Airborne connectivity doesn’t need to come with cybersecurity baggage
The growing digital interconnectedness between aircraft networks is making operations more efficient for airlines and providing conveniences for the traveling public. But now, bad actors are threatening to turn this happy revolution against us. Josh Lospinoso puts on his hacker hat to point us to tactics for better cybersecurity in the air.
Modern commercial aircraft are flying data centers connected to the internet or, in the case of some subsystems, private networks. On any given day, there are some 25,000 planes in the air globally, including 5,000 over the United States. Every one of them relies on hardware and software components made by thousands of suppliers. The avionics and controls in the cockpit and the in-flight entertainment screens are more connected internally and externally than ever.
The electronics and software that the crew relies on to control the aircraft, known as operational technology or OT, create valuable data for stakeholders across the modern aviation ecosystem, from real-time location information for air traffic controllers to performance metrics for mechanics. A Boeing 787 Dreamliner’s Common Core System, the backbone of its computers, networks and electronics, hosts 80-100 applications. A 787 also reportedly generates half a terabyte of sensor data per flight. An Airbus A350 XWB has over 50,000 sensors and collects 2.5 terabytes of data daily. And a typical GE jet engine collects information at 5,000 data points per second.
There is no going back on this interconnectedness. In fact, the trend is likely to grow. Driven by the need to cut costs, find efficiencies and cope with an unprecedented employee shortage, operators now realize that analyzing big data at scale and in real time can help them gain competitive advantages.
Offloading, processing and operationalizing aircraft data quickly used to be challenging, but then onboard satellite-based internet broke down that barrier. Lufthansa was the first to offer this service in 2004. In 2013, JetBlue upped the game, providing broadband service with Viasat’s Ka-band geostationary satellites. And soon, SpaceX’s Starlink will provide Hawaiian Airlines with ultra-high-speed broadband from low-Earth orbit.
Internet connectivity on commercial aircraft comes with some complicated cyber baggage, though. Manufacturers of OT systems often don’t give cyber resiliency the attention it deserves, leaving even the most modern aircraft without basic cybersecurity protections.
Unlike enterprise IT hardware and software used by large companies that are well-known to security teams, visibility into the cyber risks lurking inside an aircraft’s components and networks is much more opaque. The more technology an aircraft has, the more complex it is to see and manage. And as more advanced, connected technologies make their way onto aircraft and as they become more closely interconnected with legacy systems, they will introduce new, unknown vulnerabilities.
This expanding, complex and largely unchecked attack surface is good news for bad actors seeking new opportunities to compromise our critical transportation infrastructure. They know that persistent connectivity with aircraft systems can make them as vulnerable as connected IT assets found in traditional businesses. They also know that failing to detect and fix a single exposure point could have a cascading effect on the entire aviation ecosystem.
In short, operators must balance the implementation of connectivity with the need to keep malicious adversaries at bay.
If I were a bad guy, here’s what I’d do
Don’t worry. I’m not sharing anything that bad actors haven’t already considered. My purpose here is to give you a glimpse of how a successful aviation security team puts itself in the hacker’s shoes. Hackers view the revolution in airborne connectivity as a tree of juicy low-hanging fruit. Implementing effective defenses against them begins with a security team recognizing that bad actors come in a variety of forms and, therefore, have a variety of motivations.
It begins with grasping the variety of threats. A security team must track nation-state operatives, cyber terrorists, hacktivists, script kiddies who buy code off the dark web and insiders who turn against their organizations. Motivations range from a desire for strategic advantage on the world stage, to a determination to change societal behavior through fear or by exposing information, to an attempt to earn financial gain or market advantage through the theft of intellectual property.
As you read on, imagine I’m a hacker who is after financial gain with ransomware. Hackers are increasingly attracted by how lucrative it can be to hold a company’s network and data hostage. The average ransom payouts bad actors get from critical infrastructure operators and health care systems are well into seven figures. Still, victims would rather pay than risk financial and reputational damages — despite advice from the U.S. government.
The aviation industry is no stranger to ransomware attacks. Indian airline SpiceJet grounded flights in May due to such an attack. Another attack targeting Swiss aviation services company Swissport caused operational disruption in February. And last August, Bangkok Airways suffered a similar cyberattack resulting in the exfiltration of sensitive passenger information, including passport and credit card data.
An organization facing the risk of downtime losses may cut its losses and pay the ransom. This vicious cycle drives up the cost of ransom demands, encourages bad actors to seek new victims and emboldens them to devise novel attacks.
So with my motivation clearly defined, I can focus on execution. Bad actors have a history of rudimentary hacks on noncritical aircraft systems. Many of these systems remain vulnerable, and replicating a tried-and-true attack would take minimal effort. I’d attack one to make noise and get an operator’s attention.
Among the low-hanging fruit would be an attack on an in-flight entertainment system. These systems fall into a category known in the aviation world as Design Assurance Level E, or DAL E, which are systems that are considered least critical to the safety of the passengers.
Systems in this category have been hacked before, and I’d do it again. Can I access flight-critical controls through the entertainment system? Hopefully not. So why would I pick that? At scale, a carefully executed attack there could impact the flying public’s trust.
High over somewhere, I could take control of what passengers see on their seatback screens and present a demand that the airline pay a ransom before I will release my control. Such a demand is the last thing anybody wants to see while traveling at 450 knots and at an altitude of 36,000 feet. This type of attack could quickly incentivize an airline to pay a ransom rather than risk additional consequences.
But now, I’m emboldened to do more and seek higher payouts. Let’s go a hypothetical step further.
An attack on DAL E systems might cause passenger concern, but a suspected threat against one of the more critical systems in the DAL A-D range could ground a plane — or an entire fleet. If the airline doesn’t decide to do so, the flight crew could refuse to fly. Evidence suggests adversaries are already escalating such attacks, and the White House continues to warn us about these threats. Even the U.S. Department of Homeland Security has remotely hacked one of its test aircraft to demonstrate how airlines are at risk.
Moving up the design assurance levels, I’d cause a disruption that motivates payment while understanding what an airline can afford. If the average lease payment on an aircraft is $350,000, and if I can interfere with normal operations just enough to keep aircraft grounded, I could cost any of the four largest U.S. airlines (each with around 800 aircraft in their fleets) upward of $10 million a day.
How might I do it? When an aircraft pulls into a gate, communication between it and airline operations happens automatically. Wireless and cellular links exchange data like updates to electronic manuals, databases, minimum equipment lists in an aircraft’s electronic flight bag, engine trend monitoring data and more. I could compromise those connections and move from one system to another until I find my next exploit.
If I get into these communications, I could alter data or transmit error codes back to the aircraft so it can’t push back. Indeed, an over-the-air attack on a software update to primary avionics or a spoofed message to the flight control computer could trigger a master caution alarm, grounding an entire fleet until my ransom is paid.
But I’m not a bad guy, so now what?
Understanding an adversary’s playbook helps you make decisions to better protect aviation assets. Defenders should focus on best practices to prepare for the inevitable threats of a fully connected future. I’m encouraged by operators thinking about cybersecurity ahead of regulators. Here’s where to start:
- Observability: Solutions that provide observability into IT infrastructure won’t work on aviation assets, including critical flight control computers. To know what’s happening inside each aircraft and across your fleet, you must invest in modern, purpose-built solutions that access and interpret the data created by all of an aircraft’s onboard systems and networks.
- Risk assessment: Most aircraft components need critical software and operating system updates that often take years to get. Bad actors could exploit unpatched vulnerabilities in a component to move laterally across an aircraft. So protect your least critical systems as you do your most critical ones. Assess risks to onboard components and systems across all design assurance levels.
- Threat detection: The whole industry must internalize the government’s continued warnings that critical transportation infrastructure is the ongoing focus of nation-state attacks. That means having solutions that can detect threats and active attacks before they escalate.
The siren’s call for connectivity on commercial aircraft is too strong for the aviation industry to ignore. The irresistible benefits of data connections with fleet aircraft, including critical avionics systems, should be implemented in a way that protects flight safety.
The advice of the Federal Aviation Administration couldn’t be any more explicit: “The increasing connections between airplanes and other systems, combined with the evolving cyber threat landscape, could lead to increasing risks for future flight safety.” We must act without delay to embrace and apply modern cybersecurity principles to aviation environments and assets.
is founder and CEO of the Shift5 security company in Washington, D.C. As a U.S. Army captain, he was a founding member of U.S. Cyber Command. He holds a Ph.D. in statistics from the University of Oxford.