In the age of advanced technology, the world of aviation is facing a new kind of threat. Cyberattacks in the aviation industry are very real, with hackers working around the clock to infiltrate the systems of airlines, airports, aircraft manufacturers and even satellites and space stations.
Just in January last year, there were more than 30 cyberattacks as reported in Eurocontrol’s Think Paper #3. Some of the attacks have been relatively low level, but occasionally there have also been massive data breaches.
One need to look no further than the case of international airline Cathay Pacific, a target of a hack in November 2018 that caused the leak of over 9 million people’s personal data.
At the Thirteenth Air Navigation Conference by the International Civil Aviation Organization (ICAO) in 2018, aviation was said to be a ‘system-of systems’. The systems are so interconnected, causing a significant risk of new security threats that could pose a great concern for the safety of aviation.
What are the risks?
The risk of aviation actors being hacked in the cyber sphere is very high. However, those attacks are generally very small-scale.
IT consultant Phil Kernick from CQR Consulting reported that Australian airports are being attacked on a daily basis. Airports in Israel, by way of another example, also reported fending off 3 million attempted attacks everyday. The European Aviation Security Agency, furthermore, reported a monthly average of 1,000 airport cyber attacks.
A common method hacker use are distributed denial of service (DDOS) attacks which try to lock operators out of their own systems, and then only let them back in once they’ve paid money.
Cyber security expert at McAfee Rodman Ramezanian provides some insight into the complexities of cybersecurity in the aviation industry:
Aviation’s most complex security challenge is attributable to the range of parties invested in the functional operation and their high levels of integration, including aerospace supply chains, manufacturers, airports, carriers, regulatory bodies, and, of course, passengers. The aviation industry is dependent on distributed architectures for delivery of efficient services, including distributed networks and interdependent physical and cyberspace functions. The industry also abides by governance constructs involving multilevel authorities, responsibilities, and regulations.
Nevertheless, cybersecurity breaches can have more dire consequences and the industry needs to understand these risks. In August 2018, Air Canada reported a breach affecting the personal data of 20,000 people. In September that year, British Airways announced that they had suffered a breach potentially affecting 380,000 people.
The risk extends to more than just privacy of people’s personal information. GE Aviation announced that China had tried to steal trade secrets from them in order to give the nation an advantage over the U.S. in the aerospace arena.
In 2006, the U.S. Federal Aviation Administration (FAA) shut down a portion of its Air Traffic Control systems after an unexpected cyberattack. A subsequent audit found that the use of commercial software and Internet Protocol-technologies in a bid to modernise operations had placed the system at a high security risk as operations were not properly secured to prevent unauthorised access.
One survey found that only 35% of airlines and 30% of airports see themselves as properly protected from these cyber risks.
What can be done to stop and prevent such threats and how can we improve the cybersecurity of aviation?
From Education to Installing Safety Measures
First and foremost, education is needed. From top senior management to technicians, everybody needs to be introduced about the phenomenon of cyber threats and get familiar with the ways of how cybersecurity needs to be implemented.
Digitisation brought a lot of convenience into everyday tasks, and while we mostly welcomed all these changes, we have not been diligent when it comes to installing safety measures. It is of great importance to set up prevention but to also know the procedures if it comes to the cyberattack. Responding and recovering from it is the most important aspect post-attack.
Payment cards, passports, personal details – all of that is at risk. Travellers are entrusting airlines with their information, but once it gets leaked, it would be almost impossible to gain their trust back. That is why having functioning security measures is an important part of protecting the reputation in the business, as well.
IT Sector as a Vital Organ
Strengthening your airline or your airport’s IT department is the first step towards implementing the most effective measures. You need professionals for this kind of job and hiring more experts in this area is today a necessary move.
We asked Rodman Ramezanian at McAfee where aviation should start. He said:
For any industry, assessing and mitigating each participating entity’s cyber risks improves that industry’s collective protection of its critical processes. Each entity must understand its proverbial “crown jewels,” along with their potential attack surfaces, vulnerabilities, and impacts. With that information, security practitioners can determine an entity’s current risk level and recommend minimisation and mitigation strategies.
For example, an airport could identify air traffic control as a critical function, with security practitioners identifying commonly used protocols and communication platforms as an avenue for manipulation. Enterprise servers housing sensitive and proprietary aircraft design documents would be deemed highly valuable and may require stringent vulnerability assessments and security measures in place.
Data feeds from radar and satellite equipment may be prone to Man-In-The-Middle attacks and threats of data corruption, requiring fault-tolerant and scalable security solutions to ensure the confidentiality, integrity, and availability of such sensitive information.
Amalina Jumary from Avlaw Aviation Consulting notes that a general consensus in the industry is to have a harmonised approach in managing threats from cybersecurity which includes all stakeholders from aircraft manufacturers, air traffic control systems, engineering companies that fit the different systems onboard like Thales and aviation safety regulators.
For example, Individual organisations like the European Aviation Safety Agency (EASA) have made amendments to make it mandatory for manufacturers that are seeking certifications to provide evidence that threats leading to unauthorised access of electronic information or systems are addressed. Similarly, Boeing is establishing a Cyber Technical Centre to support the cyber security needs of its customers.
IT is a field that is developing at an incredible pace and only a selected few can keep up with it. Hire professionals who have a proven track record of stopping data breaches and who can think like a hacker and predict their next step.
Ramezanian stresses that “to reduce unnecessary impacts, it is imperative for cyber security to be integrated into business operations and innovations, and not implemented as an afterthought”.
Risk Prevention and Assessment
From choosing stronger passwords to more sophisticated safety programs, remember that the first step to improving the security is to educate and train your employees. Also, the more new technological innovations are introduced, there are more chances for cybercriminals to attack.
El Al Airlines, Israel’s national airline, has introduced an anti-malware system developed by Nyotron known as PARANOID. This system aims to stop malware trying to corrupt and delete your data, working closely with your command and control servers.
You need to detect vulnerabilities and work on them. These include installing systems to detect vulnerability exploits as well as zero-day attacks. Coming up with a prevention plan for every aspect of checking-in, onboarding the passengers and getting them safely to their destination needs to be revised. The same goes for air traffic controls and other communication channels.
Each program and gadget that has a connection to the Internet can be used as a pathway to entering the system and causing havoc. That is something that not many people are aware of.
Bright Future for Aviation Ahead
The good news is that the problem is noticed and that air companies are fully aware of it. While travellers are enjoying the perks of digitized flying experience, like faster boarding and online reservations, in time airports and airlines will be able to vouch for their technology and promise safety.
For more information about cyberattacks in the aviation industry, check out the Atlantic Council’s in-depth survey and report on this topic named Aviation Cybersecurity: Scooping the Challenge. More resources on the subject matter can be found on the IEEE website, which deals with cybersecurity in general.
If you need more information, feel free to contact AvLaw Aviation Consulting Agency at any time.
The views and commentary expressed by Rodman Ramezanian contained herein strictly belong to Mr Ramezanian only, and do not necessarily represent McAfee’s positions, strategies or opinions.