Cyber Threats to the Aviation Industry
There are 5,000 planes in U.S. skies at any given time, and most aircraft operations rely on software. As the air travel industry has become dependent on information and communication systems, more cyber threat access points have been created that could lead to malfunctions or compromise customer data. Aviation stakeholders need to boost cybersecurity efforts to ensure customers have a safe travel experience.
Digital technologies are used by air traffic management, airports and supply chains for efficiencies. For instance, aircraft systems connected to ground services with live monitoring allows for quicker and more cost-effective identification of service issues while airborne.
More airports plan to roll out systems that permit greater airspace flexibility and higher traffic densities. While higher productivity will be the result, more shared users on interconnected platforms translates into additional access points for cyber threats.
As Bob Delorge, Vice President of Transportation and Support Services at Raytheon, explained at the recent U.S. Chamber of Commerce Aviation Summit, threats from cyber are not visible and are always evolving. Many citizens take for granted how digitally connected we are.
Wi-Fi on aircraft is increasingly offered because it provides customers with entertainment and a method of communication in the air. Wi-Fi also allows airlines to engage with patrons and capitalize on services.
However, Wi-Fi on a plane is not secure. This means anything done on a laptop or phone using the aircraft’s network could potentially be hacked. One fellow passenger read emails accessed by a reporter using the plane’s network during a flight.
One failure in the airline industry could cause terrible cascading effects, such as the mass grounding of planes and cancellation of flights. Customers’ confidence in the industry would decrease, and serious financial implications would result. The August 2017 Delta Airlines outage that lasted for only five hours resulted in 2,000 flight cancellations and cost the company $150 million.
Cyber vulnerabilities of the aviation industry have been demonstrated many times in the past. Experts at the Department of Homeland Security hacked into the avionics of a parked commercial plane last year as part of a test.
A computer virus spread to air traffic control systems, and the Federal Aviation Administration (FAA) had to shut down operations in Alaska as a result. In another attack, adversaries took over FAA network servers and gained access to about 48,000 FAA employees’ data.
One particular vulnerability amongst aircraft and airline operators is the Aircraft Communications Addressing and Reporting System (ACARS), a digital air-to-ground communication network. It is an unencrypted openly transmitted messaging system that lacks security.
Cyber threats that successfully penetrate ACARS could provide bogus flight plan updates, false weather information and fake messages between aircraft and ground controls. Furthermore, many aircraft have ACARS connected to the Flight Management System, which directs navigation routes, databases and airfield details. Linking these systems transmits flight plans efficiently, but they are also more exposed to risks since unauthorized parties could potentially access data.
An encryption standard for ACARS exists, but it is not consistently adopted. Encryption is important because it encodes information so that only authorized parties can access that information. ACARS on all flights should implement the encryption standard to block cyber threats and prevent critical data related to plane navigation from being manipulated by a hacker.
According to Delorge, cyber is a domain where multiple layers of architecture are involved. Stakeholders must understand that no one solution provides cybersecurity. This is why it is critical for all aviation sector participants to work together to identify threats and risks.
Since networks today are widely shared and interconnected, aviation systems need to be created with the expectation that failures and intrusions will occur. It is necessary for stakeholders to have the ability to detect intrusions and implement appropriate responses after discovery.
Raytheon is developing an early warning system that will notify pilots when digital systems appear to be compromised. It will scan communication aircraft systems that control, monitor and transfer data between aircraft for anomalies. After detection, a response can be implemented to contain a threat and prevent it from spreading to other systems.
In addition, databases owned by aviation stakeholders need to be distributed in multiple locations as backups. This ensures that one catastrophic event does not compromise data and allows for safe contingency operations and rapid recovery from failures and malware.
The aircraft supply chain is also exposed to cyber risks. Manufacturers often outsource production to other countries to reduce costs and deliver projects quickly. Systems belonging to multiple stakeholders are usually interconnected and thus are more vulnerable to cyber risks.
One example is 3D-printed parts that are widely used on aircraft today because they are lighter and stronger than traditional components. Since 3D printing is digital, adversaries could compromise the printing process by disrupting or deleting firmware, software or product designs, stealing design files and modifying the printing process to weaken products.
While it is difficult to track who has access to each system at all times, supply partners need to work together to develop trust and identify and solve cyber risks. Senior management support is necessary to harden aviation systems because budget resources are required to identify, analyze and remediate technical vulnerabilities and minimize exploitable weaknesses.
Stakeholders can try their best to prevent cyber threats from penetrating their networks, but it is likely that a malicious attack will enter systems at some point. Identifying the threat and implementing an appropriate response is key to limiting the amount of damage any one attack can cause. Aviation industry stakeholders must continue to work together to prevent and respond to cyber threats to guard their businesses and maintain customer confidence.
Constance Douris is Vice President of the Lexington Institute. Her current research interests include energy, the electric grid, ballistic-missile defense, nuclear strategy, European security, and the Greek financial crisis. You can follow Constance at @CVDouris and the Lexington Institute @LextNextDC.