Compliance and risk officers in the aerospace business should review their cyber-security practices in the wake of recent high-profile data breaches that could signal emerging cyber-threats in the aviation industry.
Earlier this summer, hackers believed to be linked to the Chinese government infiltrated the computer system of United Airlines, compromising customer and flight records. The breach occurred around the same time that United experienced a computer glitch that grounded all its flights for nearly two hours (although no connection has ever been confirmed between the incidents).
In a second cyber-attack targeting the airline industry, hackers in June infiltrated the flight-planning system of Polish airline LOT, grounding all its flights. “This is an industry problem on a much wider scale, and for sure we have to give it more attention,” LOT Chief Executive Officer Sebastian Mikosz said in a statement.
Both incidents highlight the growing cyber-risks that the airline industry faces as the Federal Aviation Administration makes the transition from a ground-based radar air-traffic control information management system to its Next Generation (NextGen) satellite-based system. “Each of those changes in technology means that there are more points of interconnectivity between the aircraft and the air traffic control system,” says Gerald Dillingham, director of civil aviation issues at the Government Accountability Office.
The more interconnected airline systems become, the more vulnerable they are to a cyber-attack. “Airplanes themselves have never been more complex, never been more reliant on technology,” says Jeff Schmidt, a pilot and CEO of JAS Global Advisors, a security consultancy for government and critical infrastructure firms. “Complexity is the enemy of security.”
In April, the GAO issued a report recommending that the FAA adopt a more comprehensive approach to address cyber-security. “The FAA and the industry need to be more aware and act in a way that reflects the new threat for aviation,” Dillingham says. The airlines also “need to take action to mitigate those potential threats and the risks associated with them,” he says.
Currently, no formal set of cyber-security policies and procedures exists for the airline industry. “FAA is working on standards for cyber-security, but for now they are using a process called ‘special conditions’ as the substitute until those requirements are formalized and complete,” Dillingham says. The GAO defines a special condition as a “rulemaking action that is specific to an aircraft make and often concerns the use of new technology that the Code of Federal Regulations do not yet address.”
High-profile attacks like the ones that targeted United and LOT should serve as a wake-up call to compliance and risk officers at airlines to enhance their cyber-security efforts. “Cyber-security is evolving almost on a daily basis in terms of the threats and challenges that are out there,” says John Rose, vice president-elect of the public policy division at the American Institute of Aeronautics and Astronautics. The way airlines design their security systems must evolve as well, he says.
Boeing, for example, has developed a cyber-security aviation framework that includes an aviation information sharing and analysis center that provides the aviation industry with a forum for managing risks to the aviation infrastructure. “Effective information security risk management requires a framework and methodology that can adjust to this dynamic security threat environment,” Boeing says on its website.
According to Boeing, an airline information security framework should ensure that:
Managing information system-related security risks is consistent with the organization’s mission, business objectives, and overall risk strategy established by the airline’s senior leadership; and
Information security requirements, including necessary security controls, are integrated into the airline’s enterprise architecture and system development lifecycle processes.
Robust security controls are especially important, given that insider threats are “probably the most dangerous adversaries that any enterprise faces,” Schmidt says. A lot of preventative measures start with “good internal hygiene,” he says.
Some major airlines are getting particularly creative with their security measures. For example, some employ “white-hat hackers”—computer security experts who specialize in penetration testing—to try to hack their systems to uncover any potential security vulnerabilities, Dillingham says.
DEVELOPING AN AIRLINE INFORMATION SECURITY FRAMEWORK
Below, Boeing describes what airlines need to do to protect their data on the ground.
The need for airlines to adopt a solid information security framework is clear. Cyber attacks are increasing in number and sophistication. Software vulnerabilities expose intellectual property to unauthorized users. And insider threats to IT infrastructure and proprietary information are increasing.
Effective information security risk management requires a framework and methodology that can adjust to this dynamic security threat environment. An airline information security framework should ensure that:
Managing information system-related security risks is consistent with the organization’s mission, business objectives, and overall risk strategy established by the airline’s senior leadership.
