Enhancing In-Flight Cybersecurity
When Wilbur and Orville Wright took off from Kitty Hawk, North Carolina, in 1903, their aircraft was a gasoline-powered, propeller-driven biplane. The machine consisted of a crude engine, wood, muslin, and light but inflexible wire wing struts. Everything was done manually, requiring the brothers to have incredible flight skills and rapid response capabilities should an emergency—such as an engine failure—occur.
Today’s airplanes are a bit more advanced than the Wright brothers’ creation. Most modern planes are made of aluminum and feature tremendous engine power. To help pilots safely fly them, they also often come with autopilot systems and software, all connected to an internal computer system requiring patches and updates as a part of regular maintenance.
These technological advancements helped increase safety and security for flight transportation. But they also created new vulnerabilities that manufacturers, regulators, and operators are only just beginning to understand and address.
This was most horrifically evident in the two recent crashes of Boeing 737 MAX airplanes—Ethiopian Airlines Flight 302 and Lion Air Flight 610—which collectively killed 346 people. Investigations into the causes of the crashes revealed a flaw in the planes’ Maneuvering Characteristics Augmentation System (MCAS). When the MCAS received an erroneous sensor alert, it pushed the aircraft’s noses down into a dive—ultimately crashing the planes into the ground despite pilots’ efforts to correct the course.
“We now know that the recent Lion Air Flight 610 and Ethiopian Airlines Flight 302 accidents were caused by a chain of events, with a common chain link being erroneous activation of the aircraft’s MCAS function,” Boeing said in a statement. “We have the responsibility to eliminate this risk, and we know how to do it.”
Boeing later announced that it suspended production of the 737 MAX because the U.S. Federal Aviation Administration (FAA) must recertify the MCAS system that caused the two fatal crashes.
The tragic incidents highlighted how software flaws can have major consequences for the aviation sector—even when not compromised by a malicious actor. To better understand how the aviation industry is responding to and mitigating threats to its increasingly digitized systems, the Atlantic Council created an initial survey that mapped the diverse perspectives around the globe on cybersecurity in aviation.
The 2017 survey, Aviation Cybersecurity: Finding Lift, Minimizing Drag, found that aviation cybersecurity needed global standards, along with increased transparency and trust between stakeholders, and increased focus on passenger safety.
To follow up on this work, the Atlantic Council released a new report in December 2019, Aviation Cybersecurity: Scoping the Challenge, which analyzes the responses of 244 individuals on aviation cybersecurity.
“The digital attack surface the aviation sector presents to its adversaries continues to grow in such a way that both managing risk and gaining insight on it remain difficult,” the report found. “With emerging technologies like machine learning and fifth-generation telecommunications seeing wider adoption—alongside electric vertical takeoff and landing, autonomous aircraft, and increased use of space—aviation-cybersecurity risk management is on the cusp of becoming more complex.”
The 2019 survey found that cyberattacks on aviation organizations appear to be increasing, ranging from ransomware and thefts of personally identifiable information to spoofing attacks on Global Positioning System (GPS) signals.
“Outages caused by either signal interruptions or spoofing could rapidly cause operational impacts,” the survey said. “An example is that, in 2019, a short period of system errors across some Automatic Dependent Surveillance-Broadcast units caused about 400 flights to be cancelled.”
Respondents also expressed concerns that the first round of cyberattacks will likely focus on impacting confidentiality of data or availability of systems before pivoting to compromising data integrity, which pilots and other officials rely on when making decisions.
Another threat is that terrorists may begin using cyberattacks on the aviation industry as physical attacks become increasingly challenging to carry out.
The survey also found that despite a strong culture of safety in the aviation sector, most airlines failed to incorporate cybersecurity into training for pilots, air-traffic controllers, and other critical staff that would help them recognize or manage aviation-cybersecurity incidents.
“Research by the European Union Aviation Safety Agency carried out in 2016 used a flight simulator to assess the potential safety impacts of cyberattacks on aircrew,” the survey explained. “The results demonstrated that it was challenging for the crews to recognize such attacks, but if standard flight-operation practices were followed, safety issues could be mitigated.”
