What You Need to Know About Cybersecurity and Aviation for 2019

Aviation systems used to be custom-designed and relatively insulated. Today, because they are digitally connected and rely on a network, they are more vulnerable to cyberattack. This reality made 85% of airline executives declare cybersecurity a significant risk according to a PwC survey. Data breaches and cyber threats are expensive and dangerous for any industry, but the life-and-death stakes are certainly high in aviation where the safety of 400 million annual passengers is threatened. At the same time, improving cybersecurity is a challenge for the aviation industry.

Aviation Cybersecurity Challenges

The aviation industry faces unique challenges that other industries don’t when it comes to cybersecurity including:

  • Aviation crosses international borders; a minimum standard for priority of threat and risk levels must be adopted by all countries, airlines, and governments.
  • Cybersecurity in aviation involves the aircraft plus a complex network of systems that include passengers’ smartphones, in-flight entertainment and communication systems, airport grounds services, and more.
  • The aircraft is comprised of multiple systems that are developed by multiple OEMs using a variety of standards.

Although the goal is to prevent cyberattacks on aviation systems, IT specialists and cybersecurity experts know it’s not if, but when cyberattacks will occur. Cyber strategies must improve detection methods, minimize the impact, and expedite recovery from cyberattacks.

The Threat to SATCOM

Satellite communications (SATCOM) are important for many onboard aviation capabilities from performance and safety monitoring to voice telephony. Each application of SATCOM opens another vulnerability for cyberattack. As a result, the effective assessment of SATCOM security is critical in the ongoing development and deployment of modern air systems. There are good reasons satellite systems are often viewed safer from cyberattack than other communications channels, but they are not immune as evidenced by some high-profile attacks. Aviation system integrators must pay close attention to security design considerations such as a fully secure system-of-systems, virtualization, fault injection, and penetration testing when integrating SATCOM with other aviation systems.  

UAVs and Cybersecurity

One of the most significant changes in aviation since the advent of jet technologies in the 1950s is the emergence of unmanned aerial vehicles (UAV) or drones. The growth of commercial drones for use in agricultural, construction, remote sensing, and entertainment prompted the FAA to formulate new rules for operation and pilot certification. There are several cybersecurity challenges with UAVs including their reliance on radio frequency (RF) communication and dependence on sensors and processors with no human backup. UAVs are also susceptible to reverse engineering by a foreign adversary. The reality that UAVs could also be attacked on the ground highlights the need to develop secure hardware and software such as fault tolerant programming, coverage analysis, and systemic testing for UAV applications.

It’s only a matter of time before unmanned aerial vehicles will become a target of opportunity. While secure development practices and countermeasures like strong encryption, anti-tamper, and anti-reverse engineering provide more protection for military UAVs than is available for most commercial drones, no system is completely invulnerable. UAV developers and integrators need to be prepared to respond effectively and decisively even as threats continue.

JETS Defense: The System-of-Systems Cyber Tester

The individual systems of modern aviation platforms, which often contains millions or tens of millions of lines of code, work together to form a “system-of-systems” that provides the full range of capabilities for the platform’s stakeholders. System-of-systems security testing, such as Performance Software’s JETS Defense, is essential in today’s landscape of increased threats.

Supporting both full and partial virtualization of a wide variety of aircraft systems, JETS Defense can serve as a “System of Systems Test Bench,” gaining increased visibility into existing testing through greater instrumentation and injecting potential security flaws at internal or external system boundaries.

Cyber Kill Chain Testing

Precision-targeted “advanced persistent threats” involve sophisticated planning and execution and follow a consistent methodology that Lockheed Martin has termed the cyber kill chain. Aerospace technology developers and integrators can make use of the cyber kill chain in a variety of ways. One strategy is to employ the methodology as an outline for penetration testing of aerospace systems still under development, in order to understand their susceptibility to real-world attacks in the future.

Reconnaissance, the first stage of the cyber kill chain, is critical for penetration testers of an aerospace system. Virtualization and reverse engineering tools need to be used so developers understand as much of the attack surface as possible. Any penetration test of the system should include weaponization, in order to understand the theoretical and practical challenges (or lack thereof) an attacker would face. Command-and-control and actions on objectives, the final stage of the cyber kill chain, represents the system once fully compromised. It is critical that security testing consider what activities an attacker might be able to carry out against a compromised system and take active steps to thwart them.

ADS-B and Cybersecurity

The migration to Automated Dependent Surveillance-Broadcast, mandated for use in all commercial and general aviation aircraft by 2020, represents one of the most significant steps forward in the modernization of air traffic control in the United States. ADS-B uses a combination GPS receiver and radio transceiver, hosted on each aircraft, to determine and report position information. Additional ADS-B services will enable in-cockpit weather and flight information such as terminal conditions, temporary flight restrictions, and notes to airmen. Though ADS-B is expected to significantly improve overall aviation safety and security, it is not expected to be completely free of security vulnerabilities. In weighing the benefits and security risks of ADS-B, the aviation industry would benefit from understanding cybersecurity problems that have emerged with parallel technologies in other transportation domains.

Contact Performance Software today to learn more about how to protect your aviation systems from cyberattacks.

Other cybersecurity and aviation articles:

Cybersecurity and the Aviation Industry: An Overview

Cyber Attacks in Air: The Threat to SATCOM

Cyber Attacks on UAVs: How Should Aerospace Respond?

UAVs and Cybersecurity

JETS Defense: The System-of-Systems Cyber Tester

Applying Cyber Kill Chain Testing to Aerospace Systems

ADS-B and Cybersecurity