Open Season?

On April 15, 2015, self-proclaimed white hat hacker Chris Roberts tweeted a sarcastic joke about hacking into the crew-alerting communications system of a United Airlines aircraft via its in-flight entertainment system.

It was a tweet heard ‘round the aviation world.

Immediately detained and questioned by the FBI after the flight, Roberts allegedly claimed to have repeatedly exploited vulnerabilities in aircraft in-flight entertainment systems, including one occasion when he hacked into a plane’s flight controls and made it move sideways.

Was it possible? Most cybersecurity experts are skeptical, but according to former U.S. Air Force Capt. Carl Herberger (‘91, DB), now vice president of security solutions at Radware, that’s not the most important question.

“The question is whether or not one day it will be true,” says Herberger. “I think the answer is, it’s inevitable.”

As airplanes and aviation systems get “smarter” and rely more on digital interconnection through Internet- and satellite-based technologies, they are increasingly in the crosshairs for cyberattacks, which overall have grown tenfold from 2006 to 2013 (5,503 incidents to 60,753), according to a 2015 U.S. Government Accountability Office report (GAO-15-370).

“The fact is the bad guys are already out there,” says Gary Kessler, professor of cybersecurity and chair for the department of security studies and international affairs at the Daytona Beach Campus. “[They] have access to all of these tools and [they] are using them.”

Herberger believes the potential for a hackers’ open season on aviation—while maybe not imminent—is possible. “Among the black hat [hacker] community, the sexier Internet of Things discussions relate to transportation systems,” he says. “If we know that somebody has motive and we know that somebody has means, and there’s a vulnerability, then you would think to yourself, ‘Why wouldn’t the aviation industry be a natural target?’”

Target: NextGen

Experts say the developing Next Generation Air Transportation System (NextGen) is rife with potential cybersecurity vulnerabilities. Replacing a radar-based air traffic control system with one that connects aircraft and controllers using data and satellite links is inherently more susceptible to cyberattack.
“It will all be computer to computer communications,” explains Jon Haass, associate professor of cyber intelligence and security at the Prescott Campus. “Guess what they forgot? They forgot cybersecurity.”

Digital Airport Security, a Growing Need

SP2016_Coverstory_cyber_Airport-Security-Sidebar_Stock-art

SP2016_Coverstory_cyber_Airport-Security-Sidebar_Stock-art-hcrop

As the commerce hub for the aviation industry, airports are increasingly targeted by hackers looking to make a profit or an ideological statement, or to simply disrupt operations. The effects—long lines, delays and grounded airplanes—are never good for passengers or airlines.

For example, in June 2015, a distributed denial of service (DDoS) attack on LOT Polish Airlines crippled its ground operation systems. The airline was left unable to create flight plans, and outbound flights from Warsaw were temporarily grounded—along with more than 1,000 passengers at Warsaw’s Chopin Airport.

Airports are a complex web of computerized systems, which makes them particularly vulnerable to cyberattacks, says Jon Haass, associate professor of cyber intelligence and security at the Prescott Campus, who co-authored the Airport Cooperative Research Program Report 140: Guidebook on Best Practices for Airport Cybersecurity. “An airport is like any other large company in the sense that it has payroll, accounting, supply chain, product and credit card handling,” he says. Baggage handling, fueling, providing flight data to the crew and flight crew assignments are all computerized and subject to malware, adds Haass.

The X-ray equipment used to screen passengers and baggage by the Transportation Security Administration (TSA) and the kiosks where people can check-in and buy airline tickets are also vulnerable and visible targets for hackers, says Steve Dedmon (’94, WW), associate chair and professor of law in the aeronautical science department at the Daytona Beach Campus.

Haass agrees. As global terrorism grows, airport systems can also be hacked to facilitate the travel of would-be bad actors. “Just this fall [2015], the terrorist watch list went out for four hours, and all around the country no airport had their automated system available to look for terrorists,” Haass says. “Could somebody have slipped through? Yes.”

Dedmon recommends that all commercial airports incorporate a cybersecurity professional into their staff. “We need someone specifically looking at these issues for airports, as either a full-time or corollary responsibility,” he says.

The GAO acknowledges the growing risk. In its 2015 report, it affirms that NextGen’s Internet-technology-based, interconnected system “increases cybersecurity risks,” and that “significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system.”

