Faced with the task of transporting millions of passengers between various destinations around the globe on a daily basis, the aviation industry is required to maintain one of the most complex and integrated information and communications technology (ICT) systems on the planet. And like any digital/computer system, this electronic infrastructure is vulnerable to software glitches, hardware and network failures, and the attention of cyber-attackers.
But unlike in many other industries, a systems failure or a successful cyber-attack can have life-threatening and potentially catastrophic consequences. The safety of aircraft and their passengers, the operational integrity and financial health of airlines and related industries, and the reputation of the aviation sector as a whole may be threatened by hackers, “hacktivists”, cyber-criminals, or terrorists intent on sabotage, the theft of information and intellectual property, or simply looking to cause mayhem and create confusion.
Recent times have already seen notable instances in which the operations of large, well-known, and reputable airlines have been disrupted through incidents which on an individual basis might seem minor, but which within the context of their role in the aviation process have knock-on effects and multiplying factors that can extend their ill consequences far and wide.
It’s in the context of such incidents that we’ll be looking at some of the principal issues involved in aviation cyber security, and what impact an improved stance may have.
Aviation Cyber Security – Some Known Risks
Electronic Flight Bag Failure
As an alternative to the reams of documentation traditionally carried on board by airline flight staff, “electronic flight bags” – dedicated tablet devices with touchscreens – were recently introduced across a range of airlines. These provide both economic savings for the airline (less bulk to carry, less fuel) and benefits for the environment.
In addition to providing a lightweight, paperless alternative to the estimated 16kg (35lb) of manuals that pilots might typically be expected to lug around before, these devices can use wireless connectivity and mobile apps to distribute directives and information such as flight plans across an entire fleet.
But as any iPad or mobile device owner will tell you, using software that’s reliant on a fast and continuous internet/network connection – or a tablet whose performance may be affected by any number of other factors – has the possibility of failure built in.
American Airlines learned this the hard way in April 2015, when an iPad software and connectivity issue caused electronic flight bags to fail, grounding multiple aircraft (“a few dozen flights”, in the words of an airline spokesperson) and affecting (according to some reports) its entire fleet of Boeing 737 passenger jets.
A software glitch affecting the pilot’s electronic flight bag on an EasyJet Airbus A319 carrying 156 passengers and six crew was at the root of an incident in June 2015, which almost resulted in the aircraft overshooting a runway on take-off.
Reports in the British press and a report from the UK Air Accidents Investigation Branch suggest that corrections made by the plane’s captain to its distance and speed calculations allowing for a change in the prevailing weather were incorrectly reported back by the software, which produced data for a longer runway.
The error left the Airbus A319 with insufficient stopping distance to abort take-off, as it traveled along the runway at 132mph (115 knots). Decisive action by the captain ensured that the plane (which was on a flight from Belfast International Airport to London Luton Airport) was able to take off – but only with 656ft (around 200 meters) to spare.
Control Systems Errors
Network and general systems errors were responsible for an incident in April 2018, which saw European air travelers facing massive disruptions on the Tuesday after the Easter holidays.
Eurocontrol, the Brussels-based agency coordinating Europe’s air traffic control operators, cited a “failure of the Enhanced Tactical Flow Management System”, which is charged with tracking and managing air traffic demand across the continent.
As a result of that system failure, around half of the 29,500 flights scheduled for that period in the European zone faced the possibility of delays, with Amsterdam’s Schiphol, Helsinki, Prague, Copenhagen, and others among the EU’s biggest and busiest airports being adversely affected.
The Risk to Avionics Systems
According to the Director of Strategy and Safety Management at the European Aviation Safety Agency (EASA), aviation cyber security issues are a very real problem, and systems across the world are targeted by thousands of attacks each month.
Singled out for particular attention are the connective communication systems between aircraft and the ground. These include the avionics systems which monitor and manage vessels, transmit flight information, and relay data to and from ground-based networks.
In an example from Hollywood, you might recall the scene from the movie Die Hard 2 where the bad guys hack the air traffic control system and change the altitude of ground level, causing a plane to crash.