Information security requirements — including necessary security controls — are integrated into the airline’s enterprise architecture and system development lifecycle processes.
The ideal airline information security framework addresses airplanes in flight, ground operations, and threat management. It consists of three major functions: prevention, detection, and response.
Prevention addresses the ability to prevent disruption to the current operational state by allowing authorized access to the system services and preventing unauthorized access.
Detection consists of the ability to detect a security threat and assess information systems’ vulnerability to threats. Security threats consist of all methods, both intentional and unintentional, that result in unauthorized use of information systems. Detecting a threat requires a methodology and set of tools to define and evaluate the authorized use of the information systems and detect information system abnormalities.
Response comprises timely and effective communication to a defined set of stakeholders and the initiation of countermeasures to thwart the active threat and to reconcile disruptions and recover the system.
The information security framework is supported by three qualifying concepts: defense in depth, active management, and configuration control.
Defense in depth addresses the need to establish a multilayered approach to ensure that prevention, detection, and response cannot be compromised with a single threat approach or disruption event.
Active management is the persistent awareness of the network and its configuration. Both scheduled and unscheduled events occurring on the network that would change the configuration of the network are tracked.
Configuration control is the adherence to a well-documented process that manages all changes to the information system. This change control process falls under the broader discipline of business continuity.
United even established a first-of-its-kind “bug bounty program” in the airline industry. The program rewards independent researchers up to 1 million airline miles if they discover a potential security bug that affects United’s websites, apps, or online portals. Bugs that are found on onboard Wi-Fi, entertainment systems or avionics, however, or bugs found on internal sites for United employees or agents (that is, systems that aren’t customer-facing) are not eligible for submission, United said.
As another information security control, some airlines try to ensure that their critical systems—the ones that control the aircraft—are physically separated from the in-flight entertainment systems to minimize the risk of someone hacking their way from entertainment to those critical systems, Dillingham says.
Other examples of robust cyber-security practices in the industry are hard to come by, as most airlines prefer to remain tight-lipped about their security efforts. “Protecting and defending our network and systems against unauthorized access is something American Airlines takes very seriously,” says Martha Thomas, a spokesperson for American Airlines. “We do not share the specifics of our program and efforts for security reasons.”
Aerospace experts advise airlines, when assessing their cyber-security risks, to take all jurisdictions, business units, and the entire supply chain into consideration. “I would definitely not limit [cyber-security] to being an IT issue,” Schmidt says. “I would think of it as an overall enterprise-wide risk management issue.”
In many respects, the cyber-security issues that the aviation industry faces are “industry agnostic” in terms of procurement, Rose says. A lot of the same hardware components that go into making the avionics in a commercial airplane, for example, also go into making other technology products for other industries, he says.
To mitigate the risk of hackers embedding malicious software within those components, compliance and risk officers in collaboration with IT should refer to the National Institute of Standards and Technology guidance, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations.” That guidance provides best practices on how to better manage the supply chain for technology products, to root out cyber-threats that might leave a piece of IT equipment compromised or simply malfunctioning.
As the FAA and other industry bodies work to develop further cyber-security guidance, compliance and risk officers should work with regulators to help shape and drive those cyber-security frameworks. “[T]he commercial aviation industry could benefit from a closed, protected forum in which industry and government can exchange information about emerging information security cyber-threats to the air transport and aviation industries,” Boeing said.
“This type of forum would engage key government and industry participants in the development of the appropriate, coordinated strategies, policies, standards, and processes for aviation,” Boeing added. “The establishment of such a forum will enable the industry to understand the capabilities of existing and planned cyber-security controls and assure that it is prepared for the continuing emergence and escalation of cyber-security threats to the aviation industry.”
Aerospace experts further recommend that airlines share information and real-world experiences with one another to gain a common understanding of the cyber-security threats out there and how they are mitigating those threats. “A lot of times, companies are hesitant to share data,” Rose says. “The more we can share, the more we can leverage best practices.”
Airlines need to come to the realization that the way they’ve addressed security issues in the past doesn’t pass muster anymore. Better threat analysis is needed to understand today’s evolving cyber-risks, as is a willingness and ability to adapt to those changes.