Protecting Aircraft Networks from Cybersecurity Breaches

 - October 1, 2021, 8:12 AM
Adobe Stock Montage: John A. Manfredo

To many observers, 2020 can be labeled as the “year the earth stood still.” But while the global population as a whole stayed home, that doesn’t mean we didn’t accomplish anything. Instead of doing business face-to-face, we switched our interactions to the internet.

From either a business or personal perspective, there’s almost nothing we collectively do today that doesn’t include interacting with a mobile app, website, or connected device of some sort. In fact, according to data firm Statista, the global internet population is now on the threshold of five billion people. It’s mind-boggling that almost two-thirds of our world’s population has the capability to share all kinds of information with anyone instantly.

And that’s not counting the uncountable number of internet of things (IoT) machine connections there are today. The IoT has everything from smartwatches to cars to just about anything you can imagine sharing real-time information. Unfortunately, all that free-flowing information is just too tempting a target for the rapidly growing business of data piracy. And like the internet itself, cybercrime is just going to keep expanding.

Welcome to the YOSC

Just how much of an issue is cybercrime for corporate and private aviation? Considering that the International Civil Aviation Organization (ICAO) designated 2020/2021 as the “Year of Security Culture” (YOSC), it’s a pretty pressing issue. In a statement, the coalition of aviation stakeholders and the ICAO Assembly called for a Cybersecurity Action Plan that, among other things, would work toward a common baseline for cybersecurity practices and make cybersecurity a part of aviation security and safety systems.

But what is cybersecurity in terms of business aviation? “Cybersecurity is the act of ensuring that data being transmitted from an aircraft to a prescribed network is protected at all times to prevent the unauthorized use of that data,” explained Chris Moore, president of business aviation at Satcom Direct. “It is often perceived as an abstract concept, but it incorporates physical security, data security, monitoring, risk management, education, roles, and responsibilities of departments that may not have converged before. For example, an IT department with an aviation department.”

Moore added that while many aircraft owners—including those at Fortune 500 companies—are familiar with cybersecurity for their offices and facilities, not many ever put their aircraft’s data security needs into that bubble. And that’s a mistake, he noted.

“In business aviation, there is often the assumption that if you are in an aircraft at altitude, that data is secure. However, without cybersecurity protocols in place, this is not the case,” he said. “The internet is visible to the aircraft data; then the aircraft data is visible to the internet.”

But business aircraft have been connecting to the global web for a long time. Why is cybersecurity becoming such a hot topic now? According to the experts, there are a number of reasons. One is that hackers are becoming much more sophisticated. They realize that with prosperous companies and individuals spending more time on their “private” aircraft, there’s that much more valuable information to be hijacked. Another is that the way we use the aircraft’s connectivity has changed, and that has opened the door to easier access.

“The ability to do live-streaming or a videoconference call from the aircraft opens up the connection for a much longer time, and that’s a potential security issue,” explained Britton Wanick, v-p of digital solutions partnerships for SmartSky Networks. “We need to realize that the ultimate objective of a hacker is not going to change because they’re hacking an airplane. They want the same information they try to get on any other internet connection.”

And, depending on the goal, that information can be extremely tempting. Personal data, credit card numbers, and bank accounts are top on their list. But when a hacker is targeting a sophisticated business jet, they may well have bigger ambitions.

“It’s not a matter of if, but when an attack will occur,” Moore said. “We noted a sharp increase in attempted cyberattacks through the pandemic, particularly in ransomware attacks.”

It should be pointed out, however, that probably last on a hacker’s digital target list is to try and “hijack” the airplane’s controls via its internet connection. While the idea of controlling a business jet from a laptop makes for exciting, Clive Cussler-worthy fiction, industry experts say the likelihood of this ever happening is pretty much nil.

Rather, what the hackers want is either to collect data—corporate espionage, for example—or better yet, work their way into the company’s computer network with some kind of malware or ransomware.

“Overall, we look at what the hacker’s motivation is and who or what is behind that motivation,” explained Chris Bartlett, president of CCX Technologies, which makes cybersecurity-focused cabin routers, components, and security plans that work in parallel with the aircraft’s connectivity provider. “There’s a wide spectrum of what that can be. In some cases, it’s just mischievous, and in others, it’s the opportunity to impact an organization’s business. I don’t know of an instance where it was a safety risk.”

“An attack can come from a variety of points: it can be a non-targeted attack like a malware virus. I think everyone is familiar with those,” he continued. “It could be a drive-by attack by a hacker who is just curious whether or not they can succeed. They just want to show how smart they are. These usually are no more than an annoyance.

“The most troublesome are the commercially motivated hacks like the recent attack on the U.S. oil pipeline. There was a massive ransom paid on that one,” Bartlett said. “There are so many motivations for attacks today. With all that’s riding on communications, I think you can see that aviation is in no way immune to the risk. Private airplanes are only private up to a point.”

