Cyber in Aviation and Automotive

Cyber in Aviation and Automotive

Growing up in the 80s, we used to think that by the year 2000 we’d be all moving around in flying cars. A Flying DeLorean preferably. Well, 20 years late and there’s still no sign of flying car becoming available anytime soon (which is one of the reasons I’ve enjoyed flying an ultralight glider so much).

Traffic in Israel can be rough, so I took to skies trying to fly over the congested roads

But the mobility sector that seems stagnant through the last decades of the 20th century has made significant advancements in the previous decade, which even the idea of consumer-ready autonomous vehicles sounds quite realistic. Another sector that has made vast improvements is the aviation sector, resulting in more planes taking to the skies, flying longer routes with fewer expenses and fewer accidents. The computing revolution impacted both the Automotive and Aviation industries. Airplanes and cars have been transformed from being purely mechanical to being computer-controlled. Your average sedan has more computation power than that of Apollo spaceship (and it flew to the moon and back, while all you do are round trips to school). Computers have penetrated the aviation industry to such an extent that nobody will even consider flying a commercial flight without a functioning flight computer. Even road vehicles are reliant on a computer for optimally operating their steering systems and engine functions.

But, these advancements also open these sectors to new cyber threats, and these threat, are novel compared to “traditional” cyber threats.

Why?

Why would anyone want to target an airplane or a moving vehicle, potentially killing or injuring its passengers? The motivations for cyber-attacks against these sectors can vary - beginning with acts of war or terror, to extortion and even plain pranks and proof of concept. The actual “why” is less critical in this case, especially since the cost is so unbearably steep. A different threat exists for the maritime sector, where cargo ships are vulnerable to hacking and manipulation, but unlike planes and vehicles, the main risk is for the cargo and the hull itself (needless to mention, there are already companies developing dedicated solutions for the maritime sector, such as Cydome and Naval Dome).                                  

Impact

In a nutshell, cyber threats in the IT domain are threats to digitized data - its integrity, its uses (like money or personal identification details). When we consider cyber threats to fast-moving, people-carrying machines, the impact is very different. A car that is failing to stop because a cyber-attack disabled its brakes will cost human lives. An airplane malfunctioning because of a cyber-attack- even more so. As a few proofs-of-concept hacks proved, cyber attacks have lethal potential. As such, manufacturers are moving as quickly as they can to provide security for their brands and regulators are beginning to view cyber as another, a critical safety mechanism that is required to ensure the well-being of land and air passengers.       

Challenges

Given the importance of cybersecurity means for vehicles and aircraft, their implementation seems straightforward. Borrow security mechanisms from IT security and install them at the vehicle level. But life on wheels isn’t so simple. To start with, both airplanes and cars rely on computers for their operations. The average car today can have between 25 and 50 central processing units (CPUs) controlling these functions and more, often networked but sometimes operating independently. Some vehicles utilize up to 100 million lines of computer code for their operation.

Vehicles and planes are mission-critical systems, they cannot tolerate any faulty detection, and prevention is tricky. A security incident in an IT environment is handled on “we have time” basis (in most of the cases). The security team is notified, the endpoint is quarantined, and the forensic team is dispatched to analyze the malware sample. False positives alerts are a nuisance and might cause some inconvenience (specifically for end-users); the impact on the organization is minor. Fast-moving machines require a different approach- deterministic identification of threats, mitigation without impacting critical systems and without alarming the driver for no need. Prevention must be more nuanced - You cannot “block” certain types of communications - it might be, for example, a much-needed vehicle software update.

Airplanes engines communicate regularly with the engine manufactures. This communication must not be blocked or interfered with, nor any communication on safety channels, such as Radio signals used to guide planes during landing.

There is also no one managing the security of the vehicle - the owners can’t be held responsible for installing security updates to their vehicles, and, to date, there aren’t any mobility SOCs (anyone for the challenge?). As more and more vehicles are becoming connected, and self-driving vehicles are around the corner, the significance of cybersecurity is on everyone’s mind. But the Automotive industry moves and a much slower pace than the IT industry - Changes to the production process (including the implementation of new security mechanisms) done today might impact vehicles taking to the roads in 5-8 years. For aviation- this time could be twice as long.

No alt text provided for this image

As a result of the unique characteristics of the aviation and automotive industries, traditional cyber companies steered clear, for now, of these sectors. This left a gap in the market that was quickly filled by companies developing dedicated solutions for these sectors, such as Upstream Security, Argus, C2A, Guardknox, Regulus, and Cymotive. Some of these vendors have partnered with or acquired by automotive companies (like Tower Sec that was acquired by Harman), and some are offering independent products and services.

No alt text provided for this image

Let’s hope that the cyber solutions to these threats will evolve at a much rapid pace than the industries they are protecting, and keep us all safe when driving or flying.

 Keep Safe!

Dotan


Barbara Filkins

Consultant at Syntax2Semantics LLC

5 年

Niv -- I beg to disagree and agree with you. There are some common threads here -- when you talk the mobility sector as opposed to automotive and aviation as separate sectors. I think the point to be taken is that we need to understand the threats between a pure IT environment and one that is operational in nature. There is -- in my humble opinion -- a culture shift between what is IT and what is OT. That said, I do agree with you about the automotive and the aviation sectors. On the surface, they may appear similar. Underneath they are very very different.

要查看或添加评论,请登录

Dotan Bar Noy的更多文章

  • For those of us who spend way too much time on Twitter

    For those of us who spend way too much time on Twitter

    For those of us who spend way too much time on Twitter, you may have noticed something strange pop up on your timeline…

    7 条评论
  • My take of the Verizon DBIR 2019 report

    My take of the Verizon DBIR 2019 report

    The Verizon Data Breach Investigations Report is the cybersecurity industry’s equivalent of Leo Tolstoy’s Novel “War…

    5 条评论
  • From Zero to One (keep calm and trust no one)

    From Zero to One (keep calm and trust no one)

    Following up from my previous post, it is clear that the traditional approaches for securing the enterprise networks…

    5 条评论
  • Data Security

    Data Security

    The current emphasis in the cybersecurity world is on countering hacking operations. So naturally, organizations invest…

  • IoT Security- it's complicated ...

    IoT Security- it's complicated ...

    IoT security is an extremely hot topic right now. I recently was asked by a friend (a VC partner) to talk with a very…

    8 条评论
  • “Say AI again, I dare you, I double dare you!”

    “Say AI again, I dare you, I double dare you!”

    Four in ten of Europe’s artificial intelligence start-ups demonstrate little evidence of actually using artificial…

    8 条评论
  • They offered me something I couldn’t refuse (and what I have learned in the process)

    They offered me something I couldn’t refuse (and what I have learned in the process)

    Not so long ago I told you about my latest startup – @forcenock (a Web Application Security Solution). We were doing…

    8 条评论
  • Hacking our Democratic voting process

    Hacking our Democratic voting process

    Wake up everybody, it’s 2019 and everything we’ve even known about democratic elections is wrong. Growing up in the…

    5 条评论
  • Stopping to Appreciate the View

    Stopping to Appreciate the View

    Something personal, general thoughts, and ForceNock updates. I have continued the “work hard, play hard” lifestyle for…

    8 条评论
  • A New beginning & a new venture

    A New beginning & a new venture

    Sorry in advance for the long post, but it has been a while. This time - something personal, general thoughts & the new…

    15 条评论

社区洞察

其他会员也浏览了