Securing Cyber in the Sky
Layered cybersecurity needed to protect aviation ecosystem
When the WannaCry ransomware warning popped up on the arrival-and-departure signs of Germany's national rail system, experts in aviation security took notice.
While the now-infamous attack did not affect travel, it did show how easily malicious code can infiltrate mass transit systems. And with thousands of attacks on aviation systems every month, Raytheon, a company with expertise in both cybersecurity and air traffic management, is taking steps to mitigate cyber attacks in the skies.
Disrupting commercial flights in the United States would damage the U.S. economy. U.S. civil aviation is a huge economic driver, accounting for 5.1 percent of the U.S. economy, generating $1.6 trillion in economic activity, and supporting 10.6 million jobs with earnings of $447 billion, according to a November 2016 FAA economic impact report.
“The aviation industry, like the rest of the world, is becoming more and more interconnected, which increases attack vectors to gain entry into systems,” said Bob Delorge, former Raytheon vice president of Transportation and Support Services. “But when you understand the domain you're operating in and when you understand the weaknesses and vulnerabilities like Raytheon does, you can build defenses. It really plays to our core strengths — engineering and technology.”
While disrupting air traffic and crippling the economy is frightening enough, the greater fear is that hackers could crash airplanes or make them vanish from radarscopes. One solution, the Cyber Intrusion Detection System, is a cyber attack warning system that alerts pilots if anything on the aircraft has been hacked or is doing something it shouldn't. Raytheon is working on this company-funded research and development project, and planning to make it available to commercial and military markets within the next couple of years.
A Heat-Seeking Hack
During military operations, a cyber attack on an aircraft could trick pilots into not trusting their instruments and aircraft. If they don’t trust their aircraft, then their mission fails.
“For a military pilot, a cyber attack on their aircraft could cause mission failure,” said Bill Leigher, director of Raytheon’s government cybersecurity solutions business and a retired U.S. Navy rear admiral. “It could be really subtle, such as an alarm going off at a critical time, during a weapons release run. The pilot might miss an opportunity and have to circle back, exposing themselves to a greater threat from the ground.”
According to Leigher, malware could be introduced through the supply chain, since aircraft parts are manufactured by many different sources around the world. The detection system would look for anomalies on the specialized aircraft networks called buses. These communication systems control, monitor and transfer data between different electronic components in the aircraft and remote terminals. Many devices connect to those buses, such as annunciators, flaps, lights and landing gear. The cyber warning system would detect if a component aboard is “misbehaving” or suddenly appears when it shouldn’t.
Both Leigher and Delorge also advocate a thorough cyber assessment with the FAA, its partners, original equipment manufacturers, airlines and the aftermarket. This would include penetration testing, or "red teaming," where cyber experts try to gain access to a system, as well as vulnerability testing, where they look for flaws in security. The overall approach: to look at planes, air-traffic control, airports and all the other elements of aviation infrastructure as an information system, to understand their strengths and weaknesses, then to inspect them frequently.
In simpler terms: to protect planes and everything around them as attentively as people protect their smartphones.
“On my phone, I’m constantly being pushed updates to improve the device’s security,” Delorge said. “We need that same diligence and vigilance in aviation.”
While many commercial businesses, such as the banking and healthcare industries, have beefed up cybersecurity measures, the aviation industry needs to keep pace.
“There’s been painfully little research done regarding cyber vulnerabilities on aircraft,” Leigher said. “There needs to be consistent and constant red teaming and vulnerability assessments based on overall system risk, which keeps pace with the ever-evolving threat. It makes sense to scan for malware and vulnerabilities as part of doing routine maintenance checks, even make it part of the pre-flight checklist.”
Layers of Security
Leigher and Delorge believe the aviation industry should implement a layered approach to cybersecurity, which use several defense mechanisms such as access restrictions, two-factor authentication, encryption, proactive threat hunting, insider threat monitoring, and managed detection and response. This type of layered defense is a strength of Raytheon, according to Leigher.
“Raytheon's deep knowledge of those mechanisms has given us very pointed insights on how you go about discovering vulnerabilities and weaknesses in systems, and how they can be hardened,” Leigher said. “With our security research, our methodology and insights into how software is written and where there are general weaknesses, we can use that to reduce the risks and increase resiliency.”