Cybersecurity Report Fears 'Dismissive' Approach

November 8, 2017, 10:28 AM

An International Civil Aviation Organization assessment on cybersecurity threats to ADS-B appears “dismissive,” given that the system is open and not encrypted, a Washington think-tank fears. In a report released November 7, the Atlantic Council highlights potential cyber concerns and recommends developing a clear vision for mitigating them.

It praises aviation for its history of emphasizing security and safety but emphasizes that as technology has advanced, “aircraft, be they airliners, UAS or helicopters, must now be considered nodes on multiple networks, whether they are airborne or not. Multiple claims of opportunity and vulnerability must be met with more than dismissal.”

The report delves into several aspects of vulnerabilities involving the age of the connected aircraft—whether through air traffic management systems such as ADS-B or through systems on board the aircraft.

ICAO guidance has cited “considerable alarmist publicity regarding ADS-B security” and has said that “to a large extent, this publicity has not considered the nature and complexity of ATC,” according to the report. ICAO further has said its assessment of security policies in use for ADS-B provides a more balanced view. Other officials have maintained that the security has been assessed, a plan is in place, and systems are monitored.

Authors of the report conceded they could not comment on the assessment, since it had only a limited distribution for security reasons, and security efforts are not revealed. Even so, the report worries about the safeguards. Of ADS-B they said, “As an open system with no encryption, authentication, or integrity checks, the main researcher concern is that ADS-B signals could potentially be eavesdropped on, blocked, or transmitted by adversaries.”

Further, the report expresses concerns that ADS-B hardware is fitted and networked with other aircraft systems, providing a potential entry point for adversaries. “Already, many ADS-B units available for sale have both Wi-Fi and Bluetooth connectivity to permit uploading software and to link with electronic flight bag [EFB] software on portable tablets,” the report says. “The recent report of an ADS-B transceiver with a permanently open Wi-Fi hotspot, despite having a technical standard order authorization (i.e. design and production approval) from the FAA, demonstrates that there may be more challenges to come.”

The report looks at multiple air traffic management system issues, such as vulnerabilities with controller-pilot datalink systems and the System-Wide Information System. These systems contain similar challenges involving authentication, encryption, auditing and monitoring.

In addition to highlighting ATM, the report focuses on vulnerabilities with connected systems aboard the aircraft. EFBs must meet certain security criteria, and permitted data transmissions are limited for security reasons and must be isolated from other aircraft systems. Other efforts, such as firewalls, further improve security.

But the report still expresses concerns that “as their growth in popularity has increased, the variety of hardware and software used for portable EFBs has also increased. Diversity and platform complexity may make it harder to demonstrate assurance and deliver reliability.” The report notes incidents that have already taken place involving third-party applications crashing aircrew EFB tablets.

Other technologies such as maintenance monitoring and the Aircraft Communications Addressing and Reporting System (ACARS) provide further susceptibility, along with the rapid growth of use of Wi-Fi aboard aircraft by passengers. “Modern connected aircraft have seen a rapid growth in the amount of data they produce,” the report said. “It is estimated that by 2026, the global growth in aircraft-generated data could reach 98 million terabytes. Much of this data is where evidence of adversary activity or intent will be visible. Being able to see into this data, protect it and quickly analyze it for weak signs of compromise will be essential.”

Air Traffic Control Association president and CEO Peter Dumont, providing a perspective for the report, highlighted a need to ensure future technologies are designed to permit updates in real time. A concern highlighted by the report is that the technologies themselves have long lead times for development, but cyber threats adapt much more quickly, hampering the ability to respond. Dumont further expressed concern that security policies tend to be generic, while aviation systems must be specific.

“To ensure security and prevent potential disruption to the aviation system—while at the same time ensuring that the full potential of connectivity is achieved—requires a concerted effort from manufacturers, service providers and regulators,” said Aerospace Industries Association president and CEO David Melcher, praising the report for identifying issues and calling for a unified industry-wide approach to the emerging threat. “Publishing this report is an important first step; now we need to move into action.”