MIAMI – In 2017, cybersecurity researcher Ruben Santamarta sat in front of his computer eavesdropping on the technical guts of hundreds of planes soaring thousands of meters above him. Commercial airplanes flown by some of the world’s largest airlines were among those he was able to penetrate.
That same year, a Department of Homeland Security (DHS) officer revealed that he and his team of experts remotely hacked into a Boeing 757. Around the same time, the US Federal Aviation Administration (FAA) warned that due to the nature of their connectivity, some computer systems aboard the Boeing 747-8 and 747-8F may be exposed to outside threats.
Santamarta’s 2017 experiment, as reported a year later by Forbes, was probably the first time someone hacked planes from the ground by exploiting flaws in satellite technology. If he’d wanted to break the law, the cybersecurity researcher could have hacked those onboard systems, snooped on the onboard Wi-Fi, and spied on all linked passenger connected devices.
Fortunately, because of the way modern aircraft networks work, the flights’ safety systems were not jeopardized. Yet, as modern avionics software development takes advantage of commercial off-the-shelf components, breaches such as GPS interference can result in missed approaches, forcing flight crews to re-approach the airport using backup navigation systems.
The crux of the matter is that no system is 100% hack-proof. As a benign example, to face possible threats, the US military conducts routine testing on GPS that affects, or jams, all ATM, CNS, and ADS-B systems, the latter of which reports an aircraft location to Air Traffic Control (ATC).
The above acronyms ATM and CNS stand for Air Traffic Management and Communication Navigation Surveillance. A 2018 Federal Aviation Administration (FAA) commissioned report titled “Operational Impacts of Intentional GPS Interference” states that these jamming exercises are on the increase and create serious problems to air traffic control and commercial airlines.
Indeed, some serious incidents could have taken place following the loss of the Global Navigation Satellite System (GNSS). Cases in Texas, Idaho, and Nevada have resulted in serious incidents, which could have easily evolved into accidents, following the loss of GPS navigational aids during approach or navigation, if it were not for the prowess of the affected pilots.
The question, then, is if cybersecurity researchers and the US military are able to interfere with systems that directly affect commercial aircraft operations, can black-hat hackers do the same?
Recent Cyberthreats on Civil Aviation
Hacks of aircraft and aviation-related systems, including in-flight entertainment systems, data connections between pilots and ground-based controllers, and airline operations systems, have previously occurred, resulting in flight cancellations in one case in Europe and missed landings in the US.
In the aforementioned Texas incident, a commercial flight approaching El Paso lost all GPS aids due to US military exercises held at the White Sands Missile Range. In 2017 alone, to avoid such issues, Texas ATC had to resort on 24 occasions to an action called ‘stop buzzer,’ which requests that the military pause the jamming.
The aircraft missed an approach due to wind conditions, tried again, and landed visually with no access to its Instrument Landing System (ILS) with vertical guidance. The runway in question has a high Controlled Flight Into Terrain (CFIT) risk due to terrain configuration.
Another notable incident occurred in 2015, when security researcher Chris Roberts was removed from a United Airlines (UA) flight after joking on Twitter about hacking the aircraft’s inflight entertainment system (IFE). But the plot thickened.
According to WIRED, Roberts later told FBI investigators that he was able to gain access to the Thrust Management Computer (TMC) and the IFE aboard the aircraft. The TMC, which works in tandem with the autopilot, determines and maintains the power at which the engines should operate under varied conditions.
During a previous interview with WIRED, Roberts said he discovered flaws that allowed him to leap from the satellite communication system (SATCOM) to the IFE and cabin-management systems. According to an FBI affidavit, Roberts was able to issue a “climb order,” which “enabled one of the airplane engines to climb, resulting in a lateral or sideways movement of the plane.”
On August 5, 2016, Cathay Pacific (CX) Flight 905 from Hong Kong was on its way to Manila’s Ninoy Aquino International Airport (MNL) when the pilots radioed ATC to report that they had lost GPS guidance for the last eight nautical miles to “runway right-24.”
The controllers were taken aback and instructed the pilots to land the wide-body Boeing 777-300 using only their eyes. The crew members were able to pull it off, although they were nervous the entire time. The skies were generally clear that day, which was fortunate.
This was not a one-off occurrence. The International Civil Aviation Organization (ICAO) received more than 50 reports of GPS interference at MNL alone in July and August of that year. The fact is that hackers can jam a signal by drowning it out with meaningless noise, or spoof it by feeding the receiver bogus time or coordinates, causing the recipient to become disoriented in time or space.
When one device loses its proper time, it might communicate the faked time to other devices on its network, causing the entire complex to malfunction and degrade its performance, as the above examples show.
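The jam-versus-spoof distinction above can be turned into a receiver-side plausibility check. The following is an added example, not code from the article or from any avionics product; the thresholds, flag names and the `Fix` fields are assumptions chosen for illustration, and the sample fixes are constructed.

```python
import math
from dataclasses import dataclass

# All thresholds are illustrative assumptions, not values from the article.
MAX_SPEED_MPS = 350.0      # faster than any airliner's ground speed
MAX_CLOCK_SKEW_S = 0.5     # allowed GNSS-vs-local elapsed-time disagreement
MIN_CN0_DBHZ = 30.0        # below this the signal is drowned in noise

@dataclass
class Fix:
    local_s: float  # receiver's free-running clock, seconds
    gnss_s: float   # time reported by the GNSS solution, seconds
    lat: float
    lon: float
    cn0: float      # mean carrier-to-noise density, dB-Hz

def distance_m(a, b):
    """Great-circle distance (haversine) between two fixes."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def classify(trusted, cur):
    """Compare a new fix with the last trusted one and return alert flags."""
    if cur.cn0 < MIN_CN0_DBHZ:
        return ["JAMMING_SUSPECTED"]  # no usable solution to check further
    flags = []
    dt_local = cur.local_s - trusted.local_s
    dt_gnss = cur.gnss_s - trusted.gnss_s
    if abs(dt_gnss - dt_local) > MAX_CLOCK_SKEW_S:
        flags.append("TIME_SPOOF_SUSPECTED")
    if dt_local > 0 and distance_m(trusted, cur) / dt_local > MAX_SPEED_MPS:
        flags.append("POSITION_SPOOF_SUSPECTED")
    return flags

def monitor(fixes):
    """Only clean fixes advance the baseline, so bogus time is not passed on."""
    trusted, results = fixes[0], []
    for fix in fixes[1:]:
        flags = classify(trusted, fix)
        results.append(flags)
        if not flags:
            trusted = fix
    return results

# Constructed sample: one fix per second on a ~70 m/s approach.
SAMPLE = [Fix(0, 1000, 14.6000, 121.1000, 44), Fix(1, 1001, 14.5995, 121.0996, 44),
          Fix(2, 1002, 14.5990, 121.0992, 18),    # noise floor raised
          Fix(3, 1003, 14.6500, 121.1000, 44),    # position jumps ~5.6 km
          Fix(4, 4600, 14.5980, 121.0984, 44),    # GNSS time jumps about an hour
          Fix(5, 1005, 14.5975, 121.0980, 44)]    # genuine signal again
```

Because a flagged fix never becomes the new baseline, a device running this check keeps its holdover time instead of relaying the faked time to the rest of its network.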
The high reliance on GPS is an appealing target. GPS is vulnerable and can be used to cause havoc, and the capacity to disrupt it has been demonstrated. The only question is whether an enraged individual or group would use GPS as a weapon of mass destruction. The answer appears to be yes in a growing number of cases, as there are cases of ongoing demonstrations of state-sponsored spoofing.
According to a 2019 Scientific American report, Russia is one of these countries. The Center for Advanced Defense Studies, a Washington, D.C.-based research organization, reported approximately 10,000 occurrences in ten countries, including the Russian Federation, Crimea, and Syria, in March of that year. Iran and North Korea, according to US government and academic experts, also have the capability.
Recent Cyberattacks on Civil Aviation
In the last few months, there has been a growing fear of cyberattacks on US infrastructure, a threat that the FBI says raises more alarms than the usual run-of-the-mill terrorist attacks, even comparing the latest cyberattacks to the challenge posed by another aviation ignominy, 9/11. What is true is that as commercial aircraft become more connected to the greater Internet of Things, the potential for safety issues increases, and 2021 is no exception.
Cyberattacks that affect commercial aviation can come in many forms, such as the cyberattack on SITA (Societe Internationale de Telecommunications Aeronautiques) that took place on February 24, 2021.
The February breach affected several carriers’ SITA Passenger Server Systems, including Air New Zealand (NZ), Jeju Air (7C), Singapore Airlines (SQ), SAS (SK), Finnair (AY), Malaysia Airlines (MH), Lufthansa (LH), and Cathay Pacific Airways (CX). SITA is an industry-owned firm that provides IT services to airports, border authorities, and serves approximately 400 airlines.
Then, in March 2021, researchers from Northeastern University demonstrated that a US$600 software-defined radio can be used to hack into an airliner’s radio navigation system, highlighting a potentially fatal weakness in the instrument-based systems that land aircraft ranging from small Cessna airplanes to huge commercial jets.
Here’s the thing: in a flight simulator, the university team used a widely available software-defined radio (SDR) to spoof radio signals from a plane’s instrument landing system (ILS) and prevent a single-engine plane from landing. The researchers did admit that their methods were unlikely to result in a deadly accident but warned that the hack highlighted the vulnerability of the aviation industry’s long-used instrumentation-based landing system to unscrupulous actors.
As for aviation-related, peripheral critical infrastructure, in May 2021, a major fuel pipeline in the US was shut down by a ransomware attack, forcing US carriers to find alternatives to fuel their flights. The pipeline, which is owned by Colonial Pipeline of Houston, supplies 45% of the fuel on the US East Coast and serves seven airports directly.
Flying Still the Safest Way to Travel
Don’t get me wrong, commercial aviation has a solid security basis with regard to its aircraft and its automatic flight control systems (AFCS). It also has a century-old culture of safety; rest assured, commercial aviation is the safest way to travel.
Case in point: in Roberts’s TMC hack, if the thrust increases in one engine and not the other, it will produce torque that might cause the plane to become imbalanced. But modern aircraft are balanced by design to compensate for this, so you can shut one engine down and keep the other at full throttle and it won’t flip the plane over or fly sideways.
The current cybersecurity culture in commercial aviation is bound to be built on the industry’s security-safety tandem foundation, and the safety aspects surrounding AFCS are reliable, with firewalls being among the technologies used to manage aircraft flying, as well as other communications and IFE.
There are, however, numerous specifications for aircraft systems that lack well-defined security criteria, and the industry must work to resolve them by implementing a collective and collaborative approach. This means combining intelligence and technical knowledge from all stakeholders, including security and tech firms, aviation authorities, airline and airport operators.
There is also a rising awareness in the last 10 years of cyber hacking and potential vulnerabilities inside the sector. According to a 2018 report by aviationtoday.com, more information was at the time being exchanged, but the outlet noted that it was an ongoing process as new cyberattacks are on the rise.
Three years ago, experts said efforts to prevent cyber threats and hacking were siloed across the board. Today, industry stakeholders are collaborating more and more to reduce possible threats.
To tackle these, the aviation industry has benefited from the best practices used by other private sector organizations such as financial services and retail. This is crucial in today’s cybersecurity landscape, as commercial aviation is a critical operation that counts on a reliable and critical infrastructure. But the fact is that due to hyperconnectivity and a lack of defined frameworks and cybersecurity protections, civil aviation faces rising cybersecurity threats.
One of the ways the industry is improving cyber defense against cyberattacks is to educate its civil aviation workforce, as this will lead to efforts and measures to combat cyberattacks. Moreover, being vigilant with the growing vulnerabilities of hyperconnectivity, private and governmental entities are bound to create strong cyber protection plans.
Aviation Cybersecurity Today
According to the International Air Transport Association (IATA), aviation cybersecurity can be defined as the bringing together of people, procedures, and technology to secure civil aviation organizations, operations, and passengers against cyberattacks.
As a result, IATA’s focus is on aviation cybersecurity as it relates to the complete environment that interconnects and interacts across the aircraft’s whole lifecycle (i.e., design, certifications, operations, and maintenance). This focus is linked to the operations of the following stakeholders: airlines, airport operators, air navigation service providers, original equipment manufacturers, regulators, and so on.
IATA maintains that ICAO is the best entity to lead a worldwide conversation and action on Aviation Cyber Security (ACS). IATA says it is working closely with the ICAO Secretariat Study Group on Cybersecurity (SSGC) and the Trust Framework Study Group (TFSG) to produce an action plan for implementing the strategy.
IATA also addresses airline concerns about identifying and managing cyber threats and hazards associated with safety-of-flight through the work of the Aircraft Cyber Security Task Force (ACSTF) and new targeted and agile communities of trust.
The Aviation Cyber Security Roundtable (ACSR), an annual gathering of different stakeholders exchanging information on the aviation cybersecurity landscape that helps create the vision of IATA’s cybersecurity aspects, is another important part of IATA’s approach.
Within the US, the FAA Cybersecurity Awareness Symposium, often known as “Cyber Day,” is a conference co-hosted by the Air Traffic Organization (ATO) Cybersecurity Group and the Office of Information Security and Privacy Service (AIS).
The FAA’s annual Cybersecurity Awareness Symposium aims to increase cybersecurity awareness, collaboration, and partnerships among FAA, Interagency Stakeholders, Industry, and Academia. The events provide an opportunity for attendees to discuss current security issues as well as network with peers and industry experts.
Indiana Wesleyan University professor and chair of the department of information technology and management, Calvin Nobles, outlines in his book “Security Solutions for Hyperconnectivity and the Internet of Things” the following areas that require immediate attention to safeguard against cybersecurity threats in civil aviation:
- Eliminating supply risks
- Upgrading legacy systems
- Mitigating technological aftereffects
- Increasing cybersecurity awareness
- Developing cybersecurity workforce
- Managing hyperconnectivity
- Leveraging international entities
Nobles underlines that to defend civil aviation infrastructure against cyberthreats, forceful, coordinated, and successful tactics and capabilities are required.