A study by Florida Tech Online identifies the following as potentially vulnerable elements:
- Access, departure and passport control systems
- Cargo handling and shipping
- Flight management systems
- Flight traffic management
- Hazardous materials transportation
- On-board computer and navigation systems
- Reservation systems
High-value information resources may be targeted by hackers, criminal networks, nation state actors, terrorist operators, or industrial spies. These might include design specifications, software, and process data on the operational or manufacturing side of the industry.
Route, cargo, or passenger data might be targeted for any number of reasons, including physical theft, hijacking, or identity theft.
And in the “worst case” scenarios, opportunist cyber-criminals or terrorist organizations might seek ways of compromising avionics systems so that individual aircraft malfunction or sets of aircraft collide, causing injuries, deaths, and widespread destruction.
These threat scenarios aren’t just hypothetical. In June 2015, the Reuters news agency reported on an incident in which a Polish airliner with hundreds of passengers on board was rendered inoperable by what investigators believe was a Distributed Denial of Service (DDoS) attack. And in April of that year, a security researcher was barred from a United Airlines flight after tweeting about his attempt to hack the passenger oxygen controls on his flight.
The aviation industry is also vulnerable due to its diversity in terms of geographic spread, different lines of business (passenger, cargo, courier service, etc.), public and private aspects, and multiple touch points or interfaces with other sectors. This increases the potential attack surface made available to malicious actors.
Common ground with other digital systems also exposes aviation to what might be considered universal or “industry-agnostic” threats. These would include the likes of viruses, ransomware, social engineering, phishing attacks, and so on.
Recommendations for Meeting the Challenge
Although there is as yet no global standard or unified set of best practices for aviation cyber security and the industry as a whole, the following recommendations may apply:
- Evaluation and risk assessment should be performed, to identify potential threats and vulnerabilities, and the best methods to remediate them.
- Strong and comprehensive cyber security policies should be drawn up and enforced within the enterprise, drawing support from top executive level down throughout the organization, and taking into consideration all relevant industry standards and requirements for legal and regulatory compliance.
- Procedural and contractual steps should be taken to minimize insider threats, and risks from partner agencies, supply chains, and third-party vendors.
- Mechanisms and policies should be put in place for the predictive monitoring of IT systems and networks, and the protection of operational and customer information.
- Formalized procedures should be drawn up for notifying customers, stakeholders, and regulatory authorities, in the event of a security incident or data breach.
- Training for security awareness and cyber security best practices should be conducted on a regular basis, and a culture of proactive cyber security encouraged throughout the enterprise.
- Penetration and operational testing should be conducted on all critical systems at intervals, using reputable external contractors.
- From a compliance/legal standpoint, organizations are advised to conduct regular and full audits of their existing IT systems. Whenever possible, legal and compliance teams should coordinate their activities with local regulators or legislative authorities.
- Compliance testing should be conducted periodically, with an eye to ensuring the integrity of all system components – both individually and acting in conjunction as a network.
- With the enterprise market for cyber security insurance active and growing, organizations in the aviation sector are advised to invest in comprehensive coverage.
In all cases, a coordinated approach is required across the entire enterprise, including all of its geographical regions, business units, and the links of its supply chain.
There have been moves within the industry to promote aviation cyber security awareness and best practices. For example, the International Air Transport Association or IATA (which represents over 250 airlines) has developed an Aviation Cyber Security Toolkit, which includes training videos, a risk analysis tool, and several other resources.
And there appear to be some positive moves being made. A 2016 Airline IT Trends Survey by SITA (Société de Télécommunications Aéronautiques, the world’s leading specialist in air transport communications and IT) found that 72% of the 200 airlines surveyed already invest in cyber security projects, while 9% of the airlines polled plan to invest in aviation cyber security within the next three years.
With the American Institute of Aeronautics and Astronautics estimating its value at more than $2 trillion (or 3.5% of global gross domestic product), the aviation industry is a critical element in the world’s economic machinery. So taking the necessary steps for aviation cyber security to safeguard its workings and critical infrastructure is a common-sense strategy, for all of us.