On April 15, 2015, self-proclaimed white hat hacker Chris Roberts tweeted a sarcastic joke about hacking into the crew-alerting communications system of a United Airlines aircraft via its in-flight entertainment system.
It was a tweet heard ’round the aviation world.
Immediately detained and questioned by the FBI after the flight, Roberts allegedly claimed to have repeatedly exploited vulnerabilities in aircraft in-flight entertainment systems, including one occasion when he hacked into a plane’s flight controls and made it move sideways.
Was it possible? Most cybersecurity experts are skeptical, but according to former U.S. Air Force Capt. Carl Herberger (‘91, DB), now vice president of security solutions at Radware, that’s not the most important question.
“The question is whether or not one day it will be true,” says Herberger. “I think the answer is, it’s inevitable.”
As airplanes and aviation systems get “smarter” and rely more on digital interconnection through Internet- and satellite-based technologies, they are increasingly in the crosshairs for cyberattacks, which overall have grown tenfold from 2006 to 2013 (5,503 incidents to 60,753), according to a 2015 U.S. Government Accountability Office report (GAO-15-370).
“The fact is the bad guys are already out there,” says Gary Kessler, professor of cybersecurity and chair for the department of security studies and international affairs at the Daytona Beach Campus. “[They] have access to all of these tools and [they] are using them.”
Herberger believes the potential for a hackers’ open season on aviation—while maybe not imminent—is possible. “Among the black hat [hacker] community, the sexier Internet of Things discussions relate to transportation systems,” he says. “If we know that somebody has motive and we know that somebody has means, and there’s a vulnerability, then you would think to yourself, ‘Why wouldn’t the aviation industry be a natural target?’”
Target: NextGen
Experts say the developing Next Generation Air Transportation System (NextGen) is rife with potential cybersecurity vulnerabilities. Replacing a radar-based air traffic control system with one that connects aircraft and controllers using data and satellite links is inherently more susceptible to cyberattack.
“It will all be computer to computer communications,” explains Jon Haass, associate professor of cyber intelligence and security at the Prescott Campus. “Guess what they forgot? They forgot cybersecurity.”
The GAO acknowledges the growing risk. In its 2015 report, it affirms that NextGen’s Internet-technology-based, interconnected system “increases cybersecurity risks,” and that “significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system.”
“Anytime you continuously integrate and automate without commensurately securing, you’re allowing systems to be functioning at a level that if you take one cog out, it makes the whole thing fall down,” says Herberger. “I find that many of these newer technologies are coming at the expense of true isolated redundancy.”
Of those newer technologies at risk, Automatic Dependent Surveillance-Broadcast (ADS-B) rises to the top. A NextGen technology that is already widely adopted by the aviation industry, ADS-B allows an aircraft to automatically determine its position via satellite and then broadcast that information to other aircraft and ground controllers.
“It’s going to be compulsory to use [by 2020], and ADS-B is not secure,” says Remzi Seker, a computer science professor and M.S. and Ph.D. program coordinator for the electrical, computer, software & systems engineering department at the Daytona Beach Campus. There are privacy concerns with ADS-B information, which is accessible publicly using real-time computer flight tracking applications, and it’s also easy for hackers to spoof, or create “ghost” aircraft in the system, leading to confusion and potential havoc for pilots and air traffic controllers, he explains.
Another risk involves how the aircraft’s Electronic Flight Bag (EFB) connects to the Internet to communicate with the System Wide Information Management program (SWIM). SWIM is the data-sharing backbone of the NextGen system, providing a single connection point for aircraft and air traffic controllers to receive real-time, accurate flight, surveillance, weather and aeronautical information.
A 2014 report, co-authored by Seker with assistance from the FAA, identifies this vulnerability: When an aircraft’s EFB connects to the Internet through a cellular or satellite data link, it often shares its bandwidth with the passenger cabin’s Internet service, and that leaves it susceptible to cyberattack.
A denial of service (DoS) attack, for example, could disrupt the data link, Seker says. An EFB infected by malware could do this or someone in the passenger cabin could mount a DoS attack. “There are measures in place now to make sure throttling is not overcome. However, that is not to say this cannot be an attack vector,” Seker adds.
Another vulnerability with the data link: It will be used to replace voice communication between pilots and air traffic controllers. Brent Spencer (’83, WW), air traffic management program chair at the Prescott Campus, believes this would be easier to compromise than a traditional radio communication. “The data link could be hacked and instructions given to a pilot that the controller would not be able to hear or see, and have no way to correct. Human oversight and the ability to communicate directly and immediately is crucial to the safety and integrity of the national airspace system,” he says.
The FAA is taking steps to create an enterprise protection solution for its NextGen system, but according to Steve Dedmon (’94, WW), associate chair and professor of law in the aeronautical science department at the Daytona Beach Campus, there’s still work to do to put robust protections in place. A virtual point-to-point model is what the FAA is striving for, Dedmon says. “They hope to create [air traffic] systems that are individually secure, and secure the entirety from the outside with a big net around it, as well.”
Target: e-Enabled Aircraft
Electronic or e-Enabled aircraft, namely the wide-body Boeing 787 and the Airbus 380 and 350, add further cybersecurity concerns. These aircraft have systems that are networked to ground stations in real time, and that receive and transmit data that can influence flight operations including navigation, maintenance performance and airplane health management.
