Overcoming aviation security challenges

Nitha Rachel Suresh, Cyber Security Consultant at Synopsys, considers the very real threats to aviation security and the ways and means by which these widespread security challenges can be overcome.

The aviation industry is no more immune to critical cyber security risks than any other industry.

That is quite unsettling when you consider the implications of a malicious attack on an airplane full of people.

While it may be far-fetched to imagine an airplane’s highly complex systems being hacked at once to bring such an event to life, an attacker with deep knowledge of aviation systems could intentionally cause serious issues with the intended, standard operations.


Let us explore some of the key aviation security challenges and how to address them in order to move proactively toward a more secure future.

Due to the complexity of aircraft systems, the size of the software supporting those systems has grown exponentially through the years. There are millions of lines of code involved in avionics systems. If these are not regularly tested for vulnerabilities, severe security threats can arise. That is easier said than done when you consider that the complexity of these systems can lower the testability of software, leaving behind many vulnerabilities that could potentially be exploited.

Over the life cycle of an aircraft, it will go through multiple phases of overhaul and updates. The associated software must also undergo appropriate changes. Unless this job is carried out with extreme caution, there is a great deal of potential for security bugs to creep into the software.

Consider the attack surface. Modern avionics software development often uses commercial off-the-shelf (COTS) components to some extent.

An attacker could, in theory, tunnel through such components to enter the heart of the system. This is a key consideration in the realm of security.

The utilisation of COTS technologies has also brought about more software exposure within the public domain. The aviation industry is an excellent example of how security through obscurity is becoming an increasingly outdated concept.

Traditionally, avionics software has relied heavily on the secrecy of its development process. COTS has ensured that this is no longer the case. As such, software vendors must plug loopholes as they would with any other open architecture.

We must also consider the array of hardware and software components implemented from various sources. Vetting each of them appropriately for security threats is a massive undertaking. Currently, third-party vulnerability assessments are not a common practice with regard to aviation security. To ensure secure development, this gap must be filled.

Additionally, major development standards do not have detailed cyber security policies — as of now, at least. However, the ASISP 2015 initiative by the FAA is a move in the right direction.


Examples that illustrate a need for change

In the 2008 crash of Spanair flight 5022, it was discovered that a central computer system used to monitor technical problems in the aircraft was infected with malware. An internal report issued by the airline revealed the infected computer failed to detect three technical problems with the aircraft, which, if detected, may have prevented the plane from taking off. The malware was found to be a Trojan horse.

In 2010, the FAA published a notice indicating that some computer systems on the Boeing 747-8 and 747-8F may be vulnerable to outside attacks due to the nature of their connectivity.

In 2016, Ruben Santamarta demonstrated that attacks such as bypassing the credit card check and SQL injection can be conducted on an in-flight entertainment system.

These are only three examples illustrating what could happen when software vulnerabilities go unresolved. So, how do we fix the problem?

How to overcome such aviation security challenges

To overcome the widespread challenges, the industry must understand and proactively work to defend the attack surface. There should be a common repository of threats to both hardware and software detected by the developers and/or assessors. This needs to be maintained by regulatory agencies like the FAA and should also be available across different development platforms.

Next, the development team should be able to compile all known threats to build a threat model. Within this threat model, there should be information about threats that exclusively affect the product or piece of software at hand. A security risk assessment model should be built to effectively prevent, identify, detect, respond and recover from the security challenges that the aviation industry is facing.

Every failure is a lesson to be learned. It is of great importance not to waste those lessons by forgetting them. Threats and attacks should be logged and made available to all avionics security personnel. A-ISAC is one such organisation which can provide intelligence on aviation security threats.

In the best-case scenario, security considerations should be built into the earliest phases of design, even before requirements analysis. Software architecture teams should consider the potential threats faced during the software life cycle. This will help in providing reliable and robust software.

It is becoming ever more critical to have a well-established cyber security policy, accepted by all leading manufacturers, in place along with the accepted avionics standards. The observance of such policy should be mandatory for all civil aircraft.


 
