In an interconnected world how vulnerable is aviation to cyber threat?
1. The turbulent cybersphere
If you think the sky is a dangerous place, how about the internet? In the online world, trolls, hackers, hacktivists, cyberwarriors, data thieves and cyberterrorists do battle over keyboards. It’s a never-ending computer game with very real consequences in the flesh and blood world, of which aviation is a vulnerable part.
It’s nearly 15 years since the slammer worm attack shut down the Continental Airlines booking system for 24 hours. Since then, there have been cyberattacks on nuclear facilities in Iran (2010) and banks in South Korea (2013), thefts of perhaps 110 million sets of credit card details from US department store Target (2013), and an attack on the electricity grid of Ukraine (2015).
Cyberattacks took a bizarre and unsettling turn in 2016 with the Dyn distributed denial of service attack, which utilised an estimated 500,000 domestic devices connected to the internet to mount a coordinated electronic barrage on computer networks and media outlets. Among the devices coopted to form the ‘botnet’ of zombie-like attacking computers were digital video recorders, printers and baby monitors.
This year has seen the Wannacry ransomware attack on computers around the world and the Petya malware attack that swamped the websites of newspapers, banks, government departments and energy companies in Ukraine.
2. Future shock or fake news?
Aviation, with its system of navaids, radio communications and air traffic control, was a pioneer of networking, and from time to time it suffers network problems, ranging from atmospheric conditions blocking radio communications to deluded or malicious individuals impersonating air traffic controllers. However, for much of its history, aviation’s networks were unique, using technology unavailable to the general public, and with their own protocols and languages. This is beginning to change. Modern aviation has joined the networked world, with navigation, information and reporting systems using widely available computer architecture and languages. These include:
- Electronic flight bags.
- Wireless field-loadable software.
- Real-time aircraft health monitoring and reporting.
- Passenger information and entertainment systems.
- Uploading and downloading flight and system data, using wireless technology.
- Performing maintenance testing and diagnostic functions remotely.
- Equipping engines with ‘call home’ functions for trend and operational information.
- Implementing wireless communications (e.g. SATCOM, HF, VHF, IFE, wi-fi and cellular) which include software updates for onboard communications avionics.
The extent to which these create an increased risk is under debate.
Modern transport aircraft do use internal high-speed data networks to connect digital multifunction avionic components. (It’s the ARINC 429 technical standard for local area networks.) In lay terms, this means the days of one avionics black box performing a given function on an aircraft are over. Instead, digital avionics modules perform software-defined functions, and can be upgraded with new ‘loadable software parts’ to improve their performance or add new functions.
CASA’s senior avionics engineer, Jayson Rowe, says a good analogy is how apps can make smartphones perform different functions. This ‘virtualised’ system has the advantages of being upgradable, resilient and often lighter than conventional avionics. It uses ‘off-the-shelf’ information technology and protocols that make it less expensive and quicker to develop. However, it is in theory subject to hacking in a way that the hard-wired one-box per function system could never be simply because its modules follow software instructions rather than fixed circuits.
The real-world risk is another matter, and not all it has been reported to be. The fast-moving tech world has no equivalent to the sober investigations performed by aviation accident investigation bodies, and as a consequence, rumour often leaps ahead of fact.
Several vaunted incidents of aviation hacking are nothing of the sort:
- The crash of Spanair flight 5022 at Madrid-Barajas Airport in August 2008 was widely reported to be related to malware found in a computer used to store the aircraft’s maintenance records. This meant engineers were not alerted to an engine sensor problem occurring three times in 48 hours, the reports said. However, the crash was the result of the crew forgetting to extend flaps for take-off (despite having recited the checklist), and in accordance with normal practice, the maintenance records had not been entered in the computer at the time of the accident. The engine and both the MD-82’s air data computers ‘were functioning normally on the previous flights and at the time of the accident’.
- In May 2015, an FBI investigation into computer security consultant Chris Roberts came to light. The bureau’s warrant application said Roberts had hacked into the in-flight entertainment system up to 20 times on separate flights and that on one flight he was able to make the plane ‘climb’ and ‘move sideways’ by accessing flight control systems from a laptop in his seat.
From the FBI warrant application: ‘He stated that he successfully commanded the system he had accessed to issue “CLB” or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights.’
However, former Boeing engineer Peter Lemme told Wired magazine no such command existed, because that would defeat the purpose of the autothrottle. ‘The autothrottle wants to keep the engines together. It does not want to split the engines,’ he said. ‘The only command [available] is to drive them together, not to drive them apart,’ Lemme said.
Other stories are true. A US truck driver, who resented his employer knowing his work vehicle’s every move, fitted a GPS jammer—and became the cause of a mysterious disruption to the precision-landing system at Newark airport every time he drove past or parked there. He was fined US$32,000 in August 2013.
Between 2013 and mid-2016, there were nearly 80 incidents of aircraft GPS signal interference or malfunctions, according to those filed on NASA’s Aviation Safety Reporting System (ASRS).
Computer security consultant Hugo Teso told the SEC-T.org computer security conference he had obtained a disc of airline modifiable information software from communications supplier Arinc simply by filling out an online form. He had been evasive about the question of his supposed aircraft’s registration, but the disc arrived in the post regardless. He also found source code for avionic systems in directories on aircraft maintenance websites, as well as used flight management computers for sale on eBay, and discovered it was possible to obtain the IP (internet protocol) addresses of aircraft by local scanning, in a similar way to looking for an internet hotspot. Finally, he discovered he could upload modified software using proprietary systems that allowed him to communicate with multiple nominated aircraft via a webpage.
Teso claimed he could gain access to an aircraft’s condition monitoring system, autoflight system and flight management computer. ‘Trust me, it’s not that difficult, but of course I cannot provide the details,’ he said.
3. Intruders in the circuit: the uneasy relationship of avionics and IT
Answers to the question, ‘Is it possible to hack an aircraft’s flight controls?’ are similar, but nuanced, ranging from an emphatic ‘no’ to a less reassuring, ‘most likely not’.
CASA’s senior avionics engineer, Jayson Rowe, is confident about the cybersecurity of modern transport aircraft flight controls. Older aircraft are simply too old fashioned to be hacked, he says, and newer ones have addressed the issue with stringent standards. ‘As far as the design of aircraft is concerned, that part is well addressed,’ Rowe says. ‘There are standards that are well-established, developed since the Boeing 787 came into service and they are there to address any concern about security.’
Rowe says more stringent aircraft network security requirements came in at the same time as off-the-shelf technology. ‘Modern aircraft are protected by dual firewalls. Data can only be installed on the ground; it can’t be changed or modified in flight. A LAME typically will connect a laptop to install the software. CASA’s been strict about this. We only allow LAMEs to install maintenance items on the ground. There have been discussions about doing this remotely but we would still require it to be by a LAME action. Whether it be by a laptop or remotely, the same intent is there: that updates only be done by maintenance action.’
Principal Security Consultant at IOActive, Ruben Santamarta, has a more nuanced opinion. ‘There is not a right or wrong answer here—each aircraft needs to be assessed individually,’ he says. ‘In general, an aircraft’s data networks are divided into four domains depending on the kind of data they process: passenger entertainment, passenger owned devices, airline information services, and aircraft control. However, there are certain devices that are shared between all those domains, such as SATCOM equipment.’
‘Physical control systems should be located in the aircraft control domain, which should be physically isolated from the passenger domains. However, this doesn’t always happen. Some aircraft use optical data diodes, while others rely upon electronic gateway modules. This means that as long as there is a physical path that connects both domains, we can’t rule out a potential attack.’
Professor of Cybersecurity at Embry-Riddle University, Gary Kessler, says the possibility of aircraft hacking must be considered and defended against. He is particularly concerned about ransomware attacks, in which money is demanded to restore computer files. These have become such a big illegal ‘business’ that ransomware attackers provide help desks that talk victims through the details of paying online.
‘Would it be possible to inject ransomware into an aircraft in-flight? I posed this question to buddies of mine who agreed that, probably, today you can’t do that,’ Kessler told the Safeskies aviation safety conference in Canberra recently. ‘But about a year ago, someone got ransomware into the San Francisco bus and train system. The notion of putting ransomware into a moving vehicle is not implausible, and if I can think about it others have also.’
Like Hugo Teso, Santamarta sees in-flight entertainment (IFE) systems as a possible attack vector. ‘In some scenarios, such an attack would be physically impossible due to the isolation of these systems. In other instances, an attack remains theoretically feasible due to the physical connectivity,’ he says. ‘The ability to cross the “red line” between the passenger entertainment and the owned devices domain to the aircraft control domain relies heavily on the specific devices, software and configuration deployed on the target aircraft.’
Rowe says the main safety concern with IFE systems is the extent to which they double as passenger information systems in emergencies. ‘We use a classification of five different failure levels from catastrophic to no effect. Failure of an IFE system so that it can’t show a movie to a passenger would have no effect under our classification. But failure of PA announcements or emergency lighting, which can be controlled by IFE systems, could have an effect that might be minor or major depending on circumstance, and that’s where we have to look into the situation.’
He is however confident in the integrity of IFE systems. ‘The data buses used in those systems are read only. You cannot write into them. That’s by design,’ he says. ‘It’s a one-way system. Someone sitting at the back can’t write to the system.’
‘If we became aware of any information to suggest otherwise, that would certainly warrant an airworthiness directive. It would be issued within hours.’
4. Ghost riders: systems outside the cockpit
Rowe and Santamarta both point out that aviation navigation systems are not secured. They can become jammed or spoofed with false data. ‘This is a known flaw because at the time these were written, security wasn’t considered,’ Rowe says.
‘We’re talking about any radio navigation system—NDB, VOR, ILS and GNSS. None of these was ever designed to include security. The standards are not publicly available but they are not a secret—you can purchase them.’
‘There is an intention to change these systems, but it’s going to take a long time. You’ve got to change ground-based infrastructure and get every state in ICAO to agree. It’s a monumental feat of international cooperation.’
Santamarta says satellite communication (SATCOM) devices, including airborne SATCOM terminals, are a specific vulnerability. ‘A primary concern is the sharing of these SATCOM devices between different data domains (e.g. satellite data unit connected to the multifunction control and display unit on the flight deck), which could allow an attacker to use this equipment to pivot from a compromised IFE to certain avionics.’
Rowe says that even unencrypted systems have certain features that defend against spoofing. Receiver autonomous integrity monitoring (RAIM), where a GNSS receiver monitors the strength and quality of satellite signals is one such defence, he says. ‘RAIM can realise that a signal being spoofed would come from a source that’s quite close. It wouldn’t be representative of a satellite that has quite a weak signal, down in the noise floor.’
‘You also have a mask angle. Anything lower than the mask angle the system typically ignores, such as a signal coming from the ground. That would rule out a ground-based spoofing signal.’
The pseudo-random coding of GNSS signals acts as another defence. ‘A GPS satellite also puts out a pseudo-random code. It can be encrypted and is considered close to unbreakable. Each satellite has a unique seven-day P code. Denial of service is something more easily achievable,’ Rowe says.
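Rowe describes two receiver-side defences that work even though the signals themselves are unauthenticated: the elevation mask angle, which discards anything arriving from at or below the horizon, and signal-quality monitoring, which treats a signal far stronger than a real satellite’s near-the-noise-floor signal as suspect. The added example below, which is not from the article or from CASA, implements that screening over a constructed set of satellite observations and then reports how much redundancy is left for RAIM (the standard counts: four satellites for a position, five for fault detection, six for fault detection and exclusion). The thresholds, the observation values and the field names are assumptions.

```python
"""Constructed example of receiver-side GNSS plausibility screening: an elevation mask
angle plus a carrier-to-noise (C/N0) plausibility window, followed by a count of the
satellites left for RAIM. Thresholds and observations are illustrative assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SatObs:
    prn: int               # satellite identifier
    elevation_deg: float   # elevation above the horizon, from the broadcast ephemeris
    cn0_dbhz: float        # carrier-to-noise density as reported by the receiver


MASK_ANGLE_DEG = 5.0   # assumed mask angle: ignore signals from at or below this elevation
CN0_MIN_DBHZ = 30.0    # assumed floor: weaker than this is unusable
CN0_MAX_DBHZ = 50.0    # assumed ceiling: a genuine satellite signal sits near the noise
                       # floor, so a much stronger one suggests a nearby transmitter


def screen_observations(obs, mask_angle=MASK_ANGLE_DEG, cn0_min=CN0_MIN_DBHZ, cn0_max=CN0_MAX_DBHZ):
    """Split observations into usable ones and a {prn: reason} map of rejects."""
    usable, rejected = [], {}
    for o in obs:
        if o.elevation_deg <= mask_angle:
            rejected[o.prn] = "below mask angle"
        elif o.cn0_dbhz > cn0_max:
            rejected[o.prn] = "implausibly strong signal"
        elif o.cn0_dbhz < cn0_min:
            rejected[o.prn] = "too weak"
        else:
            usable.append(o)
    return usable, rejected


def integrity_status(obs):
    """Classify what RAIM can do with the satellites that survive screening."""
    usable, rejected = screen_observations(obs)
    n = len(usable)
    if n >= 6:
        status = "fault detection and exclusion available"
    elif n == 5:
        status = "fault detection available"
    elif n == 4:
        status = "position only, no integrity monitoring"
    else:
        status = "no fix"
    return status, rejected


# Constructed observation set: five ordinary satellites plus three that should be screened out.
SAMPLE_OBS = [
    SatObs(prn=3, elevation_deg=62.0, cn0_dbhz=44.0),
    SatObs(prn=7, elevation_deg=38.5, cn0_dbhz=41.0),
    SatObs(prn=11, elevation_deg=21.0, cn0_dbhz=39.0),
    SatObs(prn=14, elevation_deg=55.0, cn0_dbhz=45.0),
    SatObs(prn=19, elevation_deg=12.0, cn0_dbhz=36.0),
    SatObs(prn=22, elevation_deg=2.0, cn0_dbhz=47.0),   # at the horizon: below mask angle
    SatObs(prn=27, elevation_deg=33.0, cn0_dbhz=58.0),  # far too strong for a satellite
    SatObs(prn=31, elevation_deg=8.0, cn0_dbhz=27.0),   # too weak to track reliably
]

if __name__ == "__main__":
    status, rejects = integrity_status(SAMPLE_OBS)
    print(status)
    for prn, reason in sorted(rejects.items()):
        print(f"  PRN {prn:2d} rejected: {reason}")
```

On the constructed set three observations are rejected and five remain, so the receiver can still detect a faulty satellite but not exclude it. Real RAIM then goes further than this screening and checks the surviving pseudoranges for mutual consistency, which is what catches a spoofed signal that passes the elevation and strength tests.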
Kessler sees ‘data diddling’ as a subtle threat to data-driven safety systems. This is where a cyberattacker subtly modifies information in a database, rendering it untrustworthy.
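Data diddling succeeds because a record that has been quietly edited looks exactly like one that has not. The usual defence is to bind each record to a keyed digest (an HMAC) computed when the record was written, so that any later change to a field, however small, no longer matches the stored digest. The added example below is not from the article or from any organisation named in it; the record fields, the key and the ‘maintenance log’ framing are constructed for illustration.

```python
"""Constructed example of tamper-evident records as a defence against data diddling:
an HMAC-SHA256 over a canonical serialisation of each record is stored beside it, and
an audit re-computes and compares the digests. Records and key are illustrative."""
import hashlib
import hmac
import json

# Assumed integrity key. In practice it would live in an HSM or a secrets store and be
# held only by the systems entitled to write records, never by ordinary readers.
KEY = b"constructed-demo-key-not-for-production"


def canonical(record):
    """Stable byte serialisation so identical content always yields an identical digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key=KEY):
    """Return a copy of the record with a 'mac' field covering every other field."""
    sealed = dict(record)
    sealed["mac"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return sealed


def verify(sealed, key=KEY):
    """True only if the record's current content matches the digest stored with it."""
    body = {k: v for k, v in sealed.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak digest bytes.
    return hmac.compare_digest(expected, sealed.get("mac", ""))


def audit(records, key=KEY):
    """Return the ids of records whose content no longer matches their digest."""
    return [r["id"] for r in records if not verify(r, key)]


# Constructed maintenance-log style records, sealed at write time.
RECORDS = [
    seal({"id": "MX-001", "component": "air data computer 1", "fault_count_48h": 0, "deferred": False}),
    seal({"id": "MX-002", "component": "TAT probe heater", "fault_count_48h": 3, "deferred": False}),
]


def tampered_copy(records):
    """Simulate the subtle edit: three logged faults become none, nothing else changes."""
    copy = [dict(r) for r in records]
    copy[1]["fault_count_48h"] = 0
    return copy


if __name__ == "__main__":
    print("clean records failing audit:", audit(RECORDS))
    print("tampered records failing audit:", audit(tampered_copy(RECORDS)))
```

The audit passes on the sealed records and flags MX-002 after the single-field edit. A digest stored in the same table with a key the attacker also holds buys nothing, so the design point is key custody: the writer seals, readers only verify, and the audit runs from a system the database administrator does not control.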
5. What’s being done
The US Federal Aviation Administration (FAA) is promoting the standard term Aircraft Systems Information Security Protection (ASISP) to refer to cybersecurity concerns about aircraft.
The ASISP working group reported to the FAA in August 2016, with 30 recommendations that address rulemaking, airworthiness standards, industry consensus standards, and technical standards orders. Among the report’s recommendations is a new provision in the Part 25, Airworthiness Standards for Transport Category Aircraft, which would require manufacturers to protect aircraft equipment, systems and networks from intentional unauthorised electronic interactions.
During January 2017, the FAA established a tiger team with appropriate CNS/ATM experts from industry and governmental authorities to determine whether, and for which TSOs, industry standards need updates to address cybersecurity threats.
The Aviation Information Sharing and Analysis Center (A-ISAC) was established in 2012 with backing from Boeing. The A-ISAC acts as a focal point for security information sharing among airlines, airports, aircraft manufacturers, equipment suppliers, service providers, technology providers and infrastructure providers.
Network vulnerability is an inevitable consequence of aviation technology evolving from mechanical and analog electronic systems, which were process-based, to digital systems, which are information-based. Aviation and IT experts agree it is a real but manageable hazard, to which the best defence is to take network security seriously.
The three avionics domains
To provide an understanding of the aircraft’s electronic equipment, systems and assets, the concept of domains is used; however, this does not prescribe any particular architecture.
The Aircraft Control Domain consists of the aircraft’s electronic systems, equipment, instruments, networks, servers, software and hardware components, databases, etc., which are part of the type design of the aeroplane and are installed in the aeroplane to enable the safe operation of the aircraft. These can also be referred to as flight safety-related systems, and include flight control, communication, display, monitoring and navigation systems.
The Airline Information Services Domain generally consists of functions which are managed or controlled by the operator, for example administrative functions, cabin support functions etc.
The Passenger Information Service Domain consists of all functions required to provide the passengers with information. It consists of installed equipment and passenger-owned devices.
Potential risks to networked aircraft include:
- Erroneous maintenance messages.
- Corrupted software loaded onto aircraft systems.
- Malware infecting an aircraft system.
- Attackers using onboard wireless services to gain access to aircraft system interfaces.