“Anytime you continuously integrate and automate without commensurately securing, you’re allowing systems to be functioning at a level that if you take one cog out, it makes the whole thing fall down,” says Herberger. “I find that many of these newer technologies are coming at the expense of true isolated redundancy.”
Of those newer technologies at risk, Automatic Dependent Surveillance-Broadcast (ADS-B) rises to the top. A NextGen technology that is already widely adopted by the aviation industry, ADS-B allows an aircraft via satellite to automatically determine its position and then broadcast that information to other aircraft and ground controllers.

“It’s going to be compulsory to use [by 2020], and ADS-B is not secure,” says Remzi Seker, a computer science professor and M.S. and Ph.D. program coordinator for the electrical, computer, software & systems engineering department at the Daytona Beach Campus. There are privacy concerns with ADS-B information, which is accessible publicly using real-time computer flight tracking applications, and it’s also easy for hackers to spoof, or create “ghost” aircraft in the system, leading to confusion and potential havoc for pilots and air traffic controllers, he explains.

Another risk involves how the aircraft’s Electronic Flight Bag (EFB) connects to the Internet to communicate with the System Wide Information Management program (SWIM). SWIM is the data-sharing backbone of the NextGen system, providing a single connection point for aircraft and air traffic controllers to receive real-time, accurate flight, surveillance, weather and aeronautical information.

A 2014 report, co-authored by Seker with assistance from the FAA, identifies this vulnerability: When an aircraft’s EFB connects to the Internet through a cellular or satellite data link, it often shares its bandwidth with the passenger cabin’s Internet service, and that leaves it susceptible to cyberattack.
A denial of service (DoS) attack, for example, could disrupt the data link, Seker says. An EFB infected by malware could do this or someone in the passenger cabin could mount a DoS attack. “There are measures in place now to make sure throttling is not overcome. However, that is not to say this cannot be an attack vector,” Seker adds.

Another vulnerability with the data link: It will be used to replace voice communication between pilots and air traffic controllers. Brent Spencer (’83, WW), air traffic management program chair at the Prescott Campus, believes this would be easier to compromise than a traditional radio communication. “The data link could be hacked and instructions given to a pilot that the controller would not be able to hear or see, and have no way to correct. Human oversight and the ability to communicate directly and immediately is crucial to the safety and integrity of the national airspace system,” he says.

The FAA is taking steps to create an enterprise protection solution for its NextGen system, but according to Steve Dedmon (’94, WW), associate chair and professor of law in the aeronautical science department at the Daytona Beach Campus, there’s still work to do to put robust protections in place. A virtual point-to-point model is what the FAA is striving for, Dedmon says. “They hope to create [air traffic] systems that are individually secure, and secure the entirety from the outside with a big net around it, as well.”

Target: e-Enabled Aircraft

Electronic or e-Enabled aircraft, namely the wide-body Boeing 787 and the Airbus 380 and 350, add further cybersecurity concerns. These aircraft have systems that are networked to ground stations in real time, and that receive and transmit data that can influence flight operations including navigation, maintenance performance and airplane health management.

“One of the things that I think is most ridiculous, is that as part of an airworthiness certificate we’re not doing cybersecurity testing. Things are no longer mechanically controlled, and we don’t require any cybersecurity testing before we actually issue an airworthiness certificate. It’s amazing.”

Carl Herberger (’91, DB)

“The powerplant manufacturers now have direct access to the engines in flight, diagnostically and otherwise,” Herberger says. “Things have dramatically changed. It’s no longer proprietary. It’s interconnected, but not just to the transportation system, to manufacturing and other diagnostic information entities.

“One of the things that I think is most ridiculous is that as part of an airworthiness certificate, we’re not doing cybersecurity testing. Things are no longer mechanically controlled, and we don’t require any cybersecurity testing before we actually issue an airworthiness certificate. It’s amazing,” he says.

A Radio Technical Commission for Aeronautics (RTCA) committee has issued several aircraft certification standards that offer guidance for safeguarding aircraft against cyberattacks, as has the National Institute of Standards and Technology. But the standards are “vague” and not enforceable, Herberger adds. “There is a big difference between a standard and a test of airworthiness.”

Seker, who served on the RTCA committee that devised two of the current standards, agrees. “The aviation industry realized way too late that cybersecurity was important,” he says.

Despite a growing awareness of the cybersecurity threats, a regulatory remedy does not appear to be on the near horizon. Dedmon believes the delay is due to the complexity of the issue, as well as money. “It’s an expense, ultimately for the manufacturer and for the aviation industry,” Dedmon says. “The FAA can’t just arbitrarily make rules. Pursuant to executive order, the Office of Management and Budget must do a cost-benefit analysis before rules can be issued, so as to not potentially bankrupt the airline industry. Currently, they’re in a holding pattern. They started talking about proposing a rule covering avionics cybersecurity in 2013, but determined more research was necessary.” The rule-making process is expected to begin anew in 2016.

Corporate Makeover

Mike Gordon (‘97, ‘01, DB) says Lockheed Martin acknowledges its aircraft are flying computers, designing them at the onset with cybersecurity in mind.

SP2016_Coverstory_cyber_Mike Gordon_Lockheed-horiz — Mike Gordon (‘97, ‘01, DB) says Lockheed Martin acknowledges its aircraft are flying computers, designing them at the onset with cybersecurity in mind.

In the meantime, the industry is taking its own actions to be “cyber ready.” For example, in 2012, The Boeing Company asked the FAA to issue special conditions for the Boeing Model 777-200, -300 and -300ER series airplanes after realizing the avionics systems on these aircraft were vulnerable to cyberattack.

Of primary concern is the increased connectivity with external network sources and the interconnectivity of the aircraft’s networks and systems, such as passenger entertainment and information services, states a report about the resulting rule published in the Federal Register (FR Doc. 2013-27343). As a fix, Boeing engineered a network extension device that would further separate the aircraft’s information and entertainment systems from its controls network.

Older aircraft present their own challenges. Mike Gordon (’97, ’01, DB), director of cyber intelligence and operations for corporate information security at Lockheed Martin, says a big security issue is the modernization of legacy aircraft systems, which will require retrofitting to meet NextGen operational needs. According to a 2014 U.S. Department of Transportation report (No. DOT HS 812 075), the challenge will be properly mitigating and managing the installation and use of Internet Protocol-enabled external networks on aircraft not originally built for such capabilities.

“These systems were designed 20 to 30 years ago, before network security became what it is today,” Gordon says. “At Lockheed Martin, we understand the risks to these systems and ensure that our NextGen technologies are all cyber ready from the beginning.” Regarding new military aircraft designs, Lockheed Martin’s approach puts cybersecurity at the forefront, he says. “[For example] the F-35 is a flying computer and they designed it with cybersecurity in mind. We design our platforms with the idea that they are computers.”

According to Kessler, that’s how it should be. It’s poor or rushed design that creates cybersecurity vulnerabilities, he says. Take the renowned hack of Target retail stores in 2013, for example, where the point-of-sale terminal data was accessible to hackers via the air conditioning monitoring system. “That was just bad design, bad architecture,” Kessler says.

Building a Cyber Defense

So, how can the aviation industry protect itself from cyberattacks? “There is no one silver bullet,” says Raja Patel (’97, PC), vice president of cybersecurity products at Intel Security. “The implications of an attack or a breach on aircraft is higher, similar to any other critical infrastructure environment, but the approach to keeping up is comparable to the corporate world. We at Intel Security are building systems that take into account the full threat life-cycle, which consists of building in the best pro-active protection, but also recognizing that threats and environments change. There is a growing need to innovate with advanced threat detection technologies and innovations, such that if a threat does get in, we can reduce the time to detection and ultimately mitigate it before damage is realized.”

Security Solutions

Email Yoon Choi to learn how you can help Embry-Riddle create solutions to our nation’s cybersecurity challenges.

Knowledge sharing is also important. Gordon says it’s a priority for Lockheed Martin, which cofounded the Defense Security Information Exchange (DSIE). “We often say that a company should figure out who its biggest competitor is, and then become best friends in terms of cybersecurity. The same adversary attacking Lockheed Martin is probably attacking Boeing. Cybersecurity is a team sport,” says Gordon, who is a director on the DSIE Board.

For Herberger, the solution is simple, at least in theory: Create closed, proprietary aircraft and air traffic systems. “If you look at commercial aircraft, they’re using ‘open,’ they’re using ‘known,’ ‘standard’ and ‘convenient’ systems, and those are only foes to security. If I wanted to build a very secure aircraft system, it would be just the opposite of convenient. It has to maintain life. You want it to be challenged and authenticated frequently,” he says.

“I don’t think fundamentally that people really get the problem yet. I think it’s going to take something like a 9/11 event before people wake up to the fact and say, ‘We’ve known this all along and we really should have acted on it.’”

Professor Remzi Seker served on the Radio Technical Commission for Aeronautics committee that devised two cybersecurity standards for the aviation industry.

Closing the Gap: Educating Future Cybersecurity Professionals

Education is imperative to the cybersecurity solution formula, especially as it relates to growing the pool of skilled cybersecurity professionals, says Gary Kessler, professor of cybersecurity and chair for the department of security studies and international affairs at the Daytona Beach Campus.

Presently, more than 200,000 cybersecurity jobs in the United States are unfilled, and postings are up 74 percent over the past five years, according to a 2015 analysis of the Bureau of Labor Statistics by Peninsula Press, a project of the Stanford University Journalism Program. That demand is expected to increase, with a 1.5 million shortfall of available cybersecurity professionals projected by 2020.

Embry-Riddle is at the forefront of the education effort, Kessler says, and is leading the way with regard to research and knowledge sharing.

Researchers at the Daytona Beach Cybersecurity and Assured Systems Engineering Center are developing cybersecurity solutions, and the Prescott Campus is a member of the first cross-sector regional sharing network, Arizona Cyber Threat Response Alliance (ACTRA). “Our students are actually working with ACTRA. They are doing research and briefing the FBI on their findings,” says Jon Haass, associate professor of cyber intelligence and security at the Prescott Campus.

Learn more at erau.edu/degrees/computers-technology.

Are you a Cybervillain?

What type of cybersecurity hero are you? Take our quiz and find out!

Anonymous – A prominent hacktivist group.

Black Hat Hacker – A person who exploits weaknesses in a computer system or network without permission and for unethical or illegal ends, such as stealing information for personal financial gain.

Cyber Armageddon – A cyber catastrophe that impacts world markets and economies and/or infrastructures that starts with a mouse click.

Cyber Hygiene – Doing sensible things to prevent a cyberattack, e.g. updating security software on your computer, creating new passwords on a regular basis, etc.

Dark Web or Dark Net – A network of Internet sites that can only be accessed using specialized browsers or languages like Tor, “The Onion Router,” which was created in the mid-1990s by U.S. military researchers to allow intelligence operatives to exchange information anonymously.

Deep Web – Areas and information on the Internet that don’t require specialized software to view, but which are not typically found using common search engines like Google. The student-run Eagle Eye Intelligence organization at the Prescott Campus scours the Deep Web for open source intelligence, which it publishes in its news wire, Eagle Eye Intel: http://www.eagleeyeintel.com/.

Denial of Service (DoS) – A type of cyberattack that slows or stops data passing through a network by introducing more traffic than the network or server can accommodate. A Distributed Denial of Service (DDoS) attack is an attempt to do this from multiple locations at once.

Digital Pearl Harbor – A possible catastrophic act of war against the United States using digital means to disrupt multiple fronts to include infrastructure, businesses, citizens, government and/or economies.

Hacktivism – hacking into a website, computer system or network to cause harm as a means of ideological protest.

Internet of Things (IOT) – the network of physical objects and sensors connected to the Internet. This includes Internet-connected electric meters, cars, home thermostats, entertainment systems and jet engines that communicate with other physical objects, computers and devices.

Linear Optical Quantum computing — a possible future digital reality, whereby silicon photonic chips will compute and shuttle data with light instead of electrons, significantly increasing the power and speed of supercomputers, servers and the Internet of Things.

Malware — any software that is intended to damage or disable computer systems.

Phishing — sending emails that lure recipients to compromise their security, either by attaching files or embedding links that install malware enabling the bad actor to capture personal information and gain access to computer files; or by pretending to be a business with which the recipient is associated and directly asking for personal information.

Ransomware — a type of malware that is used to extort money by preventing users from accessing their computer or device until payment is made.

Script Kiddies – People with limited knowledge of computer systems, networks or websites who use scripts or programs developed by others to launch attacks.

Shoulder Surfing – when potential bad actors look over the shoulder of an unsuspecting individual as they are typing a password or an access code into a keypad. Some sophisticated actors use long-range cameras and may even work in teams to accomplish their goals.

Spear Phishing — a special type of phishing targeting specific individuals with elevated access rights or decision-making authority. For example, an actor may obtain information from a public or compromised source, such as a supervisor, senior manager, or trusted organization. They then use this information to send what appear to be legitimate emails to individuals within the targeted organizations.

White Hat Hacker – a person who exploits weaknesses in a computer system or network with the intent to help improve its security.

Share this Article:

As the aviation industry gets 'smarter,' cybersecurity vulnerabilities threaten the nation's airspace.