Cyber attacks on the aviation industry are becoming a sensitive issue. Considering that cyberspace provides a low-cost haven for carrying out a broad range of disruptive activities, it is reasonable to conclude that hackers will consider the aviation sector as one of their targets.
Also, because of lower risk, cyber terrorism is replacing the bomber and hijacker and becoming the weapon of choice when it comes to attacks against the aviation industry.
Hosting one of the most integrated and complex ICT systems, and with increasing inter-connectivity, the aviation industry faces threats on multiple fronts from adversaries working in anonymity.
Cyber threat actors conduct attacks focused on theft of personal data, malicious intent, financial gain, hacktivist national and political motivations, and physical damage. Therefore, adopting a risk-informed cyber security roadmap derived via threat analysis to strengthen the aviation industry’s resilience against cyber threats is of utmost importance.
Owing to onboard and offboard computer systems, navigation systems and prevalent use of data networks, cyber attacks and data breaches are perceived to be growing threats for the aviation sector. The following are some of the leading threats faced by the industry.
Phishing attacks have already been successful against victims employed in the aviation industry. Last year, CIS (Center for Internet Security) reported that 75 US airports were the targets of advanced persistent threats (when unauthorised groups or individuals gain access to an organisation’s network). A public document listing email addresses of the targeted airports was listed as the root cause of the attack.
This is when an attacker injects a ghost flight into the air traffic control system to alter the projection and mapping of airplanes, or delete their position from the radar screen. The attack can have dire consequences as the hackers compromise the accuracy of data provided to the aircraft management, such as speed, location and direction of nearby airports and other planes.
Security flaws in communication technologies utilised in the aviation industry enable hackers to remotely attack and control in-flight and on-board systems. A hacker has demonstrated how the flight management system (FMS) could be attacked, which can open a gateway for cybercriminals to attack other critical systems such as flight controls, engine and fuel systems, navigation receivers, surveillance systems, aircraft displays, and others.
DDoS and botnet attacks
Distributed-denial-of-service attacks have grown in popularity to carry out a range of malware injection activities. Within such attacks, hackers utilise botnets of compromised networks to flood air traffic control and other critical systems with traffic, which results in a crash of the platform. Attackers may also ask for a ransom amount from the authorities to prevent disruption of flight management and control systems.
IOActive’s consultant discovered vulnerabilities in the onboard system that could allow hackers to use the onboard Wi-Fi signal or in-flight entertainment system to hack into the plane’s avionics equipment, and disrupt or modify satellite communications. It is also believed that after the hack, the plane could be landed successfully via a remote control. A framework of code injected by cyber terrorists can get into the plane’s system and override security implementations.
Ensuring secured aviation systems and staying ahead of these threats requires the aviation industry to collaborate with manufacturers, governments, airlines and airports. It is also important for the sector to establish a cyber security culture and develop mitigation and prevention strategies after threat analysis.
A proper security framework should understand the risk and nature of the threats, conduct research and development, and communicate the risk and ensure situational awareness. It should also take necessary measures to strengthen the defense system and design mitigation strategies, and ensure the industry and government are working together to keep threats at bay.
The industry must learn from successful collaborative examples of industry and government to design aviation cyber security solutions. An example is CAST (the Commercial Aviation Safety Team), which created a risk management model to reduce cyber risk and initiated new safety and government initiatives.
Additionally, the aviation sector can reduce the risk of cyber threats being successful through the following implementations.
1. Share data with the government
It is important for the industry and government to share data to address sensitive aviation cyber risks. The current means for industry stakeholders and the government to address such issues is the CIPAC (Critical Infrastructure Partnership Advisory Council). And as cyber threats may cause ramifications at an international level, mechanisms must be in place to exchange data so that both the government and the aviation industry work together to mitigate damage when attacked.
Both these industries can also consider integration of threat intelligence feeds that notify when control systems are attacked and point out the location of threat actors. This data can be used to curb the damage and prevent risks in the future by making appropriate security implementations.
2. Implement cyber education policy
To prevent threats such as phishing scams, organisations in the industry should implement a cyber education policy for everyone attached to the organisation. Employees should be educated to detect malicious emails and to avoid opening any links that look suspicious. The policy can also include social networking best practices as employees may upload credentials to social networks that may give hackers clues to their official email accounts.
Two-factor authentication should be implemented where possible to prevent access to official accounts even if credentials are breached. As an SMS code needs to be entered as a second step to gain access to an account, hackers without physical access to an employee or management smartphone won’t be able to use the account to gain more information. The aviation industry heavily depends upon cloud services, which usually provide the option of two-factor authentication.
3. Use NED and IFE systems
Another important measure the aircraft industry should take is to start using NED (network extension device) solutions. These solutions enable data transfers between IP-based equipment (such as IFE systems) and avionics systems. The NED solution will enforce network security through firewalls, as well as manage high-speed datalinks and communication systems to provide connectivity between ground/satellite networks and an aircraft.
And although IFE systems are generally difficult to use to conduct cyber attacks, the companies in the aviation industry should ensure that the vendor of the IFE system has integrated a degree of built-in security in the solution, which would add another layer of security apart from the security provided by the NED or aircraft working equipment.
4. Secure vulnerable bottlenecks
Which parts of the control network can become a weak link or a bottleneck in a cyber attack? Is it the wireless system? Or a network load balancer? The aviation industry needs to secure all vulnerable bottlenecks with the latest security implementations available. For example, if a network is discovered as vulnerable, aircraft can use VPNs (virtual private networks) to separate several networks in an aircraft. VPNs are generally considered somewhat safe from cyber threats.
While it is not feasible for aviation cyber security authorities to check every single bottleneck, they should be able to provide guidance regarding common vulnerabilities and how cyber issues should be mitigated if an attack takes place. Such guidance must evolve to encompass theoretical cyber issues as well so that the aviation industry can prevent cyber attack-led damage more swiftly.
5. Establish a common cyber security standard
With the aviation industry now hosting one of the most complex control and ICT systems around the globe, it needs to develop a common cyber security standard that should be followed by every organisation associated with the industry. Applying common practices or standards can help provide mitigation against cyber threats.
For instance, applying encryption standards to communication would reduce the risk of man-in-the-middle attacks and other cyber threats in control and aviation systems. The full implications of the increased ICT dependency and connectivity need to be understood to ensure establishment of common cyber security standards in light of evolving cyber risks.
Lastly, international aviation organisations should act in harmony to formalise a common front against the cybercriminals, hacktivists, hackers and terrorist groups to stop malicious attacks ranging from general disruption and theft of information to potential loss of life.
Cyber signatories should proactively share critical information such as risk assessments within and outside the industry to promote a robust cyber security culture for the benefit of all actors in the sector.
Sourced from Dan Virgillito, Infosec Institute