Printed headline: Risks and Rewards
What predictive maintenance networks do for aircraft is similar to what the Internet of Things (IoT) does for domestic devices: They connect machines digitally to realize convenience and economic benefits. And just as the IoT presents security challenges to manufacturers of connected devices, networked prognostics raise similar questions for aircraft manufacturers and operators.
“These networks are another example of how manufacturers are trying to improve the operational longevity of their products,” says Bryce Boland, chief technology officer for the Asia-Pacific region at cybersecurity specialist FireEye. “The implications of a failed aircraft are pretty significant, so the risks that go with it need to be measured and understood. There are many challenges in this space.”
The maintainer under this F-35A’s wing (left) is using a PMA connected to the jet. Credit: Master Sgt. Jeremy T. Lock/U.S. Air Force
Military predictive maintenance networks have to meet exacting security standards but benefit from the already high security around military digital infrastructure, much of which is separated from the wider public internet. Even here, though, critics of the systems highlight opportunities for skilled adversaries to potentially gain access to classified data via these systems. In commercial aviation, where interfaces between airline and airframer systems and the public internet are more numerous, and security is often viewed through a cost-benefit lens, the risks may be significantly higher. By understanding military systems’ security challenges, commercial entities may be able to learn some vital lessons.
A well-known aerospace predictive-maintenance network is Lockheed Martin’s ALIS (Autonomic Logistics Information System), being developed to support the F-35. It is changing the way air forces approach the job of maintaining their fleets.
“One of my chiefs says he misses the challenge of opening up parts of a Harrier and trying to do fault diagnosis while getting your hands dirty,” says Royal Air Force Group Capt. Ian Townsend, commander of the UK’s F-35 Lightning Force. “It is different on this aeroplane because you will plug a laptop in, and the aeroplane will tell you what’s wrong . . . instead of you having to poke around and try and understand what the fault is.”
Lockheed Martin’s ALIS predictive maintenance PMA is visible under the nose of this F-35. Credit: Staff Sgt. Staci Miller/U.S. Air Force
ALIS synchronizes postflight data from each jet back to Lockheed’s Autonomic Logistics Operations Unit (ALOU) in Fort Worth for analysis that will help streamline fleet-wide spares ordering, optimize maintenance scheduling and thus increase aircraft availability. The system also is the sole means by which preflight data are uploaded onto the aircraft.
Pilots sign for their jet through ALIS, and programming of the “brick”—the encrypted cartridge used to insert mission-specific data into the onboard systems before a sortie—is carried out through the JMPS (Joint Mission Planning System), an ALIS subsystem. Without ALIS, the F-35 cannot fly.
The system breaks the synchronization chain into four distinct parts, which should make it easier to secure from attacks than a single end-to-end, aircraft-to-manufacturer link.
The first involves maintainers plugging a modified laptop, known as a portable maintenance aid (PMA), into the jet. The PMA downloads data post-flight and enables maintainers to conduct and manage repairs.
The second part involves the device synchronizing postmission data to a server rack known as the SOU (Squadron Operating Unit). Every F-35 operating location will have an SOU, which acts as a local data repository; it is physically secured within the base’s perimeter.
The third piece is the SOU connecting digitally to another server, the CPE (Central Point of Entry). Each F-35 partner nation will have one CPE, which is also that country’s ALIS hub.
The fourth part is having that CPE connect to the ALOU. Connections between the SOUs and the CPE, and between the CPEs and the ALOU, are made via what Lockheed terms “encrypted tunnels” on military and company digital infrastructure separate from the public internet.
Similar security measures likely apply to other military prognostic systems, such as the VROC (V-22 Readiness Operations Center) established in 2015 by Boeing to manage fleet-wide maintenance for the Osprey tiltrotor. “In order to continue the effectiveness of our methods, as a practice, we don’t discuss specifics about our security programs at Boeing,” says a statement released to MRO Network. “We have robust processes in place to protect our systems and networks.”
Both the F-35 and V-22 Osprey use bespoke predictive maintenance networks—ALIS and VROC, respectively. Credit: Lockheed Martin
However, even processes as robust as the use of dedicated, separate networks will not guarantee security.
“Just because the network is closed, it doesn’t mean that an attacker can’t have access to it at different points,” Boland says. “Obviously, the [U.S.] Defense Department has a lot of capability to build and monitor security to ensure there isn’t any tampering with the connections—but even so, you’re talking about a very large, global network with a lot of different endpoints.”
