Don’t wait for disaster

October 2018

Just because hackers have not brought down a commercial aircraft or paralyzed global air travel does not mean it can’t happen. Cybersecurity strategist 
James Vasatka offers a blueprint for commercial aviation cybersecurity.

Much has been said about the state of commercial aviation cybersecurity. Some of it is true. The important questions are which parts are true and which steps airlines, manufacturers and air traffic service providers must take to assure the continued integrity of the aviation system and the trust of the traveling public.

Do commercial aviation cybersecurity standards set a high enough bar? The following thought should give us pause: “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards — and even then I have my doubts,” computer scientist Eugene H. Spafford of Purdue University was quoted as saying.

As psychologist Daniel Kahneman has pointed out, humans have a tendency toward what he calls System 1 or automatic decision-making rather than System 2, effortful decision-making. This tendency results in biases, blind spots or lack of imagination. We are inclined to overestimate our capabilities, focus internally, underestimate risk of external threats, underestimate the need to coordinate across organizations, and ignore external innovation.

We can see System 1 decision-making at work before the 1941 Pearl Harbor attack; the Apollo 1 launchpad fire in 1967; the Cuyahoga River fire of 1969; the explosion of the shuttle Challenger in 1986 and the disintegration of Columbia in 2003; and the Sept. 11 terrorist attacks in 2001.

Cyberattacks on critical infrastructure, including the aviation system, will continue to increase, unless we shift to effortful decision-making. Without that, we will not understand the risks we face or prioritize investments appropriately, and we risk outcomes ranging from excessive regulations by well-intentioned legislators to catastrophic loss of life.

The risk expands

Today’s cyber risks are not to suggest that society hasn’t benefitted greatly from the communications revolution that began in 1969 when researchers working for the Pentagon’s Advanced Research Projects Agency (later renamed DARPA) sent the first messages over the ARPANET, the military precursor to today’s internet. Those benefits are undeniable, but the desire to realize the economic benefits afforded by these advances is creating a dependence on an unreliable communications technology.

For example, we know from the 2010 Stuxnet attack on Iran’s nuclear centrifuges that even obscure, proprietary networks with no connection to the internet can be vulnerable. Even when a site like this is not connected to the internet, the software that runs it was developed in a facility that was connected to the internet, making the software a threat surface. The Stuxnet malware targeted the supervisory control and data acquisition software at an Iranian nuclear facility. This incident proved that software can be deployed as a weapon to destroy physical infrastructure, in this case Iran’s centrifuges. The risk to commercial aviation has now expanded from the traditional areas of physical safety and security to the evolving threats in the cyber realm. The only barrier remaining for commercial airplanes is the community’s rigorous safety standards.

Some of the key considerations for understanding the current state of affairs include: the internet is not secure; economics are driving increased automation and connectivity; the use of IP-connected systems continues to expand; threats continue to evolve rapidly; adversaries have an asymmetric advantage given that they must succeed once whereas defenders must thwart attackers every time; the increasingly complex and dynamic environment requires improved security; cyber criminals can implement new technology in days or months, whereas the commercial aviation industry typically needs years or decades.

Getting the focus right

I don’t believe the risk today centers on the airplane, notwithstanding the claim by a manager from the Department of Homeland Security that during a test, agency experts managed to exploit radio communications to hack into the cockpit of a Boeing 757 at an airport. While the details of the test remain classified, those radio frequency communications would be either voice or for the Aircraft Communications Addressing and Reporting System. I don’t believe you can use voice or ACARS to hack into a flight-critical system.

That is not to say that ACARS might not pose other kinds of risks. Widespread disruption of the ACARS system would have a significant impact on the departure of airplanes, the plans of the traveling public and airline costs. ACARS is a two-way messaging system that was designed in the 1970s to improve data integrity and reduce crew and air traffic controller workloads. Flight plans or weather updates from an airline’s operations center, for instance, are routed to a central computer and then on to one of two service providers that then transmit via VHF radio ground stations around the world to the airplane. Messages from the airplane, such as automated event reports about the health of equipment, flow through the system in the opposite direction. Anyone armed with a computer, a radio transmitter and easily available know-how can send and receive ACARS messages.

It is important to understand the safety assessment developed for ACARS by a standards committee of the RTCA, an association founded in 1935 as the Radio Technical Commission for Aeronautics. The assessment assumes that the information can be corrupted. Operational mitigations are included in the implementation to ensure that the information received is appropriate for use. The committee exercised System 2 decision-making in the assessment by identifying mitigations for the possibility of corrupted data, but at that time, the internet did not yet exist. Even though I do not believe ACARS could be used to take control of a plane, it may be necessary now to review the safety assessment in the context of the evolving threats.

A second set of mitigations is provided for in many countries by criminal codes for unauthorized interference with aviation. There are many cases in which individuals were fined or imprisoned for unauthorized communications with airplanes.

Establishing consequences

There are a couple of interesting points to glean from the ACARS example.

The first is that the data may be corrupt and operational mitigations are in place to assure safety of flight. Unauthorized communication can impact the efficiency of airplane and air traffic operations. The second is that the threat surface extends beyond radio communication with the airplane. Any component of the ACARS ground system connected to the internet creates a threat surface.

The third is that unauthorized access to the ACARS network, either ground or air system, may be legal in some countries, and international conventions requiring nations to support law enforcement investigation are not in place for cyberattacks. I find it interesting that if you place a bomb on an airplane you are a criminal in the 192 member states of the International Civil Aviation Organization, ICAO, whereas if you attack an aircraft with electronic digits, you are a cyber warrior or hacktivist in some nations. Today, if a country does not follow the international instruments governing behavior for flight safety, such as not providing safety oversight of airlines, and physical security such as not screening passengers and baggage for bombs, the airlines based in those countries will be denied access to two large aviation markets: the U.S. and Europe.

In the cyber realm, however, there are no consequences for bad behavior by nation-states involved in attacks on aviation. If there are no consequences, there are no rules. If there are no rules, there will be chaos.

This contradiction is not simple to solve since state-sponsored espionage, intelligence and military preparedness are all intertwined.

Where the safety of the traveling public is concerned, including in the cyber realm, nations should follow the underlying principles of the ICAO convention. Countries participating in international aviation have an obligation to prevent attacks on commercial aviation and to respond to law enforcement investigations in a reasonable time. Commercial aviation should be off limits to unauthorized interference. It will take at least 10 years to negotiate such an international instrument for cybersecurity. That is, it will take 10 years after we get started.

The fourth issue is the need to develop a common language and approach. As noted earlier, mitigations are included to address corrupted data over open communications channels. Government agencies, on the other hand, would see open communications as a vulnerability, and it then becomes a classified discussion with no path back into the open and transparent commercial arena.

The last point is that aviation safety, security and efficiency are a shared responsibility — a partnership of government agencies, airlines, airports and manufacturers providing layers of security.

The decision-making culture is an important aspect to meeting these responsibilities and there are, unfortunately, a mix of cultures in the cybersecurity arena.

Decoding the cultures

Today’s safety culture evolved separately from the cybersecurity culture, and therefore takes a data-driven, working-together approach driven by a desire to reduce accident rates. Open, transparent collaboration for risk management, modeling and decision support created a shared vision, strategy, goals, standards and implementation models that drive safety improvements and international norms of behavior.

By contrast, the security culture, which today remains separate from the IT security culture, takes a law enforcement/intelligence approach driven by legal and policy considerations. This culture has proved successful in strengthening the system’s resilience against physical attacks by terrorists through prevention, response/mitigation and recovery. To protect methods and sources, the distribution of sensitive threat information is restricted to a need-to-know basis. This culture often focuses on components of the aviation system and does not always understand the impact on stakeholders or leverage their knowledge and capabilities.

The security culture also is in dire need of resilience to cyberattacks. The black hat culture of nation-state and criminal hackers adds complexity to the decision-making approach. Black hats have no rules and strong imaginations and are not restricted by the biases and norms of aerospace engineers. One person’s criminal is another person’s cyber warrior.

The IT security culture is tasked with the untenable position of being on the losing side of asymmetric warfare. IT security professionals survive by exuding confidence even before they understand the scope of the problem, recovering the system to an acceptable state, and repeating the first two steps. As they strengthen their system, adversaries move on to the next weakest link.

In the U.S., an unauthorized access to a computer system is a crime. Criminal investigations are time and resource intensive. They seldom result in a conviction due to their often-international nature. Therefore, corporations and IT security professionals have little motivation to report these crimes.

White hat hackers in government, industry and research firms have the best jobs in the world. They get to break things for fun. They also tend to oversensationalize safety implications of their research. Since the aviation community must divert critical resources in reaction to their misrepresentations, they are not considered a responsible party by the aviation community. This creates an unfortunate situation where the community has not figured out how to effectively deploy this creative and imaginative force.

In the United States, back in 1997, the President’s Commission on Critical Infrastructure Protection, known as the Marsh commission, recognized the cyber risks to telecommunications, information technology, commercial aviation, GPS and other parts of the infrastructure. The commission urged the government to work with private industry within an existing framework of government policy and regulation. The commission recommendations called for a concept of shared cyber threats, an integrated approach to protection, cultural changes and government to lead by example.

Less than two decades later came the 2014 data breach of the Office of Personnel Management, announced by the agency in 2015. Stolen were background checks, Social Security numbers and other information for millions of current, former and prospective federal employees and contractors. The OPM breach highlights the challenges for just one stakeholder, the U.S. government, to adopt best practices, actively manage risk, and improve security planning in its own information systems.

A possible template

For those in the aviation cybersecurity community, the good news is that there is a model to draw from. In 1997, the FAA and the industry formed the Commercial Aviation Safety Team with a goal of achieving an 80 percent reduction in the fatality rate for commercial aviation by 2007. Today, CAST’s various analysis teams provide a collaborative model that the airlines, manufacturers and aviation regulators could extend to implement the cyber recommendations of the Marsh commission. The principles underlying this holistic system’s approach include: 1) understanding the needs and risks of the stakeholders, 2) bringing the knowledge base of the stakeholders together for a common understanding of issues, 3) aligning stakeholder positions through data-driven, risk-informed analysis, 4) aligning the strategies and plans of the key stakeholders, and 5) balancing risk reduction with operational and economic impacts.

Leveraging these principles in the context of the needs and cultures of the cybersecurity communities would accelerate development of common risk management, modeling and decision support methods.

Much progress has been made in addressing elements of the comprehensive framework developed and presented by the Commercial Aviation Cybersecurity Panel at the 2013 AIAA Aviation Forum. Work remains to build a common vision, integrated strategy and plan for assessing and prioritizing cybersecurity risk to strengthen the security posture.

So far, the aviation community has built a rigorous governance, risk and compliance model for physical safety and security. Next, a governance, risk and compliance model is needed for cybersecurity. This model will be difficult to develop due to the complexity of the technical issues, the cultural disparities, and the geo-political considerations. The questions that need to be answered include:

What are the crown jewels that need to be protected?
Do we understand the risks?
Are the rigorous safety standards robust enough?
How do we shift the decision-making environment to prevent a failure of imagination?
How do we bridge the cultural gaps?
Is the community ready to take a holistic approach?

Strengthening commercial aviation’s cybersecurity posture and improving its resilience if disruption occurs will require the following:
1. A road map, strategy and plan for addressing the evolving threats;
2. A national research and development plan for securing critical commercial aviation connectivity; and
3. An international convention treating cyberattacks on commercial aviation as unlawful interference.

The list of events at the beginning of this piece shows a wide range of consequences for failures of imagination. The 1969 Cuyahoga River fire is the likely scenario that aviation and the high-tech industry face in the near term.

The Cuyahoga River caught fire at least 13 times between 1868 to June 22, 1969. It took the 1969 fire to catch the attention of Time magazine and the environmental movement. The resulting political pressure was one of the catalysts for establishing the Environmental Protection Agency in 1970.

How many fires will aviation face before the nation rallies to create a vision and build a plan?

James Vasatka. Credit: Courtesy