AVIATION CYBERSECURITY

Finding Lift, Minimizing Drag

By Pete Cooper

Full Report: http://www.atlanticcouncil.org/images/Aviation_Cybersecurity_web_1107.pdf

Executive Summary:

This is a boom time for the aviation industry. The ten-year average for passenger growth hovers around 5.5 percent globally, aviation accidents and incidents are down to their lowest levels, profits are up due to historically low oil prices, and the increasing use of technology is transforming efficiency and passenger experience.1 As an “always on” generation of travelers demand to be “always connected,” an increasingly interconnected aviation industry is employing ever more digital technologies to deliver efficiencies across aircraft (including Unmanned Aircraft Systems [UAS]), Air Traffic Management (ATM), airports, and their supply chains.

Aviation is a cornerstone of national and international commerce, trade, and tourism, which means even an isolated incident could spark a crisis of confidence in the entire sector. The potential impacts on stock market value, stability, and national gross domestic product make securing and protecting the connected aviation world a critical element of national security.

This study indicates that the aviation industry will likely experience cybersecurity challenges similar to other industries that have embraced the “digital revolution.” As the industry moves forward, will it be able to maintain stakeholder trust by accurately perceiving the risks and opportunities as well as understanding adversary threats?

Previously, aviation systems were relatively secure due to the bespoke nature of their design, isolation from other systems, and little in the way of communication protocols. But ATM is no longer isolated, and ground services and supply chains are becoming fully integrated into an interconnected digital world.

In addition, cyber adversaries and their capabilities evolve and adapt quickly. This may be particularly challenging for an industry where many of the systems have long design and development periods. As technology radically transforms design, production, operation, and maintenance of aircraft, models of safety and security must adapt. While new and emerging capabilities, like additive manufacturing and UAS, are transforming the aviation sector, their novelty may obscure the cybersecurity risks these technologies introduce.

Connectivity of aircraft systems, through traditional information technologies and aviation-specific protocols, has now extended the attack surface to the aircraft itself. Aircraft are now complex data networks, yet the ability to monitor them arguably lags behind comparable ground-based networks, as does the ability to avoid and respond to potential cybersecurity incidents. ATM is also undergoing a sweeping modernization program that shifts away from legacy radars and beacons to a heavy reliance on Global Positioning Systems (GPS) and digital communications. Advanced technologies such as GPS and Automatic Dependent Surveillance-Broadcast (ADS-B) can greatly improve accuracy and reliability under normal conditions, yet remain susceptible to degradation by environmental hazards or manipulation by hostile actors.

Airports are a key focal point of adversary interest. As a federated management system with numerous interdependent service providers, deficiencies in airport cybersecurity may allow bypass, subversion, and eventual breaches of physical security. Additionally, as capabilities such as remote tower services gain popularity, balancing commercial interest with sound risk management will be even more difficult. Attacks against public-facing systems at airports may pose little safety risk, but can harm public confidence and trust.

As the domains of aviation and cybersecurity increasingly overlap, the common goals of safety, resilience, and trust can be achieved sooner by working together. Preserving aviation’s strengths relies on clear definition of governance and accountability and recognition of shared responsibility across the supply chain. The aviation industry has a longstanding and robust safety management system with a safety culture embedded at its core.

The challenges of cybersecurity are testing these existing industry policies and frameworks as nations, organizations, and businesses attempt to develop best practices. There will be a key role for the International Civil Aviation Organization (ICAO) in bringing both leadership and vision to the challenge. With multiple perspectives and stakeholders, it is essential for the increasingly interconnected aviation industry to have a clear, coherent vision.

A cybersecurity vision for a connected aviation industry and its foundation

A vision or aspirational state for the aviation industry as it faces cybersecurity challenges may be characterized as:

A safe and prosperous aviation industry with resilient trust and systems.

To achieve this vision, the industry must focus on strengthening five foundations of aviation cybersecurity:

  1. Systems Thinking, Governance, and Accountability

In a complex, interdependent system of systems, finding and securing the weak links are not only an essential requirement but also a critical test of governance and accountability. The ICAO plays an important role in working with national regulators to decide how the aviation industry should manage cyber risks and to clarify and simplify the legislative burden for stakeholders.