Gone Phishing

No matter what they’re looking for or doing, the easiest way for a hacker to gain access to a company’s network via an aircraft’s connectivity is through passengers' and crews' personal devices. That’s why so many cybersecurity experts suggest carrying separate personal and business devices, something so many of us do not do.

“Rarely is an insertion accomplished by an individual hacker finding their way directly onto a network,” Wanick said. “It’s usually someone accessing a person’s personal device and planting something in there. The surface area in a large company is tremendous. The more users, the more entry points a hacker has.”

Of all the possible entry gates, the experts agree that phishing, pop-ups, fake emails, and the like are at the top of the list of ways for evildoers to gain entry into a device. That’s why it cannot be stressed enough that one should never open any unfamiliar email or document, which is easier said than done. Phishing scams are very sophisticated today and it’s getting harder all the time to tell the real from the fake.

“Methods used by the bad actors or malevolent hackers range from social engineering attacks to theft of passwords and credentials, to spam, malware, ransomware, and more,” Moore said. “Their methodology is becoming increasingly more sophisticated, to the point where some threats are thought to be derived from some state-sponsored institutions.”

In fact, some regions are becoming so notorious for cybercrime that Satcom Direct, in particular, has taken steps to proactively forewarn customers as to the threat potential. “Our existing cyber solutions suite offers a geofencing service,” Moore explained. “If an aircraft is about to enter airspace where cyber events are more frequent, our threat-monitoring service will advise the crew. They can then advise the passengers and/or close down the network while the aircraft travels through that airspace.”

Of course, it’s not only data that the bad actors are after today. There are plenty of instances of black hat corporate espionage goings-on inside of business jet cabins.

Justin Vera, senior installation sales representative for Duncan Aviation, shared a story of a customer who was traveling internationally and somehow someone put malware on his phone to break into the aircraft’s network. “Apparently, someone wanted to be able to listen in on what was being discussed on the airplane,” Vera said. “Luckily, the system’s service provider spotted the intrusion and was able to shut it down. It’s hard to imagine here, but apparently, there are parts of the world where this is commonplace.”

“Operators need to employ on the aircraft the same security protocols they do for their terrestrial networks,” Wanick added. “Monitor, protect, and loss prevention, they all should be available on the aircraft’s network.”

Also not to be overlooked is the need to maintain vigilance with regard to the aircraft’s security when away from home. Many wrongdoers are quite happy with planting an electronic device directly in the aircraft’s cabin. “When it comes to physical security, remember that most business aircraft don’t have locks on their cabin doors. That makes them vulnerable to intrusion,” Bartlett said. “Operators need to be aware of this situation and take steps to protect the aircraft. It’s still part of a cybersecurity plan.”

Not Our Problem…Yet

There’s a saying among psychologists that “realizing you have a problem is the first step to finding a solution.” Unfortunately, when it comes to cybersecurity measures, way too many business and private aircraft owner/operators are still in denial, according to industry experts.

“We have had dialogs with so many different flight departments, and in most cases, they are more worried about whether the Apple TV or Roku TV will work than whether or not the network will get hacked,” Bartlett said. “It’s just a matter of priorities for the passengers.”

That lack of urgency is evident when talking to MROs and avionics shops. When it comes time to upgrade or install a new connectivity system, cybersecurity is usually the last thing to come up in planning. 

“The subject of cybersecurity is still rare. Customers do ask about it, but not as often as you would think,” Vera said. “We do have larger flight departments that have their corporate IT folks get engaged from the beginning of the installation. And there are others that do nothing at all.

“Right now, when it comes to putting connectivity equipment on an airplane from the customer, to the manufacturer, service provider, and the system’s installer, anything that any of them can do is regulated by the FAA or EASA,” he added. “Everything is regulated except cybersecurity. There are currently no regulations regarding keeping that connection secure. In the eyes of the regulators, this is all ‘non-essential equipment.’

“That’s probably one reason why cybersecurity is not on a DOM’s mind today,” Vera continued. “They are focused on the things they need to be doing and what the regulations require to keep the airplane airworthy.”

Dwayne Chandler, director of avionics sales for Stevens Aerospace and Defense Systems, agreed that while cybersecurity isn’t currently anywhere near the top of many of the MRO’s customers’ “must-have” lists, it is coming up more in discussions. “We tell customers if they are under the assumption that no one else can get onto their aircraft’s network, they are incorrect,” he said.

“It’s just another network until you protect it,” Chandler added. “The various connectivity providers have put a lot of effort into doing just that. Many of the large satellite service providers like Viasat and Satcom Direct also provide connectivity for the U.S. military and governments. They have very good security measures in place, and most are available to their other customers.

“For us as an installation agency, our job is to configure the equipment per the manufacturers’ specifications and FAA regulations,” Chandler continued. “There is nothing we can do to design or implement any further cybersecurity steps that the system doesn’t already have.”

All of the air-to-ground (ATG) and satellite connectivity providers have invested heavily into technologies that keep their various customers’ data as safe as possible. It’s not an easy solution by any stretch of the imagination.

