Intruder Alert: Industry Experts Weigh In on Cybersecurity Risks

    Image: Marcelo Cáceres

    APEX Insight: Armed with a steadfast cybersecurity strategy, aviation industry stakeholders are ready to meet hackers head on.

    Cybersecurity is front of mind more than ever, even casting a shadow over the recent US election. In aviation, claims of successfully hacking into an aircraft’s avionics system have surfaced – but are not yet proven. The Federal Aviation Administration maintains: “The FAA and industry have worked together on aircraft cybersecurity over the past 20 years, and there have been no US commercial accidents or incidents from intentional unauthorized electronic interaction with onboard aircraft systems.”

    Despite the FAA’s assurance that no sign of a successful cyberattack has ever occurred on a flying aircraft, the threat looms. Non-US airports have been hacked, including passport control systems and baggage-handling networks. The industry isn’t taking any chances. It’s ramping up security and taking precautions for the day it detects an intruder.

    Enter the Danger Zone

    A security-minded airline, airport or in-flight connectivity company must begin at the beginning. Step one is about being aware of relevant cyber risks. “Organizational awareness will drive decision-making across the business, from budget allocation to cyber-risk management,” says Fred Schreiner, chief technology officer of Thales Avionics InFlyt Experience. “Good preparedness is a delicate balance between business priorities and cyber-risk management priorities, where awareness of threats in terms of frequency, intensity, target and magnitude of potential consequences is critical to understanding how priorities should be managed.”

    “You need a good threat analysis for where you’re vulnerable to some sort of event that could disrupt your operations or cause some sort of malicious outcome.” – RJ McLaren, Kontron

    Joel Otto, VP of Strategy, Development and Technology for Information Management Services at Rockwell Collins, agrees. “You need a good threat analysis for where you’re vulnerable to some sort of event that could disrupt your operations or cause some sort of malicious outcome.” And that analysis is not an endpoint, but an ongoing process, says RJ McLaren, manager of Product Marketing at Kontron. “Make sure you have your equipment, especially servers and wireless access points, up to the latest standards – and those change quite rapidly.”

    The Villain With Many Faces

    As the tech landscape changes, so do the mechanisms of a cyberattack. We’ve likely all heard of phishing – where a hacker tries to get the victim to willingly divulge compromising or valuable information – but what about “spear-phishing”? It’s the latest version, personalized just for you. “Modern phishing attacks leverage a huge trove of social media information, thereby making phishing e-mails appear relevant and legitimate to very specific users,” Sam Miller, product security officer at Thales Avionics InFlyt Experience, explains. It’s as if the hacker is already in your head, having gleaned information you may not have been aware you were leaking.

    Otto says when you consider the fact that an airline and its network of operations are global – at least multinational – and how an airline needs to exchange information from aircraft to airports to customs and immigration and so on, distributed denial of service (DDoS) attacks, which inundate online services with traffic from multiple sources, are even more relevant than the movie-plot type hacks, such as impersonation. Not only does the data need to be protected, but the connection as well. One way of doing this, Otto says, is already common practice: running critical operations on a private network to keep them a step removed from the Wild Wild West of the open Internet.

    “How do we make sure we can detect it when it happens, and then make sure it doesn’t cause a discontinuity of operations?” – Joel Otto, Rockwell Collins

    In the age of the connected airplane, perpetrators, victims and targets must be looked at in slightly different ways. The ecosystem of the connected aircraft is a complex place. “What don’t we want to happen?” Otto asks. “How do we make sure we can detect it when it happens, and then make sure it doesn’t cause a discontinuity of operations?”

    Those questions are important to stakeholders in flight operations, and every stakeholder in that complex relationship has its own property to protect, says Andy Mason, VP System and Program Management, Avionics, Transportation and Defense at Kontron: “If we have a media server that’s being used to serve up copyright-protected content, we want this to be secured against unauthorized access.” For this, Mason says, the Motion Picture Association of America maintains its own security certification, so add that to the stack of regulations that a responsible company will need.

    The hack itself can even be considered a piece of content with its own market value. Miller says, “As we have seen in the most recent DDoS attacks, perpetrators may be looking for economic gain solely as a supplier of DDoS capabilities … rather than seeking economic gain by damaging a specific business. This is a new market for selling cyberattack capabilities that will have a significant impact on the rapidly growing world of the Internet of Things [IoT].”

    There Are No Bystanders

    As more passengers board with more connected devices such as smartphones, tablets and laptops, keeping personal and sensitive data – that of passengers and airlines alike – secure is key. McLaren says that more complex networking tasks mean more revenue streams, which means more personal data is getting pushed out, and more opportunities for ne’er-do-wells to have a go at your personal info. “Make sure the equipment you’re putting on your aircraft is up to the latest standards,” he says. This security-mindedness also works the other way. “Make sure you’re protecting the in-flight connectivity system from unauthorized access,” says Mason.

    The threatscape is rapidly changing, and will continue to do so. “The goal of 100-percent prevention is nearly impossible, and ultimately impractical. This means we must do better in terms of detection capability,” Miller says. The goal is real-time detection that sniffs for new threats even as those threats emerge in the wild for the first time.

    Living in Public

    So, is there room for anonymity in the future of commercial air travel? The answer is no. This is not necessarily against passenger wishes, though. “The biggest value you’re going to get out of the travel experience will come from some sort of data exchange,” McLaren says. “To get a service, you give up a chunk of data. There’s a lot of value to it, but I’m sure a lot of people are very nervous about it.” And still, passengers choose to be connected, and so aircraft have become a part of the connected world.

    “In addition to airlines wanting to provide a more personalized experience, security – including cybersecurity – necessitates a need for identifying individual passengers,” Schreiner says. “Additionally, by means of our personal smart devices in the IoT network, we are becoming increasingly connected and identified.”

    “Reducing cyber risk is a balance between the user’s needs and cybersecurity best practices.” – Sam Miller, Thales

    Modern cybersecurity is not an everybody-panic situation, according to our panelists, who must balance breathless headlines with real-world threats as part of their work. When they travel, they take that extra bit of care to make sure they’re keeping their personal and professional data safe. “Reducing cyber risk is a balance between the user’s needs and cybersecurity best practices,” Miller says. “For most travelers, it is impractical to leave a personal electronic device or laptop at home.” He suggests using a VPN (virtual private network) when connecting to unfamiliar Wi-Fi hotspots. (Mason can’t resist a quick Samsung Galaxy 7 joke, but likewise suggests taking commonsensical precautions.)

    There are a growing number of links in the security chain for a passenger airline flight: from the navigation to the in-flight entertainment and connectivity system to the devices brought aboard by passengers to the flight bag itself, with many more in between. As airplanes and airports become increasingly complex networking nodes, the Airline Passenger Experience Association is pushing for higher standards of security by sharing industry insights and leading conversations at APEX TECH conferences. Meanwhile, real-life risk management means recognizing threats, staying on top of emerging hacker trends and predicting potential targets. Cybersecurity professionals need to constantly re-evaluate their strategies and tactics for when they must spring into action.

    “Intruder Alert” was originally published in the 7.1 February/March issue of APEX Experience magazine.