Aviation Cybersecurity – Hacking Aircraft
This blog is an excerpt from the Atlantic Council report Aviation Cybersecurity – Finding Lift, Minimizing Drag by Pete Cooper. Alpine’s Christian Espinosa, an expert on penetration testing and risk assessments of commercial aircraft, contributed to this report via an interview and panel discussion.
Here’s the interview:
How do you envision the future of your segment, and how do connected technologies play a role?
Supply chain management, third-party penetration testing, and aircraft domain (enclave) management must evolve and are paramount to the future safety of “e-Enabled” aircraft against cyber threats. Managing the entire supply chain of components and systems that are integrated into an aircraft is critical. A vulnerable or compromised system from a supplier that makes its way onto an aircraft can be used to attack other connected systems on the aircraft. A risk management framework should be established, followed, and managed for all aircraft suppliers.
Third-party penetration testing should be performed against supplier components and systems, as well as the integrated systems on the aircraft. A third-party is necessary to provide impartial testing. Penetration testing reduces risk and uncovers flaws and vulnerabilities often missed by automated vulnerability scanning tools. Thorough third-party penetration testing should be mandatory for all suppliers for aircraft manufacturers.
Aircraft systems are placed in domains. Systems in each domain have specific Design Assurance Level (DAL) requirements, based on system criticality pertaining to hazard analysis or effect on safety of flight. Cybersecurity risk is introduced by the interconnections of these domains, such as data flows between systems at a lower DAL to systems on a domain with a higher DAL. These data flows and rationale for their existence need to be assessed thoroughly.
What are the major concerns your sector has from a cyber safety, policy, or security standpoint?
The major concerns are cybersecurity awareness, skills shortage, and policy. With cybersecurity awareness, many stakeholders do not understand the true risk connected systems pose to aircraft safety. Risk is often viewed in terms of the current state of affairs, but aircraft systems are complex and are not easily “patched”. As an example, everyone thought WPA2 was secure, until KRACK, and that Bash was secure until Shellshock. If a threat tree used to assess risk determined a “low” risk rating for a system using Bash, for instance, how does a major Bash exploit like Shellshock alter this risk rating and what other systems are now exposed in that same threat tree?
Skills shortage is another concern in the aircraft manufacturing industry. The EASA and FAA certify aircraft via type certifications to determine airworthiness of an aircraft “design”. The FAA and EASA have done a great job with this in the past, but do they have the cybersecurity expertise to determine if the cybersecurity aspect of the aircraft is properly designed? Aircraft are complex systems with thousands of components from hundreds of suppliers. Adequate cybersecurity skills, training, and experience are required to properly assess aircraft cybersecurity and focus on what has been proven to reduce cybersecurity risk, especially from a fundamental secure design aspect.
Policy is another concern with aircraft manufacturing. Once a type certificate is issued for an aircraft, according to policy, the design cannot typically change. How does this policy address cybersecurity issues in a timely manner, such as applying patches to aircraft systems to mitigate cybersecurity risk? And, what effect does a “patch” to a component on an aircraft have against the entire system? Aircraft are very similar to SCADA systems; both used to be treated as standalone, air-gapped systems, but they have both evolved to be connected to the Internet, which introduces a myriad of threats via new entry points into the system. Attacks on the once thought secure SCADA environments are now commonplace – Stuxnet, the Ukrainian Power Outage, etc. Efforts need to be made to ensure attacks such as these do not become commonplace on aircraft.
As technology evolves, how is your sector anticipating and avoiding future threats over the lifetime of those technologies?
Proper risk assessment is critical for aircraft safety. The challenge is when the likelihood of an attack against a system that may cause catastrophic impact deemed “rare” or “out-of-scope” later becomes “trivial” due to a new exploit discovery. This evolving risk and how to address it creates opportunities with a certification process that is based on a point-in-time design. To overcome some of these challenges, some aircraft manufacturers perform risk analysis with the assumption a system with an external entry point will be fully compromised by an attacker. This helps ensure that any system with a connection, or path, from the component considered fully compromised is properly assessed for risk and thoroughly tested.
Software on aircraft is typically treated as a “part”. This facilitates configuration control because existing parts management infrastructure and procedures are utilized. A known configuration that is tightly controlled is much easier to assess from a risk perspective, than a system lacking configuration control.
The aviation cybersecurity report launch was held November 7, 2017, in Washington DC. The launch included a panel discussion on Hacking Aircraft. This session was recorded and is shown here.
Christian Espinosa Bio
Christian after finishing the 2017 Broken Arrow Skyrace
Christian Espinosa is the CEO and Founder of Alpine Security. He has worked as a Network & Systems Engineer, a White Hat Hacker, a Trainer, a Consultant, and an Entrepreneur in the cybersecurity industry since 1993. He has held over 20 industry certifications, including the CISSP, CISA, LPT, ECSA, PMP, CCSP, etc. He is a veteran of the United States Air Force and holds a BS in Engineering from the U.S. Air Force Academy (USAFA) and an MBA in Computer and Information Management from Webster University. He also holds multiple patents on cybersecurity attack and defense simulation. Some of the major recent projects Christian has worked on include penetration testing and security assessments of commercial aircraft, medical device penetration testing, and numerous incident response projects. When Christian isn’t protecting us from cybercriminals, he climbs mountains, travels the world, teaches outdoor wilderness survival, and races ultramarathons and Ironman triathlons.