Cyber Threats to Civil Aviation
Introduction
Civil aviation relies heavily on information technology. Additionally, cyber and information security management (ISM) has developed into a specialist area that requires a coordinated approach from various disciplines within the civil aviation sector, including ISM subject matter experts, aircraft systems specialists, civil aviation IT systems providers and aviation security managers. Moreover, recent changes to the IATA IOSA Standards & Recommended Practices (ISARPs) introduce challenges for airlines that require a closely coordinated approach.
Aim
This paper aims to review the threat posed by cyber-attacks to civil aviation from a non-technical perspective.
The Threat
The exam question is ‘can you hack an airliner?’ In a recent closed source ICAO document, cyber-attacks were assessed as presenting an overall residual risk rating of LOW.[1] An internet open-source document provides a summary of the recent top 5 cyber-attacks affecting the aviation industry, in order of severity, as follows:[2]
· Cathay Pacific Airways - March 2018 - Passenger Data Breach
· EasyJet - Jan 2020 - Passenger Data Breach
· SITA - March 2021 - Passenger Data Breach
· British Airways - Aug/Sep 2018 - Passenger Data Breach
· Air Canada - Aug 2018 - Passenger Data Breach
A 2014 article from the InfoSec Institute discusses at length the possibility of an individual hacking into onboard aircraft systems. The article reports that a security consultant had demonstrated via ‘a proof of concept’ smartphone application that it was possible to:
‘... use this system to modify approximately everything related to the navigation of the plane,’ [3]
The US FAA responded as follows:
"The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer. The FAA has determined that the hacking technique described during a recent computer security conference does not pose a flight safety concern because it does not work on certified flight hardware,"[4]
Based on the above opposing statements, at first sight it seems difficult to quantify a credible and realistic threat scenario of either an individual or a group hacking into an onboard aircraft information system from inside the aircraft while in flight. However, the InfoSec article concludes that newer aircraft are more dependent on IT systems, potentially increasing their vulnerability to hacking attempts.
The Vulnerabilities
An eForensics online magazine from September 2014 provides some insights into the vulnerabilities present in onboard Flight Management Systems (FMS). Although written around the MH370 incident, and containing some technical FMS coding information, the article provides a valuable summary of the vulnerabilities. Essentially, to hack the FMS the following vulnerabilities need to be exploited:
‘to take the plane off course we need to have overwritten the database used by the field loadable software in the flight management system (FMS) with new waypoints that the crew can’t override’[5]
The article identifies the possible steps a hacker would need to take to access the software used to control the flight management computer by either:
· Physical access to the system, i.e. via a maintenance employee
· Remote access to an aircraft manufacturer server in which something can be inserted into the data to cause the aircraft to deviate from the planned route.
These steps, although possible, would also need the pilots to be incapacitated to prevent them from manually overriding the aircraft system. From an aviation security perspective, this scenario requires a willing maintenance employee to act as the insider, technical knowledge of the FMS coding, a method of incapacitating two pilots, and the intent (extremist or criminal) to carry out the act. As the eForensics article states, ‘why not just have the maintenance employee plant a bomb’.
The Risk
The threat history highlighted above would suggest that cyber-attacks targeting civil aviation are more likely to be undertaken by criminals seeking financial gain, rather than Violent Non-State Actor (VNSA) groups with an extremist ideology. Current aviation security thinking points to extremists identifying vulnerabilities within the physical security measures (e.g. those exploited in the 2001 shoe bomb attack, the 2006 liquid explosive plot, the 2010 printer cartridge bombs, the 2016 laptop bomb, and the 2017 meat grinder bomb). Green hacktivists would be more likely to focus on disrupting airport and airline operations, highlighting climate change issues, rather than deliberately crashing an aircraft. Finally, there is the sheer weight of aircraft numbers. An online analysis of passenger aircraft numbers estimates that
the world's aircraft fleet is expected to increase from 25,900 to 49,405 aircraft between 2019 and 2039.[6]
While these numbers present an increasing target set, determining which specific aircraft to target, both where and when, to achieve a stated objective from a known extremist group such as Islamic State, could well be beyond an extremist group’s current capabilities.
Risk Management
ICAO has recognized the risk and has produced a number of resources to provide states with guidance on how they should respond to the risk of cyber-attacks.[7] The challenges with a regulatory approach are:
· Threats develop faster than regulations; the 2010 Printer Cartridge bomb threat is a case in point.
· States do not always meet the published guideline timetables due to a variety of challenges.
Using current cyber and information security management tools and procedures for civil aviation is equally challenging, particularly as their risk assessment and risk management methodologies are primarily concerned with safety and security issues.
Conclusion
Civil aviation security practitioners need to place the threat from cyber-attacks into context with that of the global threat from terrorism. The ICAO Risk document referenced earlier lists the residual risks from a person-delivered IED and landside attack as higher than those of a cyber-attack. Additionally, the Global Terrorism Index identifies that:[8]
1. In 2021, deaths from terrorism fell by 1.2% to 7,142, while attacks rose by 17%, highlighting that terrorism is becoming less lethal.
2. Sub-Saharan Africa accounted for 48% of global terrorism deaths.
3. Following military defeats in Syria and Iraq, IS shifted its attention to the Sahel.
4. In the West, politically motivated attacks overtook religious attacks.
5. Islamic State (IS) replaces the Taliban as the world’s deadliest terror group in 2021.
6. The Ukraine conflict is likely to drive a rise in traditional and cyber terrorism.
Cyber-attacks are one aspect of the overall threat to civil aviation. Both ICAO and IATA have addressed this from regulatory and business perspectives. ICAO’s responsibilities are to provide legislative guidance for member states. IATA is driving the airline sector’s return to pre-COVID passenger numbers. While civil aviation security is constantly reminded to ‘expect the unexpected’, the question remains as to whether the world will wake up to a 9/11 scale event caused by hacking into an aircraft’s computer system. Based on ICAO’s risk rating for cyber-attacks, the current criminal focus of hacking attacks against airlines and the recent trends in the global threat from terrorism, the answer would seem to be that such a scenario is possible but unlikely in the short to medium term.
Allan Thornton, MSyI, ICAO AvSec PM
August 2022
NB: The views expressed in this paper are those of the author and are not intended to form the basis for a formal threat assessment. By accessing this paper, the reader accepts that the author shall be ‘Held Harmless’ for any and all decisions and actions taken by an organization when implementing cyber and information security measures.
[1] ICAO Updated Overview of Threats and Risks To Civil Aviation dated September 2020, (R).
“Making a difference in both mature and challenging environments. Seeking out those further challenges”
2 years ago: Very informative Allan, as ever.
AvSec training advisor
2 years ago: Great paper Allan
AVSEC Duty Manager at Freetown International Airport, Sierra Leone
2 years ago: Great insight Mr. Allan.
International Business Lead Consultant | Managing Director | Strategic Planning | Business Continuity | US & Foreign Government Liaison | International Regulations | Government Contracts | Business Modernization
2 years ago: Allan, great article with great insights