Hacking the sky: planes need patching, too – interview

Cyber assaults on the aviation sector carry more serious repercussions than mere data theft or DDoS attacks. Yet, these incidents may not be widely publicized, as some hacker attacks are disguised as technical glitches.

A hacker can steal data from airlines. A hacker can cripple airports’ websites. More worryingly, they can also spoof external communications to the aircraft, misguide the plane so it lands at a different destination, or even take over the plane itself.

While none of this is easy, and, in most cases, would even require a state-sponsored attack, it is possible. So, testing and patching cyber holes on an aircraft is a thing now. Not everything is fixable, though, Avi Tenenbaum, the CEO of Cyviation, the cybersecurity company focusing on aircraft security, told Cybernews.

What are the main concerns and issues these days in the field?

During a recent event in Miami, many people on the podium were talking about challenges and opportunities. They were asked: what’s the main challenge that they’re fearful of? Cyberattacks, they replied. What were they doing about it? Nothing.

I think commercial airlines understand that the key threat right now for them is exposing private data. Simply because it happens and it resonates well with what they’re familiar with in normal IT cyber, such as ransomware attacks.

They don't yet see the impact of a cyberattack on an aircraft because most of them falsely assume that all aircraft are secure. Who does see the problem? Air traffic control sees a huge problem in operation. A comprehensive cyberattack will make your airport shut down for quite a long time.

Air traffic control understands because it’s already suffered from attacks quite substantially. They’re looking for solutions when it comes to aircraft and fleets. These are probably the most dangerous and vulnerable areas. People still assume that there are enough buffers in place so the aircraft themselves will never really be affected.

Part of it, I think, is because many issues were reported as technical glitches, as human errors. They didn't mention anything about cyber. Airlines are extremely afraid to admit that they have any cyber issues on their aircraft, or people will not fly with them.

DDoS and data theft in the aviation industry are quite mundane. I wonder how physical a cyberattack can become? Could our health and lives be at stake?

Let me outline three physical angles. The least severe is an attack on your cabin that actually modifies the way your screens behave. Maybe upload messages about Ebola or whatever just to create panic and fear. Like many pilots told me, from a safety point of view, they would shut down the in-flight entertainment systems.

Another angle is the spoofing of external communication to the plane. Just assume the plane is perfectly okay, but the information you get is not accurate, which means a flight might be taking a different route. It could lead to quite disastrous consequences. You could get into challenges on TCAS (traffic collision avoidance system).

The critical risk is somebody taking control of the plane. For that to happen, the attack needs to be done in the cockpit. Now we're talking about different protocols and different communication. It's not normal internet, at least most of it. It's not simple, but it's doable. Now, when you take control of the cockpit, lots of things can happen. Somebody can land your plane someplace, somebody can modify information, show you instruments and gauges with the wrong information. I mean, it really can deteriorate very fast.

How often do you see this happen? We don’t really hear about these sorts of things.

We don't see it often at all. People don't publicize it. Even if there were events, they’re usually disguised as a technical error or glitch. You look at certain events that happened in the last few years, the China Eastern plane that just went straight up and crashed. You see events like the one in France, aircraft trying to take off and unable to do so because the avionics have been shut down or have been tampered with.

Of course, there’s the Malaysian aircraft that nobody understands what really happened to and some people still believe it was cyber. We don't see much of it. Nobody wants to talk about it.

However, we’re starting to see a demarcation point in the industry. The regulation understands that there is an issue and says it's not a recommendation but a requirement to build up cyber resiliency.

Do you know anything about the attackers? Who is attacking the industry? Are they opportunistic or targeted attacks?

What we see so far are attackers looking for some financial gain. Therefore, most of the attacks are around data stealing and tampering with ground information. Those attacks are not terror by origin. They’re not country-driven. In order to take down a commercial plane, you need to be a terrorist. You need to be a country-driven [attacker]. Normal hackers don't want to take down airports. There is no benefit. They will not get twice the ransomware. They want to try and get money out of it. To take down an aircraft, you need certain conditions, you know, maybe war between countries or groups around the world that want to jeopardize the normal business of day-to-day activities of a whole country or something like that. Luckily, we haven't seen it yet. It's doable, but we don't see it.

It's unlikely, but do companies still need to be prepared for an event like this?

Regulations, interestingly enough, are saying that we need to give the airline a cookie-cutter type of plan on what exactly they need to do. Firstly, somebody needs to own cybersecurity. Two years ago, CISOs would tell me the plane wasn't their responsibility and they were taking care of the database. Some of the major airlines, after being hit by different cyberattacks, are now calling us and saying, let's talk because we understand that we need to extend it. So point of contact is number one.

Number two is processes. What happens when you experience a cyberattack? Who do you need to talk to and alert? Who do you need to call?

Number three is awareness among your teams and anybody who touches anything around aviation. They all need to understand the importance of cybersecurity.

The fourth point is a vulnerability assessment. Doing an assessment on your key assets, including aircraft, can become very complicated because you're not allowed to touch the aircraft. You cannot do penetration tests on an aircraft. There are a lot of challenges, but this is a requirement.

My last point is to deploy as much as possible. Deploy cybersecurity measures of all kinds, including detection in real-time, analytics of logs, and many other things.

Doing vulnerability assessments of fleets is quite a new thing in the industry, right?

We trust Boeing and Airbus to give us the best airplanes, and we assume that everything is okay. But those aircraft were designed 20 years ago. Even the newest aircraft was designed a long time ago when there was no thought about cybersecurity.

Now, we need to think cyber by design because if we don't think this way, we cannot catch up. Cyber is not something you can tailor a solution for later on.

From a vulnerability point of view, we have a certain way to analyze an aircraft without touching it and without doing any penetration tests. Many of these vulnerabilities are rather simple to fix. The industry is using components that were designed when there was Windows 7 or even floppy disks. Often, a simple software upgrade solves a lot of problems.

Not everything is solvable. We cannot fix everything. In many cases, it’s about awareness. Aircrews and pilots need to be aware of the problem and consider that it might be related to cybersecurity.
