Aviation Cyber Security: A New Security Landscape

ABSTRACT

With the increasing adoption of digital technology across the aviation sector, cyber security is fast becoming a new landscape for aviation security. The aviation security community needs to adapt to this new landscape in order to formulate effective responses to the security challenges inherent to the vast network formed by complicated linkages between aviation technologies. Prominent cyber security challenges in air traffic management (ATM) technologies, airport networks, and e-enabled aircraft have arisen, and the aviation sector should embark on technical, regulatory and cooperative approaches in order to boost the cyber resilience of the aviation sector.

THE AUTHORS

Mr Martin Siu is Manager for the Aviation Security and Emergency Preparedness Division in the Civil Aviation Authority of Singapore (CAAS). His key responsibilities involve the development and implementation of the aviation security oversight framework for the protection of Singapore's air navigation services, including the establishment of security provisions in the areas of physical security, cyber security, security response and security assurance. Mr Siu is also responsible for the conduct of aviation security oversight activities on the air navigation service provider to ensure its compliance with national civil aviation security requirements.

Mr Daniel Goh is Manager for Information Communication Technology Strategy, Governance and Security in CAAS. He is responsible for the cyber security programme for aviation Critical Information Infrastructures. His task involves establishing cyber security oversight for the protection of critical cyber assets, cyber security monitoring and cyber security incident management. Mr Goh began his cyber security career with the Singapore Infocomm Technology Security Authority before joining CAAS in 2013. He maintains security certifications including (ISC)² Certified Information Systems Security Professional and GIAC Security Essentials Certification.

Ms Cheri Lim is Head (Aviation Security and Facilitation) of the Aviation Security and Emergency Preparedness Division in CAAS. Her key responsibilities include reviewing aviation security and air transport facilitation policies and working with stakeholders to facilitate implementation in accordance with international standards. She is also the secretariat to both the National Air Transport Facilitation Committee and the National Civil Aviation Security Committee. Ms Lim is an ICAO Certified Instructor and Universal Security Audit Programme Auditor. She is also an instructor for the ICAO Aviation Security Professional Management Course.

Martin Siu, Daniel Goh and Ms Cheri Lim
Civil Aviation Authority of Singapore

INTRODUCTION

Over the past decade, the aviation sector has rapidly leveraged the advancement of digital technology to enhance the execution of key aviation processes such as airport baggage handling systems, flight information display systems and air traffic management information and communication technologies. Adoption of passenger self-service initiatives, upgrades to ATM technologies and wireless in-flight entertainment systems are but a few examples which exemplify how the aviation sector has become increasingly propelled into cyberspace. While there are exponential benefits to be reaped, this development has also spawned threats and black swans to information and communication systems.

Past incidents involving aviation information and communication technology systems underscore the potential damage that digital technology poses to the aviation sector. In 1997, the security risk posed by increasingly networked airports was exploited when a teenager accessed the Supervisory Control and Data Acquisition (SCADA) systems at Worcester Regional Airport, Massachusetts, US and disrupted the telecommunication service to the Federal Aviation Administration (FAA) tower at Worcester airport, Worcester Airport Fire Department, weather service and air freight organisations (Stern, 1998). The vulnerability of ATM to threats against communication systems was highlighted in 2009, when a truck driver carrying a Global Positioning System (GPS) jammer managed (without intent) to cause outages to Newark Liberty International Airport's GPS ground-based augmentation systems (Strunsky, 2013). Another incident highlighting how unsupervised software engineering may compromise cyber security was reported in an International Civil Aviation Organization (ICAO) working paper by the International Coordinating Council of Aerospace Industries Associations (ICAO, 2012).
In June 2011, the check-in operations of a newly opened airport terminal were disrupted, and three software engineers working on the system were suspected of sabotaging the programme code. As such, it is incumbent on the aviation community to adapt to this new security landscape.

This paper will discuss the issues involved in the area of aviation cyber security. The definition of cyber security in this paper is drawn from ICAO Doc 9985 (ICAO, 2014) which refers to all matters pertaining to the security of information and communication systems, technology or applications of all kinds. This includes analogue or digital devices, and encompasses radio, telecommunications, computer and network hardware and software, data storage systems and devices, satellite systems, surveillance systems, navigation systems, as well as the various services and applications associated with them. It argues that, because managing cyber security in aviation is largely different from that of a regional approach to aviation security, new strategies are needed to respond to this new security landscape. Prominent challenges have arisen due to the vulnerabilities of ATM technologies, airport systems and networks, as well as e-enabled aircraft to cyber-attacks. To respond adequately, the aviation sector needs to adopt technical, regulatory and cooperative approaches in order to work toward and achieve cyber resilience.

Journal of Aviation Management 2014 73

THE WEAKNESS OF REGIONAL APPROACHES TO SECURITY

While overcoming current cyber security concerns requires technical expertise, the aviation security community should address this new security landscape holistically and aim for cyber resilience, rather than merely plugging gaps in the current cyber security architecture deployed in the aviation systems. This necessitates the adoption of concepts which differ from those that govern aviation security in the physical world today.

Traditionally, aviation security is largely based on differentiating physical spaces into a number of security regions. The notion of a regional approach to security is drawn from Actor-network Theory (ANT) in the discipline of geography. Based on ANT, space can be treated as being configured by various entities into three possibilities: region, network, or fluid. Regional space most conforms to classical geography and the common-sense way by which we speak of space; but with the appearance of new modes of action, other notions of what space is and how it functions would arise. For an elaboration on ANT see (Law, 2002). Each region is separated by a perimeter, and can only be entered through controlled access points with various processes (e.g. security screening, recording of particulars, verification of identity or credentials, etc.)
before one can be cleared to enter the particular security region. Regional approaches to security are highly dependent on the integrity of perimeters which differentiate one region from another, and the effectiveness of access control points in conforming entities attempting entrance to security requirements, both of which hinge on the solidity of the security region.

Even in the physical world, the solidity of a security region is not guaranteed. Perimeters between regions can be breached due to the lack of maintenance, and the spatial solidity of regions can be undone by events such as the addition of a new wing to the airport, the reconfiguration of security screening arrangements (e.g. from decentralised to centralised screening, or vice versa), or the blurring of boundaries between security regions due to poor application of security controls. During such events, entities which do not conform to the security requirements of the region may be introduced, or access control points can be by-passed. In such situations, security agencies may be forced to revise their requirements so as to accommodate the new spatial reality temporarily or permanently, or step up measures to reinforce pre-existing boundaries. Access control points can also fail to perform their functions due to factors such as equipment
failure, poor organisation and oversight, or human lethargy. Moreover, the security screening regime itself may not be able to weed out dangers which were previously undetected such as insider threats, thereby necessitating the deployment of technologies such as CCTV cameras to track the movement of entities within and between the security regions.

A NEW SECURITY LANDSCAPE

This erosion of perimeters is an even greater problem in the realm of cyber security. To begin with, what is commonly called cyberspace is less of a space divided into regions than a network of various systems connected at different nodes. This makes a regional approach to security, which divides the network into various sectors and places security controls at the nodes, increasingly untenable. The rapid addition of information and communication technologies to current ATM systems, and developments such as cloud computing and the internet-of-things (IOT) concept, will exponentially add to the number of nodes via which data and systems can be accessed. In addition, these connections are often created by different parties within the same organisation, with no whole-of-organisation level oversight from a security perspective. This creates difficulties for mapping out the ever-expanding network of systems into different regions and creating solid perimeters between them, allowing external parties to access critical systems and information through unsecured nodes.

Challenges also abound with regard to the application of security controls on entities attempting to access aviation systems and information. Information on aircraft movement communicated by way of Very High Frequency (VHF) radio or Automatic Dependent Surveillance-broadcast (ADS-B) can be accessed with radio receivers and mobile device applications (e.g. the mobile phone application, Flightradar24) without undergoing security controls which would verify the identity of persons acquiring that information.
Another example is the use of commercial off-the-shelf software (COTS); such software is often deployed without proper knowledge of its source and application code, and it is difficult to verify its security features. Without knowledge of possible incompatibilities and security risks, operators may unintentionally integrate unsecured software into their networks, thereby linking an entity with cyber security risks to their critical systems and data.

The permeability of security perimeters and difficulty in applying security controls to entities accessing the network of aviation technologies demonstrate that a regional approach to security is inadequate in the cyber security landscape. Cyberspace, unlike physical space, is a network of systems and at the same time much more fluid in constitution (Pieters, 2011). Aviation cyber security cannot rely solely on the concept of securing regions from unlawful access and interference, and should consider practices and models which are more suited for the security of networks instead of individual systems [1]. Regional thinking about cyber security is still relevant, as seen in methods of securing systems such as infrastructural isolation, application of firewalls, and de-militarised zones; but the cyber security threat only serves to remind the aviation community of the need to think out of the proverbial box in order to formulate effective responses to the security challenges inherent to the vast network formed by complicated linkages between aviation technologies.

[1] A possible area for future research in relation to cyber security is the discipline of epidemiology, which studies the causes and effects of health events and characteristics in their distributions and patterns in various populations. For the relevance of public health policy to cyber security, see (Rowe et al., 2012).

CYBER SECURITY CHALLENGES IN ATM

As the array of information and communication technologies deployed across the aviation sector grows, protecting systems and information from unauthorised access, preventing tampering, and detecting attacks becomes increasingly urgent. Prominent challenges in the areas of ATM, airport networks and e-enabled aircraft have arisen, requiring aviation security regulators to take action to ensure the safety and security of passengers and customers of aviation services worldwide.

In the area of ATM systems, security challenges lie in two areas. Firstly, current systems may not be fitted with the necessary information and communication security measures. A key example is the use of radio frequency in today's ATM environment. Radio is commonly used for functions such as communication between air traffic control and aircraft, navigation, and surveillance. This makes the ATM networks highly vulnerable to unauthorised transmissions through the use of VHF transceivers. While it is possible to encrypt radio transmissions, this would limit the number of available channels for communications between air traffic control and aircraft. Systems reliant on radio are also vulnerable to radio jamming, as demonstrated in October 2013 when a portable transceiver was used to jam the Unicom frequency at Central Maine Airport (Mark, 2013).

Secondly, new technologies that have been incorporated into the current ATM networks may create unsecured access points through which critical information and systems can be compromised in novel ways.
ADS-B technology is being increasingly adopted in ATM systems today due to its ability to provide wider coverage and improve air traffic control's situational awareness, thereby increasing air traffic capacity. However, as ADS-B ground stations rely on the 1090 MHz spectrum for the receiving of ADS-B messages from aircraft, communications between ground station and aircraft can be jammed by generating interfering signals on the 1090 MHz spectrum in the vicinity of the ground station (Purton et al., 2014). In addition, as ADS-B currently does not require authentication at the data link layer, false transmission is possible, or messages broadcast from legitimate sources can be modified by overshadowing them with a high-powered signal (Strohmeier et al., 2014). Both technical and legal approaches should be considered to ensure that the identity of the message transmitter can be authenticated, and their messages to selected recipients can be limited.

In the future, as more Communication, Navigation, and Surveillance (CNS) and ATM systems become reliant on digital technology and are incorporated into the system wide information management platforms, other vulnerabilities related to increased connectivity may also surface.
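
The absence of data-link authentication in ADS-B is visible in the frame layout itself. The following is an added example, not part of the original paper, of what a ground receiver can check on a 112-bit extended squitter: the parity is a CRC over a public polynomial, and the aircraft address and callsign are self-declared. The sample frame is a publicly documented test frame rather than data from the paper, and the function names are illustrative.

```python
"""Receiver-side view of a 1090 MHz ADS-B frame (added illustration).

A 112-bit extended squitter is laid out as
  DF (5 bits) | CA (3) | ICAO address (24) | ME payload (56) | parity (24)
No field carries a signature or keyed MAC. The parity is a CRC computed with
a public polynomial: it detects transmission errors, not who sent the frame.
"""

GENERATOR = 0x1FFF409  # Mode S CRC-24 generator, 25 bits including leading 1

# 6-bit character set used by identification messages ('_' is a space).
CALLSIGN_CHARS = (
    "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"
)

# Assumption: a publicly documented test frame, used here only as sample input.
SAMPLE_FRAME = "8D406B902015A678D4D220AA4BDA"


def crc_remainder(frame_hex):
    """Divide the whole frame by the generator; 0 means the parity matches."""
    nbits = len(frame_hex) * 4
    value = int(frame_hex, 16)
    for shift in range(nbits - 25, -1, -1):
        if (value >> (shift + 24)) & 1:
            value ^= GENERATOR << shift
    return value & 0xFFFFFF


def flip_bit(frame_hex, bit_index):
    """Return the frame with one bit inverted (simulates channel noise)."""
    value = int(frame_hex, 16) ^ (1 << bit_index)
    return format(value, "0{}X".format(len(frame_hex)))


def inspect_frame(frame_hex):
    """Report everything a receiver can establish from the frame alone."""
    if len(frame_hex) != 28:
        raise ValueError("expected a 112-bit (28 hex digit) extended squitter")
    value = int(frame_hex, 16)
    downlink_format = value >> 107            # top 5 bits
    me = (value >> 24) & ((1 << 56) - 1)      # 56-bit message payload
    type_code = me >> 51                      # top 5 bits of the payload
    report = {
        "downlink_format": downlink_format,
        "icao_address": frame_hex[2:8].upper(),   # self-declared by the sender
        "type_code": type_code,
        "callsign": None,
        "parity_ok": crc_remainder(frame_hex) == 0,
        # Nothing in the 112 bits can establish this, so it is always False.
        "sender_authenticated": False,
    }
    # Type codes 1 to 4 are aircraft identification: eight 6-bit characters.
    if downlink_format == 17 and 1 <= type_code <= 4:
        chars = [CALLSIGN_CHARS[(me >> (42 - 6 * i)) & 0x3F] for i in range(8)]
        report["callsign"] = "".join(chars).replace("_", " ").strip()
    return report


if __name__ == "__main__":
    print(inspect_frame(SAMPLE_FRAME))
    # One corrupted bit is caught by the CRC, which is all the parity is for.
    print(inspect_frame(flip_bit(SAMPLE_FRAME, 40)))
```

A frame that passes the parity check is well-formed, nothing more; any assurance about the transmitter has to come from outside the frame, for example by cross-checking against independent surveillance sources.
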

VULNERABILITY OF SCADA-DEPENDENT SYSTEMS

The interconnectedness of heterogeneous digital assets and systems in airports also poses a cyber security challenge. SCADA applications are widely deployed in airports due to their flexibility and ability to provide for monitoring, control and data acquisition functions across a wide range of systems. Baggage and freight handling, apron and runway lighting, energy supply, and ATM are just some examples of systems which depend on SCADA for their proper function. However, as SCADA applications are largely designed to be open and easily operable rather than secure, hackers need not be highly skilled to conduct attacks on these applications. As the systems which rely on SCADA are often critical for the smooth and continued function of an airport, the vulnerabilities to which SCADA is prone can be worrying from a cyber security perspective. Aside from the aforementioned attack on Worcester Airport in 1997, infrastructure dependent on SCADA, especially in the energy sector, has also suffered coordinated cyber-attacks. As such, an airport cyber security programme must include measures to guard SCADA systems from being exploited to paralyse key airport operations.

RISKS TO E-ENABLED AIRCRAFT

Lastly, the creation of new e-enabled aircraft such as the Airbus 380 (A380) and A350, the Boeing 787 and upcoming 777X has also introduced cyber vulnerabilities to air travel. Aircraft systems are now increasingly linked to the systems of airports, airlines, and the operation centres of original equipment manufacturers through networks such as Health and Usage Monitoring Systems and class 3 Electronic Flight Bags, as important information for safety monitoring and flight operations is transmitted through these networks.
Airlines need to step up efforts to ensure that their systems are not compromised unnecessarily by poor cyber hygiene habits which could introduce malware or other more malicious agents to these systems, causing them to malfunction. On board, the deployment of Avionics Full-Duplex Switched Ethernet protocols linking the flight deck to aircraft systems and the introduction of wireless passenger services also create potential cyber vulnerabilities which may not be immediately apparent and covered by regulations [2]. As the IOT concept becomes increasingly applied to aircraft design and maintenance or repair functions (as seen in General Electric's development of GEnx Engine) (Lampitt, 2013), more on-board connections between systems will be forged. Scrutiny of these connections needs to be increased from both airworthiness and security perspectives in order to prevent the creation of further vulnerabilities.

[2] For a case which concerns Boeing's 777X aircraft, see https://www.federalregister.gov/articles/2013/11/18/2013-27343/specialconditions-boeing-model-777-200--300-and--300er-series-airplanes-aircraft-electronic-system (Accessed 26 May 2014).

ADOPTING CURRENT STANDARDS AND BEST PRACTICES

In view of the abovementioned cyber threats, the aviation community needs to adopt a holistic approach to reduce the risks inherent in this new security landscape. Securing the nebulous and fluid network of technologies will require the widespread adoption of appropriate standards and best practices by all stakeholders, a regulatory approach which focuses on attaining cyber resilience, and cooperation between government and industry.

Currently, cyber security standards and best practices are already available. The ISO/IEC 27002:2013 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), provides best practices for information security which stakeholders in the aviation sector should readily adopt (ISO/IEC, 2013). The ISO/IEC (2014) standard, which concerns supply chain security and is currently under development, should also be taken into account as organisations rapidly expand their information and communication technology networks by outsourcing projects to IT solution providers. Practices such as the identification of critical systems and information, penetration testing and the development of organisation-wide cyber security culture should be widely adopted and considered baseline standards in the aviation sector.

Appropriate authorities for aviation security, airport and aircraft operators can also refer to the guidance material provided by the ICAO on mitigating cyber threats. Chapter 18 of Document 8973 (ICAO, 2011) elaborates on basic measures which organisations should take to mitigate cyber threats to critical aviation information and communication technology systems. Contracting States and air navigation service providers (ANSPs) should also take note of the need to comply with Standard 3.5 of Annex 17 (ICAO, 2013a), which states that "Each Contracting State shall require air traffic service providers operating in that State to establish and implement appropriate security provisions to meet the requirements of the national civil aviation security programme of that State."
The ICAO's Document 9985 (ICAO, 2013b) provides guidance on the development of adequate requirements and measures for the protection of air navigation services from both physical and cyber-attacks.

ESTABLISHING REGULATORY FRAMEWORKS

Governments can play a key role in providing a robust cyber security regulatory framework for the aviation sector by identifying critical systems and infrastructure in both private and public entities. This is crucial, as aviation systems and infrastructures are often connected, and securing such vast networks requires coordination between the multiple agencies and private organisations which own these systems. The principle of risk management needs to be applied to differentiate between crucial and non-crucial systems, allowing regulators to guide regulated entities in identifying the most critical systems to secure. Subsequently, threat analysis should be conducted to determine how current aviation information and technology networks may be exploited to threaten critical systems and infrastructure, as well as what impacts the exploitation of non-crucial systems may pose to aviation information and communication technology systems as a whole.

Secondly, governments can establish appropriate legislation to tackle threats which impact the aviation sector as a whole. In particular, state agencies should seek to control or license the sale or purchase of equipment which may pose a threat to communications systems such as GNSS jammers, radio transceivers, ADS-B receivers and transmitters. This would reduce the circulation of equipment which may be used to exploit current vulnerabilities in CNS/ATM equipment. Legislation may also be required to address the protection of personal data. Organisations handling passenger information should abide by appropriate data protection standards to protect the privacy of their customers. Doing so would ensure that the suite of personalised digital services increasingly being offered by the aviation industry is safe and secure for customer use.

Thirdly, the aviation cyber security regulatory framework should include a robust and legally empowered oversight programme to promote cyber resilience, whereby regulated entities are ready to respond to threats which can or cannot be predicted. This is important, as current technical cyber security measures are largely designed to repel only known attacks, while cyber threat vectors are in reality much more numerous and unpredictable than in the physical world due to the nature of its digital networks. To achieve this, the oversight programme should audit for and encourage regulated entities to put in place policies mandating the necessary technical measures to protect, prevent, and detect cyber security incidents. Documentation of these policies and measures should be made available throughout the organisation, regularly reviewed to ensure that they are updated to protect against the latest threats, and cover newly installed systems and technology.
The regulated entity should establish proper cyber incident management processes, including the provision of redundancies and cyber forensics analysis, which are tested regularly for their effectiveness in responding to cyber crises. Training of staff should be made mandatory to promote an effective cyber security culture, and internal quality control activities should be conducted to assess the efficacy of the abovementioned efforts. In particular, manufacturers of aviation technology software and hardware should be required, as in the case of the FAA's application of special actions to Boeing's 777 aircraft, to put in place necessary measures to ensure that no further serious vulnerabilities are introduced to existing networks.

In the area of ATM cyber security, Eurocontrol has released a comprehensive Manual for National Air Traffic Management Security Oversight (Eurocontrol, 2012); aviation security regulators may find it useful in their own establishment and implementation of oversight programmes. ANSPs may wish to consult the Cyber Security and Risk Assessment Guide produced by the Civil Air Navigation Services Organisation (CANSO), which provides guidance as to how ANSPs may take a first step toward understanding the risks which their assets face, so as to better evaluate the readiness of their organisations for responding to cyber threats, as well as which security controls they may wish to give priority of implementation to (CANSO, 2014).

WORKING TOGETHER TO ENHANCE CYBER SECURITY

Even though regulation is necessary, aviation cyber security should be viewed as a collaborative effort between national agencies, private entities and international organisations, instead of merely as a top down regulatory exercise. As discussed in the first section of this paper, while the regional approach to aviation security focused on the hardening of and differentiation between security regions, aviation cyber security would require new strategies which emphasise communication and collaboration between stakeholders.

Similar to approaches taken in public health management, aviation cyber security regulators, the aviation industry, and international aviation organisations such as ICAO and IATA can work together to determine the responsibilities of various stakeholders. Platforms for the sharing of information on cyber security vulnerabilities and joint development of standards and measures which protect the aviation information and communication technology network from known threats should be created to best leverage the strengths, capabilities, and experiences of the various stakeholders. A notable example is The Boeing Company's cooperation with the US National Institute of Standards and Technology's request for information on improving critical infrastructure framework, which yielded extensive information on current risk management practices, best practices and standards, as well as industry specific practices relevant to the aviation sector. Both public and private entities in the aviation sector should also take note of cyber security developments in other industrial sectors to assess whether the aviation sector is also subject to similar vulnerabilities.

In addition, aviation cyber security regulators and major aviation industry players can cooperate to promote good cyber security practices to the wider aviation community.
These include encryption of transferred personal data and security assurance for COTS, as well as discouraging practices which introduce cyber risks to aviation software, hardware and systems.

CONCLUSION

The novelty of cyber security challenges to the aviation sector may seem perplexing and daunting, especially to those who do not possess an information security or ATM background. However, cyber resilience is not achieved merely with technical expertise, but through a combination of regulatory and cooperative approaches. In these two areas, aviation security has made much progress in the past decade. In facing up to the new cyber security threats, the aviation security community may need to acquire a new body of technical knowledge. More importantly, it must acquire the ability to grasp the contours of the very different security landscape which information and communication systems and technologies have brought about, and formulate effective approaches to achieve cyber resilience.

References

CANSO. (2014). CANSO Cyber Security and Risk Assessment Guide. The Netherlands. Civil Air Navigation Services Organisation.

EUROCONTROL. (2012). Manual for National Air Traffic Management Security Oversight (1st Edn). Brussels. European Organisation for the Safety of Air Navigation.

ICAO. (2011). Document 8973 (Restricted) Aviation Security Manual (8th Edn). Montreal. International Civil Aviation Organization.

ICAO. (2012). Working Paper: AN-Conf/12-WP/122 Cyber Security for Civil Aviation, Montreal. International Civil Aviation Organization.

ICAO. (2013a). Annex 17 to the Convention on International Civil Aviation Security (9th Edn). Montreal. International Civil Aviation Organization.

ICAO. (2013b). Document 9985 Air Traffic Management Security Manual (1st Edn). Montreal. International Civil Aviation Organization.

ISO/IEC. (2013). ISO/IEC 27002. Switzerland. The International Organization for Standardization and the International Electrotechnical Commission.

ISO/IEC. (2014). ISO/IEC 27036. Switzerland. The International Organization for Standardization and the International Electrotechnical Commission.

Lampitt, A. (2013). General Electric lays out big plans for big data. InfoWorld. http://www.infoworld.com/d/big-data/general-electric-lays-out-big-plans-big-data-209994 (Accessed 5 June 2014).

Law, J. (2002). Objects and Spaces, Theory, Culture and Society, 19, pp. 91-105.

Mark, R.P. (2013). Radio Jamming at Maine Airport Continues. http://www.ainonline.com/aviation-news/ainsafety/2013-09-02/radio-jamming-maine-airport-continues (Accessed 5 June 2014).

Pieters, W. (2011). Representing Humans in System Security Models: An Actor-Network Approach, Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 2, (1), pp. 75-92.

Purton, L., Abbass, H., Alam, S. (2010). Identification of ADS-B System Vulnerabilities and Threats. Australasian Transport Research Forum Proceedings 2010, pg 8, www.atrf.info/papers/2010/2010_purton_abbass_alam.pdf (Accessed 14 October 2014).

Rowe, B., Halpern, M. and Lentz, T. (2012). Is a Public Health Framework the Cure for Cyber Security? CrossTalk: The Journal for Software Defense Engineering, 25, (6), pp. 30-38.

Stern, D. (1998). Teen hacker faces federal charges. http://edition.cnn.com/tech/computing/9803/18/juvenile.hacker/ (Accessed 5 June 2014).

Strohmeier, M., Lenders, V. and Martinovic, I. (2014). On the Security of the Automatic Dependent Surveillance-Broadcast Protocol, arXiv:1307.3664v2 [cs.CR], pg 5, http://arxiv.org/abs/1307.3664 (Accessed 20 May 2014).

Strunsky, S. (2013). N.J. man fined $32K for illegal GPS device that disrupted Newark airport system. http://www.nj.com/news/index.ssf/2013/08/man_fined_32000_for_blocking_newark_airport_tracking_system.html (Accessed 5 June 2014).