Aviation, as part of the transportation sector, falls within the critical infrastructure. While it may not have the same security issues as ICS/SCADA-based manufacturing and utilities, it has certain conceptual similarities; including, for example, a vital operational technology infrastructure with increasing internet connectivity, and the associated cyber risks.
It also has one major difference — the close physical proximity of its own customers. Catastrophic failure in the aviation industry has a more immediate and dramatic effect on customers — and for this reason alone, a trusted brand image is an essential and fragile part of success in the aviation industry. Without customer trust, customers will not fly with a particular airline.
Historically, aviation security has primarily focused on physical safety, and has become highly efficient in this area. But in recent years, the customization of new aircraft to provide newer and unique passenger experiences — such as the latest in internet-connected in-flight entertainment systems — has added a new cyber risk.
Matthieu Gualino, deputy director of the International Civil Aviation Organization Aviation Security Training Center, described the three current areas of cyber risk as flight control (the critical systems needed to fly the aircraft — high impact, low likelihood); the operational cabin (systems used to operate and maintain aircraft — medium impact, medium likelihood); and passengers (systems with direct passenger interaction — low impact, high likelihood).
The problem today is that aviation security is experienced in operational technology, security and safety; but less experienced in the rapidly evolving world of cyber security. To help counter this risk, Finland’s F-Secure has launched its new Aviation Cyber Security Services to help secure not just aircraft, but the entire aviation industry: aircraft, infrastructure, data, and — most importantly to F-Secure — reputation. Customers are unlikely to fly with companies they do not trust; and successful cyber-attacks rapidly eliminate customer trust and confidence; even, suggests F-Secure, a minor breach of something like an in-flight entertainment system.
“Off-the-shelf communication technologies are finding their way into aircraft, which makes security much more complicated than in the past,” said Hugo Teso, head of aviation cybersecurity services at F-Secure and a former pilot. “Because these off-the-shelf technologies weren’t necessarily created to meet the rigorous safety requirements of airlines, the aviation industry is making cyber security a top priority. But they need a partner that understands both cyber security and the details of airline operations, because it’s an industry where those details make a big difference.”
The new service integrates security assessments of avionics, ground systems and data links, vulnerability scanners, security monitoring, incident response services, and specialized cyber security training for staff.
The primary problem is not unknown to the security industry — the need to protect safety-critical systems from less significant but more exposed and vulnerable systems (such as those with an internet connection). “A key protection measure is separating systems into different ‘trust domains’,” explains F-Secure’s head of Hardware Security Andrea Barisani, “and then controlling how systems in different domains can interact with one another. This prevents security issues in one domain, like a Wi-Fi service accessible to passengers, from affecting safety-critical systems, like aircraft controls or air to ground datalinks.”
Data diodes are typically used for this type of system segmentation, because they provide unidirectional data flows where complete bidirectional isolation is not possible. “It is essential for any data diode to be implemented in a manner that allows no attack, parsing errors or ambiguities, failures to affect their correct operation,” Barisani told SecurityWeek. “Our team is routinely involved in testing data diode security to provide assurance on their operation, improve their design and fix any issues well before their certification.”
Diodes are part of the separation of the vulnerable passenger facilities from the critical flight operations. “In-flight entertainment and connectivity (IFE/IFC) are two of the most exposed systems in modern aircraft,” explained Teso. “Facing directly the passengers, those systems are a major cyber security concern to any operator as any incident would have important brand damage for them. Not to safety though. Due to the way aircraft are designed, built and upgraded any incident involving or originating in the cabin of the airplane will be isolated from the most critical, and safety related, systems.”
F-Secure is keen not to promote its new service with the ‘fear factor’. The aviation industry already does an excellent job at maintaining the safety of its flights. The new cyber risk is currently primarily against aviation’s brand reputation, and the threat of a cyber hijack taking over an aircraft in flight, is, suggests Teso, more likely in the movies than in reality.
But that doesn’t mean it can be dismissed or forever ignored, or even limited to civil aviation. The aviation industry, including both civil and military aircraft, shares a common core of technologies, although the threat model differs between the two. Nevertheless, commented Teso, “F-Secure aviation cyber security services is not limited to any specific part of the aviation industry. If it’s part of Aviation, our services have it covered.”
Related: Poland Eyes Cybersecurity in Skies