Aviation Security and Why We Don’t Need to Worry. . . Yet
Written by: Evan Stewart, Cyber Security Operator
With communication infrastructure being built on an internet/Ethernet-based interaction, it is only natural that the Aviation industry would adopt the speed and necessity of the same technology. However, with those changes, the concern for digital/data security is put into question. At Defcon 27, the Aviation Village was introduced to discuss and present the hardware, tools, and systems onboard an aircraft; how these systems integrate and communicate; and the security concerns surrounding them.
Brad Haines spoke on the use of the Automatic Dependent Surveillance-Broadcast (ADS-B) system onboard an aircraft. This system provides the real-time precise location of the aircraft. Haines demonstrated that he was able to receive communications and minor data points, using ADS-B, from aircraft in flight. He expressed fears that this unauthenticated and unencrypted system could allow a bad actor to influence, change or disable aircraft location/information systems.
Regarding these concerns, Pete Cooper, a former jet pilot and flight safety officer, suggested that the loss of certain systems would only be a nuisance to a seasoned pilot. The ability to fly a plane remains within the pilots and their ability to adapt and use other systems to compensate for the loss. Granted, if multiple systems fail, then larger issues could occur.
With the adoption of enterprise-like network management onboard an aircraft, the bar for being able to access avionic and information systems is lowering. This necessitates plans and actions to counteract this risk being discussed and implemented at the highest levels of government and industry. Cooper expressed confidence in the industry and its ability to adapt to changing infrastructure and address the security issues that will arise in the aviation industry as it continues to technologically evolve.
The recent loss of Lions Air flight 610 and Ethiopian Airlines flight 302 resulted in significant changes in the aviation industry regarding the use of technology. However, with these changes and improvements comes increased risk and vulnerability. Fortunately, not only is it reasonably difficult to even get access to the avionics and information systems on an aircraft, but the segmentation and redundancies in place provide strong security controls. In addition, attempting to hack a plane at 35,000 feet going 500mph is not the easiest of things to do.
The aviation industry is really a microcosm of commercial industries as a whole. Organizations across the globe are continually investing in new, smart technology. Unfortunately, as demonstrated in the Aviation Village, not all new tech is built with security in mind. This leaves organizations vulnerable to attack – whether it be an airplane being hacked or a financial database being breached. It is critical that organizations apply simple and basic network security principles, test their defenses, and monitor for indications of attacks and breaches.
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.