“The powerplant manufacturers now have direct access to the engines in flight, diagnostically and otherwise,” Herberger says. “Things have dramatically changed. It’s no longer proprietary. It’s interconnected, but not just to the transportation system, to manufacturing and other diagnostic information entities.
“One of the things that I think is most ridiculous is that as part of an airworthiness certificate, we’re not doing cybersecurity testing. Things are no longer mechanically controlled, and we don’t require any cybersecurity testing before we actually issue an airworthiness certificate. It’s amazing,” he says.
A Radio Technical Commission for Aeronautics (RTCA) committee has issued several aircraft certification standards that offer guidance for safeguarding aircraft against cyberattacks, as has the National Institute of Standards and Technology. But the standards are “vague” and not enforceable, Herberger adds. “There is a big difference between a standard and a test of airworthiness.”
Seker, who served on the RTCA committee that devised two of the current standards, agrees. “The aviation industry realized way too late that cybersecurity was important,” he says.
Despite a growing awareness of the cybersecurity threats, a regulatory remedy does not appear to be on the near horizon. Dedmon believes the delay is due to the complexity of the issue, as well as money. “It’s an expense, ultimately for the manufacturer and for the aviation industry,” Dedmon says. “The FAA can’t just arbitrarily make rules. Pursuant to executive order, the Office of Management and Budget must do a cost-benefit analysis before rules can be issued, so as to not potentially bankrupt the airline industry. Currently, they’re in a holding pattern. They started talking about proposing a rule covering avionics cybersecurity in 2013, but determined more research was necessary.” The rule-making process is expected to begin anew in 2016.
Corporate Makeover
In the meantime, the industry is taking its own actions to be “cyber ready.” For example, in 2012, The Boeing Company asked the FAA to issue special conditions for the Boeing Model 777-200, -300 and -300ER series airplanes after realizing the avionics systems on these aircraft were vulnerable to cyberattack.
Of primary concern is the increased connectivity with external network sources and the interconnectivity of the aircraft’s networks and systems, such as passenger entertainment and information services, states a report about the resulting rule published in the Federal Register (FR Doc. 2013-27343). As a fix, Boeing engineered a network extension device that would further separate the aircraft’s information and entertainment systems from its controls network.
Older aircraft present their own challenges. Mike Gordon (’97, ’01, DB), director of cyber intelligence and operations for corporate information security at Lockheed Martin, says a big security issue is the modernization of legacy aircraft systems, which will require retrofitting to meet NextGen operational needs. According to a 2014 U.S. Department of Transportation report (No. DOT HS 812 075), the challenge will be properly mitigating and managing the installation and use of Internet Protocol-enabled external networks on aircraft not originally built for such capabilities.
“These systems were designed 20 to 30 years ago, before network security became what it is today,” Gordon says. “At Lockheed Martin, we understand the risks to these systems and ensure that our NextGen technologies are all cyber ready from the beginning.” Regarding new military aircraft designs, Lockheed Martin’s approach puts cybersecurity at the forefront, he says. “[For example] the F-35 is a flying computer and they designed it with cybersecurity in mind. We design our platforms with the idea that they are computers.”
According to Kessler, that’s how it should be. It’s poor or rushed design that creates cybersecurity vulnerabilities, he says. Take the renowned hack of Target retail stores in 2013, for example, where the point-of-sale terminal data was accessible to hackers via the air conditioning monitoring system. “That was just bad design, bad architecture,” Kessler says.
Building a Cyber Defense
So, how can the aviation industry protect itself from cyberattacks? “There is no one silver bullet,” says Raja Patel (’97, PC), vice president of cybersecurity products at Intel Security. “The implications of an attack or a breach on aircraft are higher, similar to any other critical infrastructure environment, but the approach to keeping up is comparable to the corporate world. We at Intel Security are building systems that take into account the full threat life-cycle, which consists of building in the best pro-active protection, but also recognizing that threats and environments change. There is a growing need to innovate with advanced threat detection technologies and innovations, such that if a threat does get in, we can reduce the time to detection and ultimately mitigate it before damage is realized.”
Knowledge sharing is also important. Gordon says it’s a priority for Lockheed Martin, which cofounded the Defense Security Information Exchange (DSIE). “We often say that a company should figure out who its biggest competitor is, and then become best friends in terms of cybersecurity. The same adversary attacking Lockheed Martin is probably attacking Boeing. Cybersecurity is a team sport,” says Gordon, who is a director on the DSIE Board.
For Herberger, the solution is simple, at least in theory: Create closed, proprietary aircraft and air traffic systems. “If you look at commercial aircraft, they’re using ‘open,’ they’re using ‘known,’ ‘standard’ and ‘convenient’ systems, and those are only foes to security. If I wanted to build a very secure aircraft system, it would be just the opposite of convenient. It has to maintain life. You want it to be challenged and authenticated frequently,” he says.
“I don’t think fundamentally that people really get the problem yet. I think it’s going to take something like a 9/11 event before people wake up to the fact and say, ‘We’ve known this all along and we really should have acted on it.’”