While the commercial aviation industry is struggling to even acknowledge threats to cybersecurity, the business aviation industry has already experienced attacks, according to Josh Wheeler, Satcom Direct director, entry into service.
“The attacks are happening while the aircraft is airborne,” Wheeler explained. “The attacks, just like the ones that corporations like Walmart have experienced, are most likely coming from the ground. The key point to remember is that if you can see the Internet when a passenger connects, then the Internet can see you. It’s not really about the satellite. The satellite is just the means to deliver Internet capabilities to the aircraft. In addition, there are security issues with the flight department, for example, any time an aircraft has an open Wi-Fi network operating in the cabin, there is a risk of hacking.”
Cybersecurity threats challenge one of business aviation's greatest attributes: security of trade secrets from prying eyes. There is also the risk of hacking aboard commercial aircraft. In an attempt to get ahead of the issue, Satcom Direct (Booth H1214) is offering monitoring systems and classes in cybersecurity literacy.
“We saw a huge gap in security because there are certain assumptions made in aviation that, if you are flying, no one can touch you,” Wheeler told AIN. “We need to change the conversation. An IP is an IP and it is irrelevant where it is. Just because you are at altitude doesn’t mean you are safe. People have this huge disconnect. They don’t understand the components of the aircraft, and that creates the perfect storm. Corporate IT people don’t want to get involved because they think they are secure. Flight crews don’t have the specialized training, so they may not realize there’s a problem.”
Wheeler sees threat attempts daily but he said, so far, no one has quantified the threat so there are no statistics on how many attacks there have been or what they were. “Once we started evaluating the traffic we were seeing daily attacks.”
It is not just business aviation passengers who are vulnerable, he added. If someone brings aboard an infected computer on a commercial flight and connects to an airline’s Wi-Fi system, an entire cabin can be compromised.
“So far there has not been a breach in aircraft systems or avionics,” he said. “We see phishing scams all the time where someone calls the flight department [and], in the interest of good customer service, employees reveal a lot of information that can be used to compromise the system. We’ve been pushing for years to develop awareness because a lot of folks don’t understand and that means there is no priority or focus on the problem. We see our courses as ice breakers, raising the issue and saying you need to be aware of the cybersecurity issues surrounding your travel.”
Wheeler went on to describe two inflight incidents aboard a Falcon 7X and a Gulfstream G550.
“One of our clients had a Windows-based maintenance laptop with a number of issues, including viruses,” Wheeler explained. “Likely through a virus, the attacker tried to obtain information such as log-ons to financial sites. Our threat-monitoring system pinpointed and caught the nefarious activity, which allowed us to alert the client, who removed the compromised machine, and the aircraft retained its integrity. This incident underscores the vigilance required with laptop security and keeping its antivirus up-to-date.”
Another client, after expressing skepticism of Satcom’s threat-monitoring service, was swayed. Within a few days of the customer's signing up for the service, Satcom Direct "noticed a hack that attempted to exploit a vulnerability in a laptop’s outdated version of Adobe Reader to try and compromise the network," Wheeler said. "Instantly three active viruses attacked that laptop. Our threat-monitoring system stopped these virus attacks and we let the client know. We were not privy to whether there were any additional consequences.”
In a recent attack on a customer, hackers tried to install a keylogger geared toward ecommerce and banking sites, by capturing passwords and user names. In another incident the guest of a client was connected to the Wi-Fi during a flight, and Satcom Direct's threat-monitoring system detected malware originating from the guest’s laptop. The client was notified and the laptop was shut down.
He added, "A lot of the hacks have been financially driven, but...others just want to crash the system rather than extract information out of it.” The point, he said, is that users need to take precautions.
If We Can Do It, Anyone Can
Satcom Direct director of training Mark Mata agrees. “Something as innocent as opening an email or clicking on links, or even using an infected USB drive in a network computer can result in a serious breach,” he said, adding that the course offered by Satcom Direct is designed to inform end users about what to do and what not to do. “It’s surprising how little thought many of us give to cyber security in our day-to-day actions, but cyber attacks are on the increase. Human error has been identified as the leading cause of cybersecurity incidents, and end-user education is one of the top ways to prevent network infection.”
Part of the company’s services include penetration testing to see what systems are vulnerable on board aircraft.
“If we can get around their systems then others can too,” said Wheeler. “It is really no different than hacking a neighbor’s network. We identify holes and help the flight department remedy it. In-flight networks are vulnerable to the same network security threats as the home or office network.”
The company does cyber hygiene evaluations along with a security risk assessment and threat analysis and prevention. It also offers its own private network for use by companies that want to secure their communications, avoiding the public Internet and protecting end-user communications.
Wheeler explained what that looks like. "We do on-site risk assessments and address disconnects in understanding between corporate IT and flight departments. We assess the flight department and interview everyone from dispatchers, to pilots, to receptionists and maintenance personnel to teach them how to be aware that what may seem like an innocent phone call asking about their operation actually may be a phishing expedition.”
How To Secure the Environment
Business aircraft have higher end equipment and more specialized routers than commercial aircraft. Still, that doesn’t mean they can’t be penetrated, Wheeler noted. So what can passengers do to ensure they are secure on board?
Passengers should have their own preflight checklist, advises Wheeler, including running virus scans and updating software before the flight. He also recommended updating malware and adware programs and seeking recommendations from the corporate IT department.
Then there is the obvious.
“Don’t have an easy password,” he said. “We have seen a lot of people who have 12345678 as their password. And don’t use your tail number as the password. We see that all the time. We’ve also seen people who have had a system they question and they haven’t addressed it and [the problem has] been in there for six months or more.
“Our primary concern is the integrity of our client’s systems. We use fact tactics not scare tactics by raising awareness. One of the biggest questions we ask is whether they use third-party companies and what those companies are doing to secure your information.”