One of the big fears of the aviation industry is that a cyber-attack could bring down an aircraft. It certainly has a right to worry about this. Modern aircraft are full of complex technology driven by computers. Some of those systems are exposed inside the aircraft for maintenance and use.
To address the risk, Finish cyber security company F-Secure has launched Aviation Cyber Security Services. The products is designed for anyone operating aircraft, fixed wing or rotary, to help protect them from cyber-attack. It is also focused on infrastructure, data and reputations.
Hugo Teso, a former pilot and current head of F-Secure’s Aviation Cyber Security Services says: “Off-the-shelf communication technologies are finding their way into aircraft, which makes security much more complicated than in the past.
“Because these off-the-shelf technologies weren’t necessarily created to meet the rigorous safety requirements of airlines, the aviation industry is making cyber security a top priority. But they need a partner that understands both cyber security and the details of airline operations, because it’s an industry where those details make a big difference.”
Are cyber-attacks on aircraft fact or fiction?
There have been several TV films and programmes that have looked at aircraft being hacked. In series 2 of The Tunnel, a drama series set in both France and the UK, a plane is hacked through the in-flight entertainment system and brought down.
Back in the real world, in November 2017, Homeland Security admitted that it had been conducting its own hacking on aircraft. In 2016 it had hacked into a Boeing 757 parked on a runway. This was not a theoretical or laboratory exercise. The story was originally reported by Defence Daily.
The Daily Defence coverage talked to Robert Hickey, the aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate. Hickey said: “The initial response from experts was ‘We’ve known that for years’ but in March 2017, at technical exchange meeting, he said seven airline pilot captains from American Airlines [AAL] and Delta Airlines [DAL] in the room that were attending the event had no clue.
“All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible.’”
Homeland Security is not the only one testing aircraft security. In 2015, Chris Roberts of One World Labs in Denver was charged with hacking aircraft. In one instance he hacked into the entertainment system and then took control of the engine systems. His attacks targeted aircraft from Boeing and Airbus.
What is F-Secure Aviation Cyber Security Services?
F-Secure Aviation Cyber Security Services aims to protect all the cyber assets of any organisation involved in aviation. According to the press release the solution: “Integrates security assessments of avionics, ground systems and data links, vulnerability scanners, security monitoring, incident response services, and specialized cyber security trainings for IT managers as well as cabin and cockpit crews, into a single package that helps airlines harden their operations against cyber-attacks.”
The goal is to identify attacks before devices are certified for use. This is important. Protecting the aircraft themselves is only a limited solution. The weakness is often in the supply chain where component parts can be infected with malware before they are delivered. This type of attack has been seen with mobile phones and other devices over the last few years.
The solution will also help organisations create their own trust zone. Each trust zone contains equipment that has the same security rating. It allows safety-critical systems to be separated from any other equipment. The challenge is how that is done. Adding multiple physical networks to an aircraft is not acceptable to manufacturers because of the weight it introduces. Even with wireless networks there are issues such as interference and visibility to hackers.
What does this mean?
To date, there has been no confirmed downing of a commercial or military aircraft through cyber-attack. However, given the weaknesses in the supply chain and the networks in use, the possibility is there. The aviation industry is already moving to add additional protection into systems. However, much of that focus is about reacting to known threats. The aviation industry as a whole needs to start looking at different solutions.
Interestingly, none of the ERP companies that focus on aviation, such as Oracle, SAP, Infor, Ramco and IFS (Mxi), have complex cyber security solutions as part of their Aviation MRO products. However, with this move by F-Secure it will be interesting to see if any of them license this solution and embed it into their systems.
Flying is still one of the safest ways to fly and aviation has far fewer problems than automotive. Unfortunately, it will only take a single successful and publicised attack from a terrorist to cause significant issues for the industry.