Cybersecurity for business aircraft has become a hot topic in recent years, with cyber-attacks on aircraft increasing annually according to business aviation solutions provider Satcom Direct (SD). In May 2019, SD reported that 81 percent of nearly 600 aircraft that subscribe to the company’s ‘SD Threat Monitoring’ module “have experienced a cyber event that has been thwarted by the SD service.”
As high-speed connectivity links and networks for aircraft have become more widely available, the technology and service providers behind the modems, antennas and bandwidth that enable passengers and pilots on business jets to use connectivity have been tackling cyber threats by adopting the latest standards in encryption and other security measures, while also performing their own internal penetration testing and consulting with authorities.
One of the companies providing satellite-based connectivity to business jets right now is Inmarsat, with its GX fleet consisting of four satellites, a number that will increase to seven by mid-2021. The company’s current focus is on completing coverage for flights over the polar regions. Recent fleet upgrade and line-fit wins in the commercial world for Inmarsat include Air Asia, Qatar Airways and Virgin Atlantic.
“It is very common today for airlines to have cyber security clauses and requirements in all connectivity contracts,” Joseph Teixeira, vice president for aviation safety and cyber security at Inmarsat, told Avionics International.
Teixeira thinks there are now very few distinctions between protecting against cyber vulnerabilities on the ground and in the air. Inmarsat’s primary efforts to address the concerns of business aviation operators include adoption of new standards such as software partitions, firewalls, encryption and authentication within the devices or through aircraft interface devices (AID) that provide any type of data communications or exchanges between aircraft systems and wireless Electronic Flight Bags (EFBs).
“Business Aviation operators often have the latest avionics and communications on board and as a result, they typically operate their own security and encryption systems,” Teixeira said. “Inmarsat applies the latest techniques and procedures to safeguard our networks. We have also obtained the ISO 27001 certification to assure our customers that our cyber-security measures are independently verified on an ongoing basis.”
Cyber threats against aircraft are on the minds of the FAA and European Aviation Safety Agency (EASA), who are working to impose their harmonised cybersecurity requirements (DO-326/ED-202) on the aviation industry this year. EASA also plans to compel aviation manufacturers and operators to build anti-hacking protection into new/modified avionics and other aircraft equipment as a requirement for achieving EASA certification, beginning sometime in 2019. These requirements will be aimed at avionics connected to an ‘Aircraft Control Domain’ network, which handles safety-critical flight functions.
The next step in tackling cybersecurity is to move beyond the aircraft and consider an operator’s overall cybersecurity requirements in the air and on the ground, with the goal of harmonizing the two. As a provider of air-to-ground broadband connectivity for business aircraft, SmartSky Networks is doing its part for cybersecurity by imposing 5G-level security standards on its operations.
At the onboard level, companies such as SmartSky Networks are already applying cybersecurity methods and protocols to protect against the type of threats EASA is attempting to address with its proposed legislation.
This includes applying software-defined networking and network function virtualisation to enhance the company’s security posture. SmartSky Networks also uses multi-factor authentication for users, akin to Google’s two-step verification process, on computers and mobile devices to foil hostile players, and maintains insurance to compensate customers for any hacks that it can’t deter.
When it comes to developing effective cyber defenses for aircraft, “operators need to consider those protections just as if they were in a terrestrial mode,” said Britton Wanick, VP of Digital Solutions with SmartSky Networks.
“Things that are in flight need to match essentially what they provide in that office. For operators seeking informed guidance on cybersecurity, the National Institute of Standards and Technology has an entire 800 series that addresses regulations for businesses around risk management and cybersecurity in particular,” Wanick said.
Putting the Rapid7 CAN BUS Hacking Report in Context
The worst-case cyber threat scenario is for a hostile player to gain remote access to a business aircraft in flight. Such remote control would allow a hacker to redirect the aircraft to another location, use it as a guided missile or simply hold the occupants for ransom in the air until the fuel ran out.
Now it has been shown that aircraft using an onboard CAN bus Aircraft Control Domain network can be hacked and their operations remotely affected, making such worst-case attacks theoretically possible.
This is why, on July 30, 2019, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released an ICS Alert (ICS-ALERT-19-211-01) about the vulnerability of CAN bus avionics networks in civilian aircraft to such attacks. Developed for automobiles, the CAN bus, a shared two-wire network infrastructure, was not built with security or compartmentalisation in mind.
“An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment,” said the CISA ICS alert.
“The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot. The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft.”
For the record, this research was led by Rapid7 security consultant Patrick Kiley.
However, a CAN bus avionics attack isn’t easy to execute. The hack requires physically attaching a piece of computer hardware, such as a Raspberry Pi microcomputer loaded with malware commands, to the aircraft’s electronics, which is why the ICS alert specifically mentioned that the attacker must have physical access to the aircraft.
Given that aircraft hangars are usually well-secured, there isn’t much chance for hostile players to open up an aircraft and do the necessary handiwork.
Since most aircraft do not use CAN bus network architecture, this threat is not an actual concern for most business aviation operators, and those whose aircraft do use CAN bus are still not at much risk. Hijacking an aircraft via remote control requires some form of reliable wireless link included with the attached Raspberry Pi microcomputer, which is a lot of work for a hacker to do compared to stealing passwords via phishing email attacks and getting into a business aviation operator’s office network.
While possible, this kind of cyber-attack is highly unlikely.
The hacking of a business aircraft’s In-flight Entertainment and Connectivity (IFEC) network by someone connecting a device to the network while in flight is a realistic concern. This can be done by a passenger connecting a laptop computer to an aircraft’s IFEC wired connection at their seat or via the plane’s wireless network.
The good news is that IFECs typically run on Passenger Information networks that are separate from Aircraft Control Domain networks and the safety-critical avionics connected to them. The cautionary news is that there can be some cross-connection between these networks — such as providing passengers with real-time flight location mapping — that might open up vulnerabilities in the area of flight control.
The anti-hacking process begins with business aviation operators assessing the cyber vulnerabilities of their own aircraft. This can be done on an informal basis by a trusted IT expert, or more formally through a firm such as Argus Cyber Security.
Argus provides a range of cybersecurity services to aviation equipment manufacturers and aircraft operators. These services include conducting threat analyses and risk assessments; penetration testing to detect actual vulnerabilities in a specific aircraft component or entire system; and creating ‘Security Requirements Specifications’ (SRS) to help operators determine what levels of cybersecurity they wish to attain and the methods to attain it.
Argus can also help business aviation operators create their own Aircraft Network Security Programs (ANSPs), in compliance with the FAA’s OpSpec D301 Aircraft Network Security Program. In this program, customers receive assistance in developing/implementing in-house cybersecurity policies and processes to keep their networks secure and aircraft certificates properly guarded.
“There have already been incidents where passengers and white hat researchers have attempted to gain unauthorized access to the IFEC systems in the cabin,” said Rubi Arbel, Vice President, Aviation, Argus Cyber Security. “While attacks on these systems will not disrupt safety-critical functionality, they can create passenger unrest and violate privacy; ultimately threatening business continuity and customer trust.”
Today, there are cyber best practices recommended to operators by EASA in ED-204 and by the FAA in DO-355. Future regulations in the USA will most probably be based on the 2016 ARAC ASISP recommendations and in Europe on relevant EASA NPAs published in February and May 2019, according to Arbel.
“As in other industries, the supply chain is an attack vector which aviation companies should take into consideration,” Arbel said.