Points of particular vulnerability occur whenever a prognostic network connects with the outside world. For ALIS, these connections exist mainly at the ALOU, where ALIS has to interface with and/or integrate commercial off-the-shelf (COTS) software. For example, the system uses the customer relationship management tool Oracle Siebel and systems from SAP, the German enterprise software company.
Software inevitably contains errors that an attacker could exploit until they are corrected. Skilled and well-resourced attackers will look for hitherto undetected vulnerabilities and exploit them before software manufacturers find and patch them. Previously unknown vulnerabilities can enable an attacker to covertly access a system and remain undetected for extended periods. Vulnerabilities in COTS software would become vulnerabilities to any network that used that software, regardless of how error-free the proprietary code may be.
ALIS program staff are aware that the network’s interfaces with COTS software represent points of potential compromise. A slide from a briefing given by Scott LaChance, ALIS chief architect, to the Defense Department Maintenance Symposium in December 2015, notes that “COTS [software] is a vulnerability” and suggests that the program should consider developing customized alternatives.
An important part of maintaining network security is conducting penetration tests, in which a security team will work as an outsider and attempt to gain access to the system. In his annual report in 2015, the Pentagon’s Director of Operational Test and Evaluation (DOT&E) noted that the F-35’s Joint Program Office (JPO) had elected to postpone penetration tests of ALIS until the F-35’s development program is complete. In answers to questions from Inside MRO, Lockheed clarified that penetration testing of ALIS is still taking place, although not on systems operating in the live environment.
“Security and the penetration testing that verifies security are priorities to both JPO and Lockheed Martin,” the company wrote. “The JPO has decided to conduct their penetration assessments in operational systems, not in closed laboratory environments, and we support this decision.” However, “Lockheed Martin continues to conduct penetration testing in our laboratories prior to delivery as part of the normal developmental process,” it adds. “When we deliver each iteration of ALIS, we are confident it will pass subsequent penetration testing. We continue to learn from field-testing and incorporate JPO findings in the ALIS development cycle.”
The DOT&E’s January 2016 report listed a number of security tests due to be carried out around year-end, including an “adversarial assessment” of Lockheed’s ALOU in Fort Worth and a “cooperative vulnerability and assessment” of the F-35A. Lockheed confirms these tests have now taken place and that “findings have been addressed.”
“These are not strict pass/fail exams, and field testing and other assessments are designed to provide input to continued development,” the company notes. “Cybertesting is robustly resourced and a recurring activity. In its program history, ALIS has been put through more than 2,000 cybertests. We partner with JPO to continue ongoing independent certification and accreditation activities to maintain ALIS . . . ATCs [authorities to connect] on all [Pentagon] networks.”
The risk to a military user of a breach in a predictive-maintenance network is most likely limited to giving an adversary access to tactically or strategically useful information. This is a significant concern, but it falls some way short of the more apocalyptic scenarios in which hackers could affect the behavior of aircraft in flight. In the civil sector, however—where predictive maintenance solutions are also emerging—this most dire of prospects may be a greater risk.
“Most airlines have very, very poor cybersecurity capability today,” FireEye’s Boland says. “Some of the high-tier airlines are investing more money in this, but most of them have completely flat and relatively porous networks, and in many cases they’re running extremely old software. It’s quite fragile infrastructure.”
“On top of that, there’s the complexities of the travel industry, with the interconnectivity to all the systems that are managing reservations and handling transactions,” says Todd Waskelis, vice president of AT&T’s security consulting business. Like Boland, Waskelis recommends segmenting networks to completely separate avionics computers from customer-facing systems. If not, an attacker able to exploit a vulnerability in the ticketing or luggage-tracking system may be able to move quickly through that flat, porous network and reach aircraft control systems.
Such attacks, though technically feasible, would be very difficult to carry out without access to an aircraft and its avionics source code, to test intrusions. This appears to rule out the threat of a bedroom anarchist launching cyberattacks against commercial airliners. “But you could see nation states conducting these sort of attacks,” Boland argues. “Frankly, I’d almost be surprised if certain nation states weren’t already investigating how they could take control of these sorts of systems.”
Recommended mitigations include:
· Devices that take data off aircraft should not also be used to upload information, and should not be capable of modifying data.
· These devices, and the systems governing uploads to aircraft, should be kept separate from other networks, particularly any public-facing systems.
· Certificate-based access controls should be enforced so that data can only be uploaded to critical on-board systems from secure devices operated by approved and authenticated staff. This is difficult and ongoing work but must be done.
“We see this with financial institutions managing sensitive data,” says Waskelis. “You’re sharing the same sort of network, and you’re segmenting that cardholder data, but you have to constantly test the controls and validate that they are truly keeping it segmented. It’s an ongoing battle to assure that.”