Headlines about aircraft platform cyber vulnerabilities inevitably grab our attention, and the current furor created by the FBI investigation of Chris Roberts, who reportedly hacked an airplane in flight, quite rightly focuses the mind upon platform vulnerabilities.
However, airline operators have arguably been exposed more widely for some time, and perhaps now there will be a recognition that these broad-based vulnerabilities need to be addressed on a holistic basis – this is not just about the website going down.
Cyber vulnerabilities are a real and pervasive issue for all airline operators. Threats come from nation-state actors, terrorists, hacktivists (including purported safety hackers like Roberts) and organised criminals. These threat actors are interested in different data, information and access.
It is feared that terrorists may utilise cyber vulnerabilities to enable, accelerate or amplify the existing physical threats of which the sector is aware.
What Roberts Claims
Of particular concern is the vulnerability of aircraft platforms. The ongoing FBI investigation into whether Chris Roberts hacked into aircraft flight systems whilst in flight clearly shows the level of platform vulnerabilities.
Roberts reportedly gained access to on-board systems through in-flight entertainment (IFE) systems, using a modified Ethernet cable that allowed access to the IFE through seat electronic boxes. As initially reported by Wired:
“[Roberts] stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” FBI Special Agent Mark Hurley wrote in his warrant application. “He also stated that he used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.”
Aviation Vulnerabilities Beyond Roberts
Electronic flight books are arguably vulnerable because of their connectivity inside the aircraft and into the wireless hub for the ground operations. This is effectively bring-your-own-device in the cockpit. Aviators need to be really sure that there are no compromised personal devices at large in the cockpit.
Terrorists are interested in compromising engineering capabilities—industrial control systems could be hugely vulnerable along with the engineering management systems, particularly those that are aligned to regulatory compliance. Software update management and new type introductions could be similarly vulnerable.
Spear-phishing e-mail attacks might compromise airline accounts. Ticketing and settlement systems that rely on websites are under sophisticated attack. The nature of these attacks has changed, targeting cloud service provision and potentially allowing the criminal to get many hundreds of clients from a single attack. The May discovery of the VENOM vulnerability (ask your technical team about it) reinforces the concern surrounding website attacks.
At the beginning of 2015 another major airline was reportedly hit by the Lizard Squad (purporting to be operating on behalf of ISIS). This looked like an attack on the airline’s website, resulting in the website being down for 23 hours. In fact, it was a slightly different type of attack, a so-called DNS attack, that redirected web traffic to a spoof website. There is a variant that steals money in legitimate-looking transactions through a legitimate-looking website.
This year loyalty programmes have been the subject of attack—exposing substantial personally identifiable information about their most valued customers.
What Does All This Mean?
Simply, the risk quantification decisions and provisions you have made to date almost certainly underestimate the total exposure when cyber vulnerabilities are factored into the analysis. You need to ask whether your risk assessment is under-representative of the total scale of exposure in your portfolio, and whether the frequency and impact assumptions of material critical risks are likely to be under-represented, with the company carrying a significant unquantified and uninsured risk.
Aviation as a sector is in the sights of the threat actors, and all operators need to accelerate and amplify their response.