This article is part of our special report Farnborough International Airshow 2016.
As airlines and airports increasingly become targets of cyber attacks, the EU’s aviation safety agency has urged taking cyber threats “seriously” by launching a common strategy.
In the US, Turkey, Spain, Sweden and recently in Poland, aircraft infected with malware or security breaches have provoked delays, loss of information and a wave of growing concern among public authorities, regulators and the industry.
The fear is that one day terrorists, clicking on a laptop, will be able to crash planes or make them disappear from radar screens.
“We have to be prepared always for the worst,” said Luc Tytgat, Director of Strategy and Safety Management at the European Aviation Safety Agency (EASA), an EU agency.
In one of the clearest indications to date of the magnitude of the challenge, Tytgat said aviation systems were subject to an average of 1,000 attacks each month.
“We have to take it seriously,” he told a recent event in Brussels, urging all EASA partners and cyber experts in member states to develop a “common understanding” of the risk management procedures and the information sharing mechanisms required to minimise risks.
“We do not have much time,” he insisted.
In an industry that knows no borders, devising a common strategy to tackle cyber threats has become a top priority over the last years, particularly in Europe and the United States which are home to the world’s two biggest plane makers.
Brian Moran, Boeing’s Vice-President of Government Affairs for Europe, highlighted the “importance” of transatlantic cooperation on the matter.
“It is absolutely essential,” he stressed during the same debate, saying “there is a great willingness to cooperate”.
EU’s new cyber centre
At European level, the response will take shape in EASA’s new cybersecurity centre, Tytgat indicated.
The Aviation Computer Emergency Response Team (AV-CERT) will help understand the nature of the threats, collect evidence of previous cyber attacks, identify security flaws and vulnerabilities, analyse and develop responses to cyber incidents or vulnerabilities – whether workarounds, recommendations, or technical solutions.
Those European efforts mirror recommendations by the high-level advisory committee set up in June 2015 by the Federal Aviation Administration (FAA) in the US. The aim of this committee is to identify risk areas and reach a consensus on international design and testing standards to counter cyber attacks.
Reflecting growing international concern for the topic, cyber security will be on the agenda of the International Civil Aviation Organisation’s general assembly in September 2016. The UN body had already flagged cyber security as a “major concern” in 2012 but the issue has gained in emergency since then.
ICAO is expected to adopt a resolution urging member countries to align cyber security responsibilities within respective governments and adopt a flexible, outcome-focused approach to deal with this new kind of risks.
According to Tytgat, the EASA and the FAA are drafting a common position “very urgently” as a contribution to ICAO’s proposal.
Hackers turned into cybersecurity advisors have played a major role in bringing the issue under the spotlight.
Chris Roberts, an IT expert, shocked the aviation sector and security agencies when he claimed that he hacked repeatedly a passenger jet through the entertainment console of his seat. He said he was capable of manipulating the plane’s engines during a flight.
His comments triggered an FBI investigation and US warning to all its airlines’ personnel to watch out for passengers attempting to connect their laptops to devices on board.
But according to Hugo Teso, a Spanish hacker and pilot, it is not necessary to get a computer on board.
Teso, now a reputed advisor for aviation companies, stunned participants in a closed-door meeting back in 2013 when he suggested he could take over an aircraft’s steering system with a mobile phone.
“In modern planes, there are a whole series of backdoors, through which hackers can gain access to a variety of aircraft systems,” he warned.
But Boeing’s Moran was less alarmist, arguing that today’s aircraft are “secured” against such intrusions. Instead, he stressed the importance of better protecting the ecosystem in which aircraft operate – from the maintenance systems to on-the-ground management systems and the cockpit.
Risks on the ground
Experts tend to agree with him. Currently, the main vulnerabilities are identified with on-the-ground networks connected to planes that upload or download flight-related information.
EASA points out that these systems are less secure than those installed on the aircraft.
Nowadays, hardware used by passengers during the flights, such as the Wi-Fi connection or entertainment consoles, are physically separated from critical onboard safety systems. That is the reason why experts questioned Roberts’ claim about the manipulation of the jet’s engines.
But the effects of cyber attacks against on-the-ground systems have already shown their effects.
In June 2015, an attack grounded around 1,400 passengers when the flight plan system of 10 planes went down for around five hours at Warsaw’s Chopin airport.
Hackers used a Distributed Denial of Service (DDoS) attack, a malicious technique commonly used on the Internet to overload an organisation’s system with multitude of simultaneous communication requests.
The attack took by surprise many actors, including the affected companies.
“This is an industry problem on a much wider scale, and for sure we have to give it more attention,” LOT chief executive Sebastian Mikosz told a news conference after the incident.
“I expect it can happen to anyone anytime,” he said.
While many airlines and airports have robust systems in place to tackle cyber attacks, “they haven’t always taken a holistic approach to the IT environment or considered the broader threat to the aviation system,” warns the International Air Transport Association (IATA).
“The next 9/11 will be caused by computer hackers infiltrating aircraft controls, not suicide bombers”, Dr. Gabi Siboni, director of the Cyber Security Program at Israel’s Institute for National Security Studies, said in a conference this year.
In December 2014, the International Civil Aviation Organisation (ICAO), Airports Council International (ACI), the Civil Air Navigation Services Organisation (CANSO), and the International Coordinating Council of Aerospace Industry Associations (ICCAIA) agreed on aligning their respective actions on cyber-threats. ICAO Secretary General said the common goal was to “work more effectively together to establish and promote a robust cybersecurity culture and strategy for the benefit of all actors in our industry”.
The agreement called on the signatories, “...to be more proactive in sharing critical information such as threat identification, risk assessments and cybersecurity best practices” and for the encouragement of “...more substantial coordination at the Estate level between their respective government and industry stakeholders on all cybersecurity strategies, policies, and plans.”
The airline industry extensively relies on computer systems in their ground and flight operations. Some systems are directly relevant to the safety of aircraft in flight, others are operationally important, and many directly impact the service, reputation and financial health of the industry.
There is no question that automation significantly enhances safety and aircraft capabilities while simplifying many routine tasks. But as a result, the number of entry points into systems is increasing steadily.
The International Air Transport Association (IATA) has developed a three-pillar strategy to understand, define and assess the threats and risk of cyber-attacks, the basis for appropriate regulation and the mechanisms for increased cooperation throughout the industry, with the support of governments.
A coordination mechanism has been established through the Industry High Level Working Group (IHLG) which meets on a regular basis. This group concentrates on the delivery and the promotion of the industry position on cyber security.
- 27 September-7 October: ICAO general assembly