Commercial aviation is an industry in which safety and security are paramount. However, as with other critical infrastructure, consumer demand has brought the systems that run the aviation industry into greater contact with the Internet – and created more opportunities for cyber attack. The Cipher Brief asked Chad Gray of Booz Allen Hamilton about the nature of the cyber threat to commercial aviation. He feels that the threat has been overstated, but that there is a very real need for improvements to several key areas of the aviation industry’s infrastructure in order to ward off future threats.
The Cipher Brief: Senator Ed Markey (D-Mass) has introduced a bill meant to improve cybersecurity among commercial airlines. How would you assess the current degree of cyber-vulnerability in the commercial aviation industry overall? What are some common points of vulnerability in this industry in terms of cybersecurity? How has this changed over the last few years?
Chad Gray: The degree to which commercial aircraft are vulnerable to a cyber attack has been highly dramatized. There does, however, need to be more exploration by aircraft manufacturers to ensure there aren’t any existing vulnerabilities, and that they are set up to build security into their infrastructure from the ground up in future engineering efforts.
Two common areas of vulnerability are the airlines’ enterprise IT architecture and the nation’s air traffic control system. Passengers want their boarding passes on mobile devices, and they want access to partner offerings through IT systems integrations. All of that has increased the number of devices, systems and applications that are connected to airlines’ IT architecture, which means more places for an adversary to attempt an attack.
The air traffic control systems of the U.S. and other countries also continue to be vulnerable to remote access methods and denial of service attacks, and are in major need of an overhaul. Many of these systems were built decades ago and haven’t been upgraded to keep pace with today’s demands of volume and variety of aircraft. As an example, a Paris airport was reportedly shutdown for several hours when a critical system, running Windows 3.1, crashed. Windows 3.1 is over 20 years old.
Operating with a level of resiliency to prevent and respond to a cyber attack requires a modern infrastructure, capable of handling the full capacity of commercial, civil, and military aviation that will be operating in the space. And it needs to be built with the future in mind, with potential for increasing drone usage of the airspace.
TCB: What are the greatest cyber-threats to the commercial aviation industry? How can these threats be mitigated?
CG: The airline IT systems that handle scheduling logistics (including weight & balance fuel data), maintenance records, and mobile applications require further inspection for potential vulnerabilities. Today, the overall operation is accomplished via mobile applications – paper has been replaced with tablets and smartphones to cover passenger and cargo manifests, flight plans, and even aviation charts for navigation. More digital systems mean more potential vulnerability points. Scenario-based war-gaming, coupled with a tailored cyber threat risk analysis to discover the most likely and most impactful scenarios, will help inform airlines where they should invest their limited resources.
TCB: How do you see the cyber-threat environment changing in the near future? What can companies do to address these changes?
CG: There’s an old saying that the best way to catch a criminal is to think like one. Nation-state cyber actors are now targeting the commercial aviation industry. Airlines, as part of the critical infrastructure in our society, are becoming a more attractive strategic target for cyber actors to disrupt their adversary’s infrastructure. Airlines can prepare for this by leveraging the same caliber of cyber talent from current or former Intelligence Community talent. The best way to prepare for these threats in the future is by getting help from the folks who have been on the offense and can help them think like the attackers.
TCB: What is the role of government in this area? How can government and the commercial aviation industry work together more effectively to ensure that aviation systems are kept secure?
CG: The government can take a leading role in mitigating cyber attacks that affect commercial aviation by working with organizations, such as the Aviation Information Sharing and Analysis Center (A-ISAC), to share knowledge of trends and threats. Knowledge really is power when it comes to cybersecurity, and the more knowledge airlines and the government can share with each other, the easier it will be to develop ways of anticipating and reducing threats. Additionally, the government must address and prioritize funding for upgrades to the air traffic control system. Industry and the Air Traffic Control System share a symbiotic relationship—cybersecurity must be addressed for both in order to address safety properly.