All-inclusive approach needed
The aviation industry includes many domains, assets and interests that must be protected from a wide range of risks and threats. Some of these are linked to technology shortcomings such as software glitches, equipment or control systems failures; others, like cyber attacks, which may exploit known weaknesses, are deliberate. The industry also faces risks of a physical nature, essentially from terrorism, which have been the focus of protective measures for decades.
A holistic approach that addresses all possible physical and other threats, and which includes IT and OT issues, is vital for ensuring people (passengers and crews) and costly assets are afforded the maximum protection possible, for safeguarding business continuity, maintaining resilience and, when possible, ensuring recovery. It must involve all stakeholders, such as industry trade bodies, airports and airline operators.
Aviation is a highly important economic sector with an impact (direct, indirect, induced and linked to tourism) estimated at some USD 2 200 billion, equivalent to 3.5% of global gross domestic product. The safety record of commercial aviation is excellent: it transported some four billion passengers in 2017 without incurring a single casualty. The industry covers commercial (passengers), business, freight and courier aviation. Each carries with it issues that require different levels of protection.
Multiple domains need to take a systems-based approach to protection
As well as aircraft, the aviation industry covers multiple domains that are linked to:
- Physical infrastructure located at airports. This includes aviation-related activities and a wide range of services, some connected to critical physical security issues, which requires granting access to a very large number of staff. Airports can occupy vast areas and employ tens of thousands of employees, as does London Heathrow (over 76 000 people work there). It is essential that only vetted individuals have access to certain designated areas. For obvious reasons of security, these include granting proximity or access to critical assets such as aircraft (for maintenance, refuelling, baggage handling, etc.), air traffic management and control (ATM/ATC) installations, IT systems, security clearance of passengers and their luggage and freight handling, to name but a few. Airports also derive significant revenues from non-aviation sources such as retail concessions for shops, restaurants, etc. These add to the large number of people working overall in airports
- ATM and ATC installations are located mainly within airports, but can now also be found at remote locations, a move made possible by digitization. As early as 2015, flights to Ornskoldsvik airport in Sweden were controlled from a tower located some 180 km away at another airport. The introduction of these remote towers is becoming more common and allows ATC staff to oversee traffic from another location. It was announced in 2017 that London City airport would become the first in the UK to use a remote tower as its primary control facility
Security risks from technology issues
Until recently, protