SoS Musings #30 - Improving Cybersecurity for Aviation

SoS Musings #30
Improving Cybersecurity for Aviation

It is only a matter of time before an aircraft is significantly impacted by a hacking incident as indicated by recent discoveries made by cybersecurity researchers and the U.S. government. According to a report released by ResearchAndMarkets.com, titled Aviation Cyber Security Market - Growth, Trends, and Forecast, the aviation cybersecurity market is expected to grow at a compound annual growth rate (CAGR) of 11% from 2019 to 2024. Although the increasing connectivity and digitalization in the aviation sector has brought benefits in regard to better customer service, operations, and passenger flight experience, such advancements in aviation technology in addition to the growing connectivity of this technology has increased the vulnerability of the aviation sector to possible cyberattacks. The aviation industry is expected to invest more in technological advancements aimed at detecting and preventing cyberattacks on the aviation sector’s IT infrastructure and networks, which are critical for ground and flight operations. One key market trend is that North America holds the largest share in the aviation market with the U.S. investing mostly in the research and development of advanced cybersecurity systems. The 2018 Air Transport Cybersecurity Insights report highlights the current challenges faced by the aviation industry in regard to cybersecurity based on the results of a survey to which 59 senior decision makers at major airlines and airports, including CEOs, CISOs, VPs, and IT Directors responded. According to the report, there is a high level of awareness surrounding cybersecurity in the aviation industry. However, current challenges are hindering efforts towards great aviation cybersecurity advancements. These challenges include growing cybersecurity costs, lack of CISOs, and low empowerment of cybersecurity teams. The aviation industry also faces similar challenges to other industries when it comes to cybersecurity such as limited resources, inadequate staff training, network visibility, and a skills gap. As aviation technology continues to grow in Internet-connectivity, posing a greater threat to safety, it is important that research efforts and developments aimed at improving the security of this technology increases.

Researchers have conducted studies that highlighted the importance of improving aviation cybersecurity. Robert Hickey, aviation manager within the Cyber Security Division of the DHS S&T Directorate and his team of experts from government, academia, and industry demonstrated that it is possible to remotely hack a commercial aircraft. According to Hickey, he and his team were successful in hacking a Boeing 757 by accessing its systems through radio frequency communications, further highlighting the possibility of compromising an airplane without having to physically access it. IOActive industrial cybersecurity expert, Ruben Santamarta, brought attention to the vulnerability of the Boeing 787 to remote hacking as he discovered Boeing Co. server that was exposed to the internet. The server contained firmware applications for the aviation manufacturer’s 787 airplane networks in which he discovered multiple security vulnerabilities, including buffer overflow, memory corruption, stack overflow, and denial-of-service flaws. These vulnerabilities could be exploited by attackers to gain remote access to the plane's sensitive avionics network, which is also considered the crew information systems network. Santamarta found these security vulnerabilities by reverse-engineering binary code and examining configuration files in the firmware applications for the Boeing 787 airplane network. He also discovered the exposure of proxy servers, used by airlines to communicate with their 787 planes, to the public internet, which is another way an attacker can compromise the plane’s network. Santamarta was also behind the discovery of vulnerabilities in a commercial aircraft’s satellite communications equipment that could allow hackers to remotely spy on hundreds of planes from the ground. Using these vulnerabilities, hackers could compromise onboard systems, snoop on in-flight Wi-Fi, and perform surveillance on all connected passenger devices. According to presentations and risk assessments conducted by the U.S. government researchers, tests performed on an aircraft have proven the vulnerability of planes to hacking incidents in which flight operations are impacted and shown that cybersecurity protections for airborne vehicles are lacking. One presentation conducted by the Pacific Northwest National Laboratory (PNNL) indicated the lab’s attempt to hack an aircraft through its Wi-Fi Internet and information distribution systems. Researchers from Khoury College of Computer Sciences at Northeastern University in Boston demonstrated how aircraft instrument landing systems can be attacked and misguided into landing incorrectly. Instrument landing systems are precision approach systems that give critical real-time guidance pertaining to the plane’s alignment with a runway and angle of decent. Pilots rely on this radio-based navigation system to guide them in situations when visibility is low, such as when there is rain or fog. According to researchers, most wireless systems used in aviation are vulnerable to cyber-physical attacks as supported by the demonstrated spoofing of wireless signals to critical aircraft landing systems through the use of inexpensive software-defined radios (SDRs). The spoofing attacks demonstrated by the Northeastern University researchers involved the use of commercially available (SDRs), worth between $400 and $600. These SDRs were used in two varieties of spoofing attacks, one in which high-powered signals were broadcasted to overshadow legitimate signals sent by the airport ILS transmitter and another in which lower-powered signals were broadcasted to merge with portions of legitimate signals to cause a pilot’s course deviation indicator to give incorrect readings. The researchers also developed a real-time offset correction and signal generation algorithm to continuously adjust fake signals so that misalignments are consistent as the plane lands. If attackers are not sophisticated enough to perform seamless spoofing, they can still use malicious signals to execute denial-of-service attacks to prevent pilots from using instrument landing systems as they approach the runway. The U.S. Department of Homeland Secrurity’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a security alert in July for small planes following the discovery of a vulnerability that impacts modern flight systems. The ICS alert brought attention to a possible attack on a small plane in which a small device is attached to an avionic Controller Area Network (CAN) bus to allow an attacker to alter engine readings, compass data, altitied, and other critical readings. False instrument readings could cause a pilot to lose control of their aircraft, especially when a pilot depends on such readings. As such attacks pose a threat to the safety of an aircraft, efforts to reduce vulnerabilities in avionics systems must continue.

Aviation cybersecurity has become one of the top concerns for the nation. Raytheon, a U.S. defense contractor, is building new technology aimed at alerting pilots in the event that their planes are being hacked. The lack of security in the design of avionics systems and the U.S. military’s expectation that adversaries will hack a plane as major tactic in warfare, prompted Raytheon’s development of the Cyber Anomaly Detection System. This system will provide details to the pilot about a hacking incident in real time, which enable them to quickly make decisions as to what needs to be done to address the incident. According to Fry, a cyber-resiliency product manager at Raytheon, the serial data bus to which important electronics and avionics systems are connected in most aircraft lacks security in many U.S. military planes. Fry also stated that the implementation of more technology and commercial products to an aircraft increases the plane’s attack surface. DEF CON 2019 featured an Aviation Village, which security researchers and representatives from the U.S. Air Force and the U.S. Department of Defense Digital Service gathered to explore and discuss how on-board airplane electronic device communicate and operate as well as the security vulnerabilities contained by such devices that could be exploited by malicious hackers and efforts to discover these vulnerabilities. However, there was little involvement by airplane manufacturers and other commercial airlines at this event, calling for increased participation and efforts from these entities to work with security security researchers. Gerard Duerrmeyer, chief information security officer at Norwegian Air Shuttle, who was the only representative of a commercial airline to attend the Aviation Village said that he is looking to the automotive industry for lessons on how to improve the security of avionics systems as efforts to secure connected vehicles are improving. The Department of Homeland Security (DHS) decided to revive its efforts toward bolstering aircraft cybersecurity via a program. This decision followed a recent incident in which the European aerospace and defense giant, Airbus, experienced state-sponsored cyberattacks through its third-party supplier chain’s VPNs. The program will examine and test actual aircraft with help from the Pentagon and Transportation Department to identify and mitigate cybersecurity risks facing the aviation industry and improve the cyber resiliency of critical public infrastructure. Security researchers will need to further explore the major security holes contained by the avionics CAN bus system in order to develop countermeasures against potential attacks against this standard. According to Chris King, a cybersecurity expert who has conducted vulnerability analyses of large-scale systems, the CAN bus was never designed with security in mind in that there is no way of validating whether the source that is telling the system what to do is legitimate. The Cybersecurity and Infrastructure Security Agency (CISA) recommends that manufacturers of aircraft review the implementation of CAN bus networks in avionics and evaluate safeguards such as filtering, whitelisting, and segregation. There must be an increase in collaborative efforts among experts in government, academics, and private industry to develop methods and technologies for improving aviation cybersecurity.