Executives responsible for flight safety must incorporate cybersecurity into their governance and organizational structure, the survey added, because in an emergency, individuals in safety positions—pilots and air traffic controllers—can make decisions that save lives.
“For years, the human operator has always been seen as the critical link in the flight-safety chain, as he or she is able to recognize and prevent flight-safety incidents,” the survey found. “With connected, digitized technology now underpinning safety-critical systems, there is now a risk of adversaries undermining that critical safety break.”
Survey respondents also expressed the need for global aviation cybersecurity regulations and standards that accompany a culture of cybersecurity driven by senior leadership.
“In minimizing risk, aviation already has an effective model in flight safety, where there is never enough effort, and risk is always being driven down,” the survey said.
While the Atlantic Council was analyzing its survey findings, the International Civil Aviation Organization (ICAO) was making strides to address cybersecurity. In October 2019, it adopted its first Aviation Cybersecurity Strategy.
“Recognizing the multi-faceted and multi-disciplinary nature of cybersecurity, and noting that cyber-attacks can simultaneously affect a wide range of areas and spread rapidly, it is imperative to develop a common vision and define a global Cybersecurity Strategy,” ICAO said in its vision statement.
Captain Andreas Meyer, aviation cybersecurity officer, aviation security policy, for ICAO, spoke at a panel event in Washington, D.C., about the Atlantic Council survey. He said that ICAO’s adoption of a strategy is a good start, but work remains to be done.
“It sets for the first time a global vision for cybersecurity,” he said. “We need to provide an action plan—not all states are at the same level, and we need to bring them up to speed.”
The ICAO strategy is structured into seven pillars: international cooperation; governance; effective legislation and regulations; cybersecurity policy; information sharing; incident management and emergency planning; and capacity building, training, and cybersecurity culture.
Due to the international nature of civil aviation, ICAO stressed that cooperation at the national and international levels for the development and improvement of cybersecurity is critical.
“Aviation cybersecurity needs to be harmonized at the global, regional, and national levels in order to promote global coherence and to ensure full interoperability of protection measures and risk management systems,” the strategy said.
The strategy also emphasized that the human element is at the core of cybersecurity, and the aviation industry needs to take steps to increase the number of qualified and knowledgeable personnel in aviation and cybersecurity.
“This can be done by increasing awareness of cybersecurity, as well as education, recruitment, and training,” according to the strategy. “Curricula relevant to cybersecurity, and—where practical—aviation-specific cybersecurity at all levels should be included in the national education framework, as well as in relevant international training programs. Innovative ways to merge and crosslink traditional information technology and cyber career paths with aviation-relevant professionals should be pursued.”
American Airlines Senior Cybersecurity Analyst Olivia Stella said on the same Washington, D.C., panel that the airline has been building on its culture of safety to incorporate cybersecurity. But she added that the effort will need more personnel with cyber expertise.
Stella also said more needs to be done to encourage the research community to report vulnerabilities directly to airlines so they can be addressed before being exploited by malicious actors.
“We need to grow to remain competitive and resilient,” she said. “We need to be more open in working with the research community…have higher transparency and be more open.”
The ICAO strategy encourages member states to create mechanisms to cooperate with good-faith security researchers.
“This change should globally help drive positive and productive engagements between the aviation industry and security researchers,” the Atlantic Council survey said. “From the results of the survey and workshops, respondents thought that such cooperation is a positive development for the aviation sector.”
However, some respondents said that there continues to be a lack of guidance for researchers wanting to share vulnerabilities with the aviation sector in a safe and legal manner.
“The perceived difficulty that good-faith cybersecurity researchers face when contacting companies within the aviation sector also contrasts with the results that point to organizations firmly welcoming such approaches,” according to the survey. “If the aviation sector can create and promote clearer and easier processes for researchers to work with them, it is obvious that there is great benefit to be had for both stakeholder groups.”