and, through WiFi, access and obtain critical flight data. Attackers could (as they already have) exploit this interconnectivity not only to access this data but to manipulate it, thereby compromising the safety of a flight. It is important to keep in mind that these vulnerabilities do not only affect onboard systems. There are also major attempts to modernize Air Traffic Control (ATC) systems. Similar to the vulnerabilities mentioned above, the digitalisation of ATC systems will open new avenues of attack for which the aviation industry must prepare.

So, what are some of the challenges to the industry adopting security measures against such vulnerabilities? One such challenge is the lack of a robust and mature security culture. Compared to the current safety culture that has greatly improved air safety levels, the aviation security culture is dangerously underdeveloped. There is a clear need for greater interaction among stakeholders in discussing cybersecurity threats and best practices. There is currently also a great lack of cybersecurity awareness training as well as operational training for pilots or air traffic controllers to help them recognize and manage possible cybersecurity incidents. Another important challenge is the current absence of the concept of “Security by design”. During the OPTICS2 cybersecurity workshop held at EASA, one of the main conclusions reached by different experts was that cybersecurity in aviation is usually not by design but rather included as an afterthought. This could be due to the ever-increasing complexity of aircraft certification processes or the complex nature of regulatory bodies, which make it difficult to adopt new regulations to counter newly arising threats.

The good news is that the aviation industry is rising to the challenge. More and more stakeholders (manufacturers, airlines, ANSPs) are aware of the importance of cybersecurity, and specific departments and services are being created to deal with the threats ahead. In October 2019, during the 40th Session of the General Assembly, ICAO adopted Assembly Resolution A40-10, addressing cybersecurity in civil aviation and explaining the need for a more coordinated and proactive approach; ICAO urged member states to implement the ICAO Cybersecurity Strategy. In April 2019, IATA held the Aviation Cyber Security Roundtable (ACSR) in Singapore. Its aim was to better understand and manage cybersecurity risks in civil aviation by sharing knowledge and experience. IATA also delivers three-day classroom training courses on aviation cyber security. EASA and the FAA are also taking an active role in promoting information sharing and awareness events as well as trying to adapt current regulations to the future challenges. By the end of 2019, aircraft and systems electronic networks and systems certification are expected to comply with the recently updated DO-326 and ED-202. These new updates seek to provide a more detailed and complete approach to the management of cybersecurity risks.

Finally, at Innaxis, we are well aware of the importance of cybersecurity in aviation. We are actively involved in two major projects that look to address some of the challenges of the aviation world: OPTICS2 and Engage. OPTICS2 aims to assess the progress of aviation safety and security research towards achieving Flightpath2050 goals. Among these, cybersecurity plays a very important role. As mentioned earlier, in 2018, OPTICS2 held a cybersecurity workshop at EASA with 50 experts from all sectors of aviation. The objective was to give a clear picture of the current state of aviation cybersecurity, the future challenges facing the industry, and the top research priorities to help protect aviation from cyber-threats now and in the future. Among the objectives of Engage are the “Engage Thematic Challenges”. These are new ideas suggested by the research community that are not already included within the scope of an existing SESAR project. TC1, led by Innaxis, addresses “Vulnerabilities and global security of the CNS/ATM system”. Its aim is to bring researchers, technical experts and end-users together to debate and understand the vulnerabilities of the current system and the actions necessary to mitigate them, moving towards a cyber-resilient system. In 2019, a first workshop was held and all findings were compiled in a document that serves as a reference for channelling European ATM research into safer CNS systems. A second, virtual workshop is scheduled for November 10th of this year to further the discussion. If you are interested in attending, please click on this link to see more information about the workshop, the agenda and to register.

I hope you have enjoyed this post and don’t forget to visit datascience.aero for more amazing and interesting blogs on data science and the aviation industry!

© datascience.aero