  2. Resilient Systems

“Advanced adversaries will still breach the IT infrastructure.”2 This assumption of future breach, failure, or attacks on data integrity has resulted in a greater focus to deliver resiliency as well as security. It will require both resilient systems engineering practices and a resilient personnel culture to safely work through such adversary activity.

  3. Resilient Trust

The importance of stakeholder trust is at the forefront of the aviation cybersecurity challenge. If adversaries can erode trust, they are able to control passenger and stakeholder experience, perspective, and confidence. The longer it takes for an operator to counter perceptions and regain trust, the less credibility the operator will have in the eyes of the stakeholder.

  4. Secured Human Decision-Making

Human error or technical failure is inevitable, but all aviation systems are designed to help a human operator recognize and deal with an accident or incident before it impacts safety. Therefore, there must be a focus on protecting the integrity of the data that operators are presented with so they are able to make safe and timely decisions.

  5. Shared Perspective and Culture

The importance of collaboration cannot be underestimated. Even beyond sharing knowledge and different perspectives, there is great potential for cultural exchange between the aviation and cybersecurity industries. Developing a shared culture in which both groups synergize and view the challenges and potential solutions will increase awareness of risk and robust resilience.

Suggested Next Actions

To build and fortify the aforementioned foundations, it is recommended that all stakeholders take the following actions:

  • Reinforce Leadership and Standardization (Globally, Nationally, Regionally, etc.)
  • Define a Common Understanding of Aviation Cyber Safety and Security
  • Reevaluate, Develop, and Use Robust Threat Models
  • Develop and Communicate Coherent Messaging on Cybersecurity Risks
  • Find Ways to Develop Trust with Non-Technical Audiences
  • Improve Agility in Security Updates
  • Design Systems and Processes to Capture Cybersecurity-Relevant Data
  • Train for Safety Across Multiple Disciplines
  • Incorporate Cyber Perspectives into Accident and Incident Investigations

As organizations seek to exploit the opportunities of a connected aviation industry, they must retain the ability to be objective about both the benefits and risks. Innovative, connected technologies, if sympathetically and securely integrated, can assist in efficiency and safety; but this must not be at the cost of unknown or unacceptable risk.

It will take consideration and incorporation of multiple stakeholder perceptions to reduce the risk posed by adversaries. In a rapidly evolving environment, the industry must exercise leadership and utilize teamwork to boldly look to the horizon with clear purpose and maintain stakeholder unity. The conditions are ripe to find alignment, direction, and progress under strong international leadership to ensure a safe and thriving aviation industry in the years to come.

 

ISBN: 978-1-61977-397-4

This report is written and published in accordance with the Atlantic Council Policy on Intellectual Independence. The authors are solely responsible for its analysis and recommendations. The Atlantic Council and its donors do not determine, nor do they necessarily endorse or advocate for, any of this report’s conclusions.

November 2017

 

Author Bio:

Pete Cooper (MSc, CISSP) is an independent cyber security adviser based in London, UK, and a nonresident senior fellow at the Atlantic Council’s Cyber Statecraft Initiative.

The first part of his twenty-four-year career in the UK Royal Air Force (RAF) was as a fast jet pilot and instructor on the Tornado GR4. He then became an early member of the UK Ministry of Defense (MoD) Joint Cyber Unit, developing and integrating cyber operations into UK and MoD processes. His final position was in MoD Joint Forces Cyber Group, where he was the Strategic Cyber Operations advisor, playing a key role in developing policies, concepts, and doctrine both nationally and internationally.

He has an MSc in cyberspace operations from Cranfield University. His dissertation on adding a cognitive dimension to Active Cyber Defence was published by the Journal of Law and Cyber Warfare and explored how a better understanding of attacker psychology could be used to augment legal Active Cyber Defence methodologies.

Since leaving the RAF in 2016, he has been advising nationally and internationally on cyber security challenges and opportunities, supporting various organizations in developing their strategies. He is also a passionate supporter of the Cyber 9/12 policy and strategy competition, which has seen him present and judge at competitions in both the US and Europe. As director of Cyber 9/12 UK, he is also leading the rollout of the competition in the UK.

 
