Printed headline: Keeping Hackers at Bay
U.S. government researchers in 2017 concluded that “most commercial aircraft currently in use have little to no cyberprotections in place.” A year earlier, the same researchers had taken two days to hack into unspecified systems on a parked Boeing 757 via its radio-frequency communications, while their next project was to examine the vulnerability of Wi-Fi and inflight entertainment (IFE) systems.
The results of that study have yet to be made public, but there are fears that more modern aircraft, where passengers, crew and many aircraft components themselves possess greater internet connectivity than on a 757, will prove even more vulnerable. In 2015, a cybersecurity specialist said he had moved an aircraft inflight via its IFE system, although his claims have been met with huge skepticism and, even in the case of the more rigorous 757 research outlined above, it is unclear whether critical systems were accessed.
Even so, U.S. Homeland Security Department researchers believe it is only “a matter of time” before an aircraft cybersecurity breach occurs, while a 2018 survey of airline IT chiefs by SITA found that cybersecurity was their second-highest investment priority. For airport chief information officers it was No. 1.
Boeing says it is confident about the cybersecurity of its aircraft. “Multiple layers of protection, including software, hardware and network architecture features, are designed to ensure the security of all critical flight systems,” a representative tells Inside MRO, adding: “Boeing’s cybersecurity measures are subjected to rigorous testing, including through the FAA’s certification process, and our airplanes meet or exceed all applicable regulatory requirements.”
One example of those regulations is DO-326, which deals with activities that need to be performed in support of the airworthiness process when the development or modification of aircraft systems and the effects of intentional unauthorized electronic interaction can affect aircraft safety. Companion documents set out various measures to achieve this.
While the potential to access flight control and other critical systems remains uncertain, huge disruption could still be carried out. For example, it has been estimated that the cost of updating one line of avionics code can run to $1 million when one considers the implications of developing, testing and implementing a fix and—crucially—the time an aircraft might have to be out of service to do so. One need only consider the global grounding of the 737 MAX fleet while Boeing upgrades certain software to imagine the havoc that computer viruses might cause.
Also worth noting is the interplay between mobile devices and aircraft systems, particularly as flight and cabin crew take advantage of advances in connectivity to assist them. Often they use tablet devices to do this, presenting a risk that malicious software on the tablet could migrate onto aircraft systems. To reduce such risks, airlines need rigorous systems in place to manage their mobile devices and who has access to them.
In theory, a more direct route into those systems potentially exists through connected components that form part of the Internet of Things. One example is the engine management unit (EMU), which collects, processes and transmits engine data. In the past, this was a one-way stream, but certain EMUs can also receive instructions. Rolls-Royce launched such a device with its Pearl 15 business jet engine and is intending to roll out the technology to other platforms in order to enable functions like remote testing. “Now we can talk back to the engine while it’s on the ground,” Rolls-Royce’s head of product management for digital services, Nick Ward, told Inside MRO recently.
Like Boeing, Rolls-Royce is confident that multiple security layers protect its components from interference, but that is not the case everywhere on an aircraft. SITA estimates that about 12% of aviation cyberattacks target navigation and air traffic control, with GPS proving particularly easy to undermine with cheap jammers and open-source “spoofing” software. The effects already experienced by flight crews include loss of satellite position reception, an inability to report aircraft positions accurately and being forced to perform go-arounds using backup navigation systems.
Another layer of threat exists for ground systems. An airline’s passenger data security is beyond the purview of this publication, but OEMs and maintenance companies must be aware also of heightened cybersecurity risks, be they to internet-enabled components or the increasingly valuable data they generate. Keeping client data confidential is one priority, but manufacturers and MRO providers must also guard against intellectual property theft and other malicious actions by rival companies or even nation states.
“Access and authorization to see data, whether from an individual airline or anonymized/aggregated, is either controlled by an identity-management team or through integration with the airline’s ‘single sign-on,’” says Jon Dunsdon, chief technology officer of GE Aviation digital solutions. “GE monitors access to ensure only those employees or contractors authorized to view the data are allowed access.”
Rolls-Royce tells Inside MRO that it recognizes cybersecurity “as one of the principal risks” for the company and outlines several measures it takes to protect its own and its customers’ data, including: an information assurance board to approve cybersecurity architecture and access controls, cybersecurity risk assessment for new projects, security operations centers around the world with teams focusing on cyberissues, proactively searching for weak spots across its IT systems and cooperation with Microsoft to enhance the security of data stored in the cloud.
Lufthansa Technik has access to certain airline data via its Aviatar platform, although only what each customer is willing to share. As well as separating each customer’s data, the MRO provider also uses encryption throughout the Aviatar platform, both for data in storage and in transit. This is the last line of defense if other security measures—such as Aviatar’s firewall and automatic threat detection—fail.
At the same time, it is clear that cyberthreats will continue to evolve and proliferate and that the defenses of today may not suffice tomorrow. Therefore, aviation companies must continue investing in security to stay ahead of the hackers.