Tackling inflight cyber threats

While the report predominantly covers the commercial airline sector, Cooper confirms that business aviation is no less vulnerable. “The sector faces the same challenges as airlines. Aircraft have become generic platforms for data transmission with their multiple hardware and software systems connected to each other, as well as external systems. Vulnerabilities will exist in all systems, it is only a matter of when they are discovered, and by whom.”

Cooper outlines the misperceptions around cyber security and how it is often dismissed because, ‘such vulnerability is impossible’.  Echoing this view, Chris Moore, CCO of business aviation connectivity provider Satcom Direct, says: “Clients are often surprised at how vulnerable they are, and we are surprised at how many have not addressed the potential threats of a cyber security attack.  They are simply not aware and make lots of assumptions about network safety and security.”

International executive jet business NetJets confirmed that it includes cyber security management as part of its overall security assessment activity, but added that passengers rarely ask about the issue beyond checking their personal data was being respected. Another leading operator’s spokesperson added: “We’ve never had a passenger ask us about whether data transfer is safe, they just assume it is and that is the prevalent assumption.”

According to Moore: “An IP is an IP, regardless of location. An aircraft is just as susceptible to a cyber threat as an office, even though the impression is of reduced attack risk. Quite simply if you are communicating data you are connected to the net, and unless the correct protocols are in place you might as well be sitting in your local cyber café.”

Robert Fisch, Chief Aviation Operations Officer for Luxaviation Group, adds that, “the complexity of our industry and the fact we are relying more and more on information and communications technology, does not render us immune to security risks; in fact, it is quite the contrary.” Luxaviation has invested heavily in cyber security software, anti-spam filters and has even established a dedicated in-house company to manage the IT infrastructure of the company. It monitors its flights and notes thta recorded alarms vary between 700–2,000 a month for the entire group.

“Having the in-group company specialising in IT, with strong aviation knowledge, is certainly a good start to solving problems and monitoring risks,”
adds Fisch.

Flight deck vulnerability

There are certainly numerous scenarios for breaches of data security in the cabin or cock-pit. Flight decks operate via secure systems, but the development and implementation of the FAA’s NextGEN Aircraft Traffic Management systems increases points of vulnerability.  Traditional radars and beacons are being replaced by ADS-B and GPS-based systems reliant on data transfer. Electronic flight bags (EFB) have developed from handheld storage devices into sophisticated units that reduce pilot workload tremendously. With the incorporation of software as a service (SaaS) into the EFB, the number of weak spots increases. There are safety guidelines, but the diversity of the EFB applications brings risk. Similar points can be made about ACARS and ADS-B technology. Issues may even arise from third parties in the supply chain that unwittingly let hackers into flight department networks via their systems. The consequences of these systems being violated do not need spelling out.

Human factors play a part too. Crew and passengers can easily fall foul of malicious intent, for example, from simple phishing and evil twin attacks, which may bring data threats into the cabin. A randomly found digital thumb-stick may contain a software virus that activates when plugged into a Wi-Fi connected personal device. Unmanaged third-party devices may cause problems. Moore explains: “Just recently we alerted a flight department to the fact that while in flight, multiple attempts were made to access the email accounts of one particular passenger.” He points out this was not one of the client’s team members, but a business colleague invited to join them on a flight to a meeting. “We alerted the flight department right away and blocked further attempts.”

This monitoring service is part of SD’s Cyber Solutions Package.

Resilience and responsiveness is key to managing cyber situations. Luxaviation Group’s in-house IT steering committee regularly monitors all major IT related questions, which includes a cyber security report.

“This permits us to adapt rapidly to the ever-changing cyber security situation,” says Fisch. Luxaviation also carries out a complete cyber risk assessment should any operation be altered or any component changed.

SD is supporting the business aviation industry by providing tailored cyber security packages. It can do this as it owns the necessary infrastructure, hardware and software, which independently or in combination addresses the key issues. The SD Data Centre creates private networks on behalf of clients. SD hardware allows satellite and air-to-ground connectivity providers to connect aircraft and its software-as-a-service solutions provide applications to support passenger and crew activity within the secure network.

It also offers onsite risk assessments to identify threats across the supply chain, both inflight as well as on the ground, and makes recommendations that adhere to ISO 27001 and NIST (National Institute of Standards and Technology) principles. “We even deliver a certified cyber security course designed to improve understanding and support all those that touch business aviation from suppliers and FBOs through to flight departments, crew and even passengers. This is open to all the industry, not just SD customers,” says Moore.

Moore and Cooper are both clearly making the point that the industry dialogue shouldn’t be about “how secure we are”, but should be asking “where does vulnerability lie and how resilient can we be under attack?”

The industry’s lack of standardised legislation and regulation for the business aviation sector isn’t helping. Without these, many operators and owners are reluctant to put systems in place, that may become obsolete as certified standards are set. Cooper states, “Waiting does not just hold back the aviation industry, it also holds back a strong and diverse cybersecurity industry that supports the aviation industry.”

European co-ordination

When asked to comment, a spokesperson for the EBAA stated that the organisation “clearly recognises the need for, and importance of, cyber security in relation to business aviation and the multitude of stakeholders therein.” EBAA encourages all stakeholders to include scenarios around connection failures or hacks in their risk management scenarios. Encouragingly, as part of the single European sky initiative and specifically the Air Traffic Management Master Plan, the EBAA has also highlighted the need for the development of, in coordination with NextGEN, specific system architecture and essential operational tools to manage and minimise cyber risks.

ICAO has already tabled a resolution to address cybersecurity in civil aviation and has called for member states to work together to develop a procedure and policy to develop a framework. A subsequent directive calling for cyberattacks against civil aviation to be considered an offence was made in November 2017. This recognition of the human factors that run deep in the debate is well received and reflects that much of the issue is related to human behaviour, as much as technical weakness.

If business aviation is to meet this challenge, it will require all stakeholders coming together to collaborate, develop, and design resilient systems to support threat management. Education is vital to progression in this field across the supply chain. Responsibility does not just sit with one part of industry. International collaboration, education, and implementation of standardised models that reduce the threat will go some way to underpinning a safer business aviation digital network.

As business aviation drives economies, supports growth, and creates employment, the implications of a single cyberattack are potentially extremely damaging to business, reputation, and opportunity, yet it seems that the industry is still finding its feet in terms of risk management. Two very different sectors are converging as aviation, a traditionally very safety conscious, highly regulated, conservative sector, meets the cybersecurity sector, which has thrived on rapid change and minimal regulation. They need to better understand each other to provide a stable framework from which to operate.