Protecting in-flight data requires an understanding of the dynamic nature of the cybersecurity landscape and necessitates visibility into flight operations. This needs to be coupled with the right technologies, policies, procedures, and controls to implement solid security management systems, so operators need to discuss all these elements with their connectivity provider to reduce risk.

The in-flight connectivity system must be paired with a robust, secure ground infrastructure that can support secure connectivity solutions. Companies like CCX also add physical protection in the form of products installed on the aircraft.

“Our base-level offering goes beyond intrusion-detection systems to include intrusion prevention,” said Moore. “This means we don’t just let you know that a security event is happening, we take immediate steps to stop it and track down the root cause. Satcom Direct offers operators a sophisticated threat-monitoring and risk-mitigation service applied to the data traffic flowing to and from the aircraft.”

Moore stressed that Satcom Direct’s data monitoring doesn’t actually look at the digital content itself but instead looks for unique patterns in the networks and applications in use. “If we spot abnormalities, we can take remedial action to protect the network,” he said. “Our team of certified experts can recognize and prevent attacks by proactively examining the data and shutting down any activity that seems unusual and notifying the crew in real-time.”

The Satcom Direct Network Operations Center in Florida keeps watch on customer networks.

Cybersecurity: Everyone’s Responsibility

Cybersecurity is a highly complex business. Like everything in aviation, no two situations are the same, which makes creating and implementing a security plan challenging for the typical chief pilot or DOM.

Aircraft owner/operators need to work with their connectivity providers to explore all the options available to keep data safe, Moore said. There is no one size fits all, and it is important that the operator trusts the connectivity provider to tailor the security system according to their needs.

The good news is that it's possible to take some simple steps to start to assemble a workable cybersecurity protocol. It may not be something many chief pilots and DOMs are familiar or comfortable with, but the fact is, ready or not, chances are these types of decisions are going to fall on their shoulders.  

“We always recommend that you start with understanding what kind of data is being transmitted from the aircraft. How does that translate into a threat factor?” Bartlett said. “It gets a lot more complicated when you start looking at passenger data, crew data, aircraft data, and the flight deck—ARINC 429 transmissions. What do all of those messages contain? What are the potential implications to the company if someone accesses that information?

“Then talk to your selected service provider and find out what types of security measures are available for your level of service and what are options to enhance the protection?” he added. “There are a lot of options today, maybe more than one provider can offer. Depending on how far you want the cybersecurity program to reach, you might need to bring in a third-party service provider.

“These are questions that are not easy for a chief pilot or DOM to answer,” Bartlett added. “There is a significant gap here. The biggest of all is whether or not the principal on board the aircraft will be happy with the solution.”

Unfortunately, there’s often a fine line between having a healthy, secure network and a happy boss. Take encryption, for example—there is a belief that encrypting a network connection slows down the onboard Wi-Fi experience, and the boss won’t like that.

“You need to have an open discussion with the principal and all those involved about consequences of any cybersecurity protocol or process before you implement it,” Bartlett said. “Yes, an open network is faster, but it’s very vulnerable to attack. Can the principal afford that?”

“I tell our new customers that while the service providers absorb the largest portion of the security issue, it’s really everyone’s responsibility,” Duncan's Vera said. “When they get a new connection installation, my first bit of advice is to consider the network wide-open like Wi-Fi in a coffee shop until you take steps to make it otherwise.”

Tighter Cybersecurity Starts Today

While it can take time and possibly new equipment to achieve the level of security that’s right for a particular aircraft and flight operation, the data pirates aren’t going to wait while everyone gets their digital ducks in a row.

Cybersecurity is new territory for the majority of business jet operators. For further help, a useful source is the NBAA connectivity subcommittee, which provides an array of insights to help answer cybersecurity questions.

While even identifying and planning a cybersecurity program is a major challenge, there are some steps that operators can take today to help make personal devices, and subsequently the aircraft’s network, just that much harder to break into:

• Install the latest version of the service provider’s preferred online security suite.

• Secure passwords. Use more than one password and do not share them.

• Update passwords often and remember that length matters. Experts say the more complex a password, the better. Just don’t forget to keep them in a secure location or use a password manager application.

• While strong passwords are good, always take extra precautions when emailing sensitive information. Make sure these types of files are encrypted before pushing “reply.”

• Always take a second look at an email that is asking you to reply to verify some personal or account information. When in doubt, don’t.

• If you must use a Wi-Fi hotspot, be sure to only use secure sites or, better yet, use a virtual private network (VPN).

• Use a multi-factor authentication protocol to provide extra layers of security. Set it up with authentication apps, SMS verification, or biometrics.

• When doing online transactions, look for secure sites. They will typically have a closed padlock icon in the status bar.

• Use one credit card for all of your online shopping needs. Also, experts suggest never using a debit card.

• Keep all apps and operating systems updated with the latest versions to ensure that you have the latest security patches and updates. If your device offers auto-updates for your apps, make sure to turn that on.