Soft targets
By Joshua Hatch | September 2018
Cybersecurity attacks on airlines and their partners are neither a matter of if nor when. They are already happening with serious consequences. Joshua Hatch spoke to independent security experts and aviation executives about the greatest threats ahead.
In 2015, an attack on LOT Polish Airlines’ ground network left 1,400 passengers stranded. Last year, a breach of Delta Air Lines may have compromised as many as several hundred thousand passenger credit cards. At least several aviation companies were targeted by the Russian government as part of its broad intrusion into American infrastructure in early 2017. And in November 2017, a researcher with the Department of Homeland Security said he managed to penetrate the computer network inside a Boeing 757 the year before, though Boeing dismissed the claim.
One thing is certain: Cyberattacks reveal a troubling contradiction for the aviation industry. While the benefits of increased connectivity among aircraft and support systems are straightforward — more information delivered more quickly and more reliably — the cost of all that connectivity may be just as significant: increased vulnerability and a greater chance that a flaw in one part of the commercial airline network could have major consequences throughout it.
The most worrisome question is whether someone could maliciously hack into a plane’s flight control systems. That’s also the least likely scenario, according to Jessica Ferguson, director of security architecture at Alaska Airlines. One reason is the amount of testing and certification required for every piece of equipment that goes on an aircraft, including networking devices.
“For everything that’s put into a plane, it has to be certified by the FAA,” Ferguson says, adding that European Aviation Safety Agency certification is often also necessary. Furthermore, equipment “has to be certified not only at the product level, but then our implementation of it,” she says.
Alaska Airlines’ new Boeing 737s, which come with Linux servers that monitor the aircraft’s hardware and software, provide an example. “For us to even uncollar the circuit breakers that turned them on,” Ferguson says of the small computers, “we had to file a whole aircraft network security program with the FAA on how we’re going to monitor these things.” That required testing, documentation and even demonstrations for regulators.
Given the risk of cyberattack, and the regulatory hurdles, what makes it worth adding networked devices to airplanes? Turning planes into, as Ferguson puts it, “flying IoT [internet of things] devices” can improve maintenance efficiency and safety.
“There are economic benefits to the airlines,” explains Boeing’s John Craig, who is responsible for aircraft information and security, “and a real simple one is predictive maintenance. If you know what is going on in the airplane, you can predict whether a certain part is going to fail.”
For example, by constantly monitoring and logging how quickly a valve opens or closes, “you can predict pretty close when that [valve] is going to fail and can schedule getting it replaced.” That helps increase safety and reduce unexpected maintenance that can delay flights.
Spotting vulnerabilities
Still, some security researchers fret that clever attackers could exploit flaws in a maintenance computer, in-flight Wi-Fi network or passenger entertainment system to gain access to the plane’s flight controls, or communications or navigation systems. This is what Chris Roberts, a security expert, claimed to have done midflight in 2015, and it is similar to what the Department of Homeland Security says it was able to do in 2016 to a parked 757 it owned. “We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Robert Hickey in an interview with Defense Daily. At the time, Hickey was an aviation program manager within the Cyber Security Division of the DHS Science and Technology Directorate.
“[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”
Hickey did not respond to my voicemail request for an interview.
According to the article, Hickey said the details of the hack are classified, but said his team “accessed the aircraft’s systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, ‘you can come to grips pretty quickly where we went’ on the aircraft.”
Don’t cancel your reservation on a 757 just yet. “Everybody seems to lay claims that they can break into our systems and there are a few notable ones that just keep coming back,” Boeing’s Craig says. “To date, we have not had one claim [proved] to be true. And we investigate all of them.” Of the DHS claim, Craig notes that those findings are classified, but adds, “We participated in that test and we were not concerned with what they found.”
Why such confidence? For one, the various computers and networks — flight control, passenger Wi-Fi, entertainment — are completely segregated through hardware and software. And there are nonpublic security protocols in place, including limiting when computers are able to send and receive certain kinds of data. As a result, “there is no open communication at the networking level between systems,” says Peter Lemme, an aviation communications consultant. “We basically build a moat around aircraft control.”
Being able to monitor and alter the communications in and out of an aircraft is another concern. Since the 1970s, airlines have relied on the Aircraft Communications Addressing and Reporting System, or ACARS, for data communications with their aircraft. Coded, but unencrypted, text messages are sent over radio frequencies and by satellite. These messages, including engine performance data and updates to flight plans or gate assignments, can be printed out on telex machines or displayed on screens.
A wide variety of information is transmitted over ACARS. For example, a flight crew will let ground stations know the plane’s location or estimated time of arrival, or request a gate number upon arrival. Likewise, ground stations use it to send messages to aircraft, such as altered flight plans, information about gate assignments, or weather updates.
Still, the system is 40 years old and wasn’t designed with cyberattackers in mind. Lemme says ACARS was built for resiliency rather than security, meaning it works to ensure communications get through, rather than also verifying that the communications come from authorized entities.
As a result, it is theoretically possible to send bogus messages to aircraft through ACARS, according to security researchers. But such messages would likely have little effect. They would be more like sending spam than taking control of a plane or stealing information, since flight crews have to accept the information and decide to act on it. And any nonstandard message would raise red flags.
Even so, for Lemme, transitioning away from the current technology “can’t happen soon enough.” A possible replacement could be ACARS over IP, or Internet Protocol. Instead of messages being sent via open radio signals, the messages would be sent as encrypted data packets through a virtual private network.
Pilots, the ultimate safeguards
Airline executives are quick to point out the ultimate safeguard: pilots. “No matter how much technology we have on those planes,” says Nathaniel Callens, Alaska Airlines’ chief information security officer, “pilots still have ultimate control of the aircraft.”
Nevertheless, aviation companies actively work to find and patch digital vulnerabilities. “We actually have a secure lab where we can go in and do penetration testing,” Craig says, “and we do that on every change to the network on the airplane.”
Such testing can involve multiple companies, according to Jeff Troy, executive director at the Aviation Information Sharing and Analysis Center, an industry group that shares security information with its 45 member companies, including Boeing and Alaska Airlines. Exercises known as “red team testing” create scenarios in which one group of experts tries to break into a system and another tries to defend against it.
“The idea is to stress the system,” Craig says, with the goal of discovering ways to make it stronger. Furthermore, companies pay close attention to hacking claims by others.
While the safety of an airliner has never been put at risk by a cyberattack, according to Troy, that doesn’t mean there aren’t other significant cybersecurity threats to the aviation industry, and he cautions against a false sense of security.
“If you think that you are secure,” Troy says, referring to companies in the aviation industry, “that’s a very uncomfortable feeling for us.”
Marc Goodman, the chair for policy, law and ethics at Silicon Valley’s Singularity University and author of “Future Crimes: Inside the Digital Underground and the Battle for Our Connected World,” encourages that kind of worry. “The only people who are speaking truth about this subject say things like, ‘We’re being pounded every day. We have our finger in the dam and the wall’s about to burst.’”
Even if the planes themselves are well-protected, that is of little solace to Goodman, who says there are plenty of other paths through which attackers can wreak havoc: GPS, airport security, public Wi-Fi, ground networks such as ticketing and reservations, and even other broad infrastructure like power plants.
One example is the 2015 attack on LOT Polish Airlines. This was a distributed denial-of-service attack in which the computer network was overwhelmed with meaningless traffic, preventing the airline’s computers from being able to talk to each other. As a result, the airline was unable to let planes take off for about five hours.
That kind of cyberattack is little different from those inflicted on other industries. Credit card companies and retail outlets regularly fend off intrusions into their systems from criminals or others looking for customer information. This was the case with last year’s Delta customer breach, in which the credit card information for hundreds of thousands of customers was exposed.
A weak link
Aviation makes for an especially tempting target for attackers. Some are motivated by corporate espionage; others are after customer data such as credit card information, business email addresses or rewards points; some might be disgruntled employees; and still others “have always looked at the aviation industry as a way to highlight their political or social messages,” Troy says.
Furthermore, the vast number of companies and systems that have to work together creates opportunities for attacks. “If somebody wanted to attack Delta Air Lines, and they could not get into their computer network, they could go after Hartsfield airport in Atlanta, which is their hub,” Troy says. Or vice versa.
In fact, that problem is one that most troubles Ferguson, the Alaska Airlines security executive. She says “common-use systems” at small airports — for example, airport-operated ticketing computers running antiquated and insecure operating systems like Windows XP — interact with all of the airlines’ systems, but are out of their control. “We are at the mercy of not only the airport or port authority, but other airlines. And it’s a complex problem.”
To that end, it’s critical for the industry to collaborate. “One of the biggest benefits I’ve seen is a company that just had an attack on their network will share that information with the other companies,” Troy says. “That is probably the most valuable information you can get — to actually know how someone else in your industry was impacted by an attack.”
Helping competitors fend off cyberattacks benefits the entire industry, according to Ferguson. “I don’t win if Delta gets breached,” she says. “It’s not a competitive industry in that sense.” In fact, a competitor suffering from a cyberattack just brings headaches for everyone, she says. “If Delta gets breached, what does that bring? It brings a lot of regulators.”
Some cybersecurity concerns aren’t about malicious actions, but about technological creep. “I worry a little bit that we’ve become too tied to technology,” Lemme says. In the past, he says, small things that might be easily resolved by a pilot — like ensuring the proper navigation charts are in effect — might instead require the involvement of IT staff and addressing some systemic problem.
Data in public domain
Lemme is also worried about the quantity of aviation data being publicly shared. For example, the vast amount of information about aircraft in the sky, including the tracking of private planes, could be revealing more than people realize.
“Over the last 15-20 years, there’s been a movement to provide aircraft tracking information to the public,” Lemme says, referring to live data providing the names and locations of aircraft in flight, which powers websites like flightaware.com. That information can be valuable, especially with regard to private aircraft or corporate jets. “The movements of corporate executives can illuminate or reveal corporate strategy.” Lemme advocates obscuring the identities of more aircraft and instead assigning them temporary random names. “Air traffic control really doesn’t care who you are. They just need to have a unique identity for every flight.”
Because cybersecurity covers a broad array of concerns — from flight safety to protecting customer data to ensuring smooth operations — there’s no one solution to protecting the industry, especially not a technical one. Instead, Troy says what matters is a mindset for vigilance that constantly challenges the status quo.
“We spend a tremendous amount of time, energy and effort on the technological piece,” Goodman says, “and almost entirely neglect the human factors.”
That’s because the biggest cybersecurity hole isn’t technology, but people — their understanding of systems, their ability to foresee problems and to avoid making mistakes. “We can never say with 100 percent confidence that somebody didn’t screw something up and leave the door open,” Lemme says.