By David Smith
Instances of ransomware in the aviation supply chain have risen more than 600% in a year, according to a recent analysis by Boeing. The US company said sensors on almost every part of an aircraft had increased the range of potential vulnerabilities. Any component sending or receiving a signal can in theory be hacked. ICAO, which develops standards and procedures to fight cybercrime, agrees with Boeing that the threat has “grown exponentially” during the past decade.
Professor Krishna Sampigethaya, chair of cyber intelligence and security at Embry-Riddle Aeronautical University in the USA says, “The aerospace industry is attractive for cybercriminals.
“Dangers have increased because of the amount of technology coming into aviation. When software is constantly updated, weak points are exploitable, and aircraft may not be resilient to an emergent vulnerability.
“An aircraft has hundreds of boxes that collect, process, and transmit data and must be updated. It is hard for all of them to keep up with the rapidly evolving threat landscape given the existing requirements and constraints of aviation.”
Sampigethaya, who teaches courses on cybersecurity for ICAO, says the aviation industry is not serious enough about combatting cyber physical attacks.
“An example would be a cyberattack that targets the behavior of physical components. They are damaged but everything looks fine to the operator,” he says.
“The possibility of such attacks on physical systems means that the threat is comparable to terrorism. There is also too much trust in dependent systems. For example, air traffic control systems are liable to attack.
“But companies often do not want to open Pandora’s Box and look more closely at each technology, because it is a very costly process. They also often do not have expertise in-house and require external help from cybersecurity experts.”
According to Saulo Da Silva, chief global interoperable systems section at ICAO, an aircraft’s controls cannot be hacked. There are three different and isolated networks within a commercial passenger aircraft – aircraft command, information, and passenger entertainment. But lots of other elements in aerospace have been exposed, he says.
Independent research firm KonBriefing said there were 38 cyberattacks in the aviation sector last year, with 13 in the USA. A Eurocontrol report published in summer 2021 about the “rising tide of cybercrime” estimates there is a ransomware attack every week in the aviation sector. It says 61% of attacks in 2020 were on airlines and that the vast majority (95%) were financially motivated. Eurocontrol’s 2022 analysis revealed the most common attacks as ransomware (22%), data breaches (18.6%), phishing attacks (15.3%), and Distributed Denial of Service (DDoS) attacks (7.3%). The data also revealed a significant rise in cybercrime in 2022.
The “total attack surface” has grown significantly as remote systems like IoT sensors, actuators, biometric readers, robotics and cloud applications require web connectivity. Mobile phones and bring your own device (BYOD) policies add more weaknesses. Important targets for hackers include reservation systems, flight history servers, ticket booking portals, flight management systems and cabin crew devices.
Rob Pocock, technical director at cybersecurity firm Red Helix says that dependency on the cloud to store information has exacerbated risks.
“Aviation is changing as all industries do. Even the UK’s Ministry of Defence uses the cloud for data storage now. There is a point when the advantages outweigh caution,” he says.
Attacks can come from a variety of sources. Cybercriminals are often behind ransomware attacks, but there is also the possibility of insider attacks from dissatisfied employees and state sponsored groups.
Some of the worst hacks compromise customer data and expose credit card details. In 2016, the 1937CN group from China hacked the website of Vietnam Airlines, stealing the confidential data of 411,000 members of its frequent flyers’ club. A sophisticated hack in January 2020 of EasyJet’s booking systems compromised nine million customers’ data. Thousands of stolen credit card details including security codes were exposed.
In 2021, Air India admitted that the personal data of 4.5 million passengers had been compromised following a data breach at air transport data giant SITA.
A state-sponsored hack occurred last year when the Chicago Department of Aviation, FlyChicago.com and other websites associated with O’Hare International Airport and Midway International Airport were taken offline. The Russia-aligned hacking group KillNet claimed responsibility for the coordinated attacks and posted on messaging app Telegram a list of state websites it was targeting. KillNet also claimed responsibility for cyberattacks against Estonia and Lithuania.
As well as stealing data or money, attackers may aim to create chaos and destruction. Changing passenger lists, routes or luggage inventories can impact an airline’s operations and damage its reputation. In 2022, numerous airport websites were targets of DDoS campaigns arising from the Russia-Ukraine conflict. “They can cause panic among the passengers by hijacking the reservation systems connected to the internet. The result can be delays in flights and congestion at the gates, which can affect the safety of operations,” says Da Silva.
Pocock believes it’s essential to understand cybercriminals’ motivations to predict where the next threat will come from. His main focus is the intersection between airframes and the large enterprises entering the aviation space.
“The airframe and safety systems are isolated and safe for now. But as we move further with digital transformation, there is going to be more of a connection between those systems,” he says. “If I am flying first class in a private cabin and I use my iPhone to control the lighting, then suddenly, you’ve got an important network in an aircraft being controlled by a smartphone which may contain malware,” he says.
Pocock believes that technology companies will prioritize profit and have a different mindset from the aerospace industry. “Supply chains are not massive, and they are self-contained, but we are going to see disruptive organizations entering the sector. They may use different supply chains and do their own security testing, or coding and writing.
“Instead of the careful processes of a Boeing or an Airbus, these innovators could be cutting corners.”
Updates and installs
Updating or introducing new software can also create vulnerabilities. Sampigethaya points to the F-35 fighter jet as an example of a potentially hackable airplane. Often called a “flying computer” because it relies on digital connectivity, the aircraft has multiple layers of security, making it impossible for distant hackers to control it. “Its mission makes it a target for cybercriminals linked to nation-states, who may aim to exploit and degrade its capability,” he says.
Open-source software has been flagged as another weak point. But Matthew Arnow, head of public sector solutions at software developer Tidelift says that the overall cyber risks are comparable to other types of software.
“More organizations are taking the challenges with managing open-source security seriously in the wake of last year’s Log4Shell vulnerability, which impacted companies using the log4j logging library,” Arnow says. “Many companies lost countless hours triaging the impacts on their organization. The first ever Cyber Safety Review Board report published by the US Government reported that one cabinet department spent over 33,000 hours remediating Log4Shell.”
Although the consequences of a vulnerability during a flight are disastrous, the most common impact of everyday vulnerabilities are decreased productivity, downtime, and lost revenue believes Arnow.
Satellites and drones
The nascent satellite industry could also present new risks, says Sampigethaya, as small satellites are within reach of hackers and manufactured by a whole supply chain of actors. “Injections of threats could happen and it’s becoming more of a concern. There’s been a Hack-A-Sat contest at the hacker convention DEF CON since 2020. This year SpaceX and NASA sent a satellite into low-earth orbit in the hope it could be hacked,” he says.
Drones that fly low are within reach of hackers and are another weak point. States and local governments use drones for environmental and disaster management, infrastructure updates, and other critical urban planning tasks. But drones often do not have the same security measures as computers or commercial aircraft. Meanwhile, fleets of commercial drones could also pose problems.
“If a drone is taken over by a hacker, the consequences of groceries not being delivered are manageable. But thousands of drones under unauthorized control flying into power lines would be a major issue,” Sampigethaya says.
Pocock says Red Helix works with aviation companies with different attitudes toward cybercrime. Some understand the dangers and how to fix them, and some realize there is a problem, but do not know how to solve it.
“The third group is the worst,” says Pocock. “They put their head in the sand because it is too complicated. We have to spend a lot of time convincing them about the catastrophic costs of being hacked.”
When they do begin to take it seriously, he says there are several effective techniques. First, it is best to adopt a “zero-trust architecture” approach. With so much technology handling sensitive information, all devices and users must be checked rigorously.
Second, aviation businesses should introduce “comprehensive encryption” to protect the identities and financial information of thousands of passengers. Third, they have to carry out “threat monitoring” which is about keeping up with the cybercriminals that constantly monitor the networks. And fourth, “regular penetration testing” will ensure devices are up to date.
“Most threats arise from vulnerabilities that are easy to patch and fix. It just hasn’t been done because the companies haven’t got the processes in place to do it, or they are procrastinating,” says Pocock. “It is impossible to prepare for unprecedented new zero-day attacks. But most hacks go back to something that was known. Hackers spend weeks trawling the internet looking for systems which haven’t been patched.”
According to Da Silva, one of the biggest issues facing cybersecurity is identifying authentic identities. He is leading an ongoing ICAO project to develop regulations for an International Aviation Trust Framework (IATF).
“One of the most important tasks is to guarantee the identity of players in the ecosystem – what we call technical trust,” says Da Silva. “This is not just personal identity, but also the identity of systems such as computers with IP addresses.”
IATF began in 2015, but is a slow process because ICAO has 193 member states and there must be consensus on every aspect. Da Silva says, “It will take about eight years because of all the coordination and a lot of technology will have moved on. But we develop everything to be technology agnostic as much as possible.”
The new standard will be a significant advance on the existing situation, where there are only two generic applicable standards. “We have worked with technical experts, white hackers, and manufacturers like Boeing to provide more detailed guidance, recommended practices, and standards. An important question is what does it mean to be resilient and allow operations to continue with reduced performance, but optimal safety?”