Cyber in Aviation and Automotive
Growing up in the 80s, we used to think that by the year 2000 we’d all be moving around in flying cars. A flying DeLorean, preferably. Well, 20 years later, there’s still no sign of flying cars becoming available anytime soon (which is one of the reasons I’ve enjoyed flying an ultralight glider so much).
But the mobility sector, which seemed stagnant through the last decades of the 20th century, has made significant advancements in the previous decade, to the point that even the idea of consumer-ready autonomous vehicles sounds quite realistic. Another sector that has made vast improvements is the aviation sector, resulting in more planes taking to the skies, flying longer routes with fewer expenses and fewer accidents. The computing revolution impacted both the automotive and aviation industries. Airplanes and cars have been transformed from being purely mechanical to being computer-controlled. Your average sedan has more computing power than the Apollo spaceship (and it flew to the moon and back, while all you do are round trips to school). Computers have penetrated the aviation industry to such an extent that nobody will even consider flying a commercial flight without a functioning flight computer. Even road vehicles are reliant on a computer for optimally operating their steering systems and engine functions.
But these advancements also open these sectors to new cyber threats, and these threats are novel compared to “traditional” cyber threats.
Why?
Why would anyone want to target an airplane or a moving vehicle, potentially killing or injuring its passengers? The motivations for cyber-attacks against these sectors can vary, ranging from acts of war or terror to extortion and even plain pranks and proofs of concept. The actual “why” is less critical in this case, especially since the cost is so unbearably steep. A different threat exists for the maritime sector, where cargo ships are vulnerable to hacking and manipulation, but unlike planes and vehicles, the main risk is to the cargo and the hull itself (needless to say, there are already companies developing dedicated solutions for the maritime sector, such as Cydome and Naval Dome).
Impact
In a nutshell, cyber threats in the IT domain are threats to digitized data - its integrity, its uses (like money or personal identification details). When we consider cyber threats to fast-moving, people-carrying machines, the impact is very different. A car that fails to stop because a cyber-attack disabled its brakes will cost human lives. An airplane malfunctioning because of a cyber-attack - even more so. As a few proof-of-concept hacks have shown, cyber-attacks have lethal potential. As such, manufacturers are moving as quickly as they can to provide security for their brands, and regulators are beginning to view cyber as another critical safety mechanism that is required to ensure the well-being of land and air passengers.
Challenges
Given the importance of cybersecurity measures for vehicles and aircraft, their implementation seems straightforward: borrow security mechanisms from IT security and install them at the vehicle level. But life on wheels isn’t so simple. To start with, both airplanes and cars rely on computers for their operations. The average car today can have between 25 and 50 central processing units (CPUs) controlling these functions and more, often networked but sometimes operating independently. Some vehicles utilize up to 100 million lines of computer code for their operation.
Vehicles and planes are mission-critical systems: they cannot tolerate any faulty detection, and prevention is tricky. A security incident in an IT environment is handled on a “we have time” basis (in most cases). The security team is notified, the endpoint is quarantined, and the forensic team is dispatched to analyze the malware sample. False-positive alerts are a nuisance and might cause some inconvenience (specifically for end-users); the impact on the organization is minor. Fast-moving machines require a different approach - deterministic identification of threats, and mitigation that neither impacts critical systems nor needlessly alarms the driver. Prevention must be more nuanced - you cannot “block” certain types of communications - it might be, for example, a much-needed vehicle software update.
Airplane engines communicate regularly with the engine manufacturers. This communication must not be blocked or interfered with, nor may any communication on safety channels, such as the radio signals used to guide planes during landing.
There is also no one managing the security of the vehicle - the owners can’t be held responsible for installing security updates to their vehicles, and, to date, there aren’t any mobility SOCs (anyone for the challenge?). As more and more vehicles are becoming connected, and self-driving vehicles are around the corner, the significance of cybersecurity is on everyone’s mind. But the automotive industry moves at a much slower pace than the IT industry - changes to the production process (including the implementation of new security mechanisms) made today might impact vehicles taking to the roads in 5-8 years. For aviation, this time could be twice as long.
As a result of the unique characteristics of the aviation and automotive industries, traditional cyber companies have, for now, steered clear of these sectors. This left a gap in the market that was quickly filled by companies developing dedicated solutions for these sectors, such as Upstream Security, Argus, C2A, Guardknox, Regulus, and Cymotive. Some of these vendors have partnered with or been acquired by automotive companies (like Tower Sec, which was acquired by Harman), and some are offering independent products and services.
Let’s hope that the cyber solutions to these threats will evolve at a much more rapid pace than the industries they are protecting, and keep us all safe when driving or flying.
Keep Safe!
Dotan
Consultant at Syntax2Semantics LLC
5 years
Niv -- I beg to disagree and agree with you. There are some common threads here -- when you talk about the mobility sector as opposed to automotive and aviation as separate sectors. I think the point to be taken is that we need to understand the threats between a pure IT environment and one that is operational in nature. There is -- in my humble opinion -- a culture shift between what is IT and what is OT. That said, I do agree with you about the automotive and the aviation sectors. On the surface, they may appear similar. Underneath they are very very different.