Aerospace groups shore up cyber defence of ‘massive’ attack surface
Whenever cyber security risks to the aerospace industry are discussed, there is typically one catastrophic scenario that springs to mind: what if hackers could attack — and bring down — a plane in flight?
While this remains a highly unlikely scenario, it has nonetheless been a focus for the safety-conscious civil aviation and defence sectors. But boosting cyber security is not only about ensuring that an individual aircraft — and its navigation, air-ground communication, wireless and in-flight entertainment systems — are secure from digital intruders.
According to Steve Luczynski, chair of the non-profit body Aerospace Village, companies must also protect the control tower, the navigation aids on the ground, airports themselves, plus manufacturers and their supply chains. “The attack surface is massive, that ecosystem is massive,” he says.
Aerospace technology, for example, is a prime target for espionage by nation states, given the development of new proprietary systems in both the civil and defence arenas. More damaging, however, is the risk of sabotage or disruptive attacks — even terrorism — from government-backed hackers or criminal gangs.
According to cyber experts, ransomware — software planted by hackers to seize data and only release it when a ransom is paid — is a particularly worrying threat. Reports show a recent explosion in these types of attack by financially motivated groups.
“You’ve seen these ransomware attacks where people are holding hospital records and hospital systems for money,” says Sami Saydjari, cyber expert and president of the Cyber Defense Agency. “One could definitely anticipate seeing people do that in the aerospace community, holding aircraft for ransom. I think it’s coming.”
In addition, there are also fears around “spoofing”, where hackers get inside aerospace systems and impersonate a trusted source. Ella Marie Atkins, a professor in the University of Michigan’s aerospace engineering department, says: “The nightmare scenario is a fake air traffic controller that tries to run people into each other”.
Levels of cyber risk have risen as the aerospace industry has digitised — introducing more connectivity and automation to its systems.
“In the aerospace world, the aeroplane has always been disconnected [from the digital realm],” says Saydjari. “But, now, we’re connecting the aeroplanes to computers on the ground. With them being online, we are much, much more vulnerable.” Today’s aircraft “depend on the ground information for navigation”, he says.
Given the scale of possible cyber attacks — and the breadth of the attack surface — the industry is increasingly turning to technologies such as machine learning and artificial intelligence to help monitor unusual behaviour and automatically defend against, or contain, attacks. Use of these technologies is set to escalate as attackers increasingly arm themselves with similar tools.
“[AI] can support automation of relatively common and easy tasks as well, freeing time for security engineers to focus on more creative exploits,” explains Rogier Fischer, chief executive of cyber security company Hadrian.
AI is particularly important in an industry where speed of response is vital, and the stakes are high. Pilots are trained to make decisions in under a second; but computers operate at a billionth of a second, Saydjari points out.
Todd Moore, Thales’ vice-president of data protection, agrees that cyber defences must keep pace. “The future of cyber attacks is likely to rely on autonomous intelligent cyber weapons and therefore an autonomous cyber defence is required which acts at the speed and scale of systems and attacks,” he says.
But, beyond artificial intelligence, experts say the sector still needs to do more to boost its overall cyber health, through other technologies. Dr Matthew McFadden, vice-president of cyber at General Dynamics Information Technology, says these include multi-factor authentication, segmentation (dividing a network into smaller parts to ensure an attack never spreads too far), and identity and access management.
“The path to long-term security lies in heightened standards, improved data governance and deep industry co-operation,” says Moore.
Avoiding catastrophes also comes down to carefully developed planning. “You have plans for failures and backups,” says Atkins of the University of Michigan. She says the aviation industry always ensures there are “three of everything” when it comes to critical features on a plane — radios, computers, and hydraulic systems, for example.
This principle also applies to data links — the digital communications technologies between aircraft and ground systems — she adds. In addition, the technologies relied upon should be diverse: WiFi, versus a satellite communications system, versus 5G, for example. “You can’t rely on one link because it’s not going to be reliable enough,” Atkins says. “Begin to mix and match.”
Saydjari believes companies in the sector should undergo a “really serious technical risk assessment about the probabilities and consequences of various attack scenarios”. Lessons learnt should be built into all the systems engineering choices that are made going forward, he argues.
Education is vital, agrees Steve Lee, senior director of adjacent content and product development for American Institute of Aeronautics and Astronautics. “Professors who are teaching the next generation of aerospace engineers need to start teaching [cyber security] and including it in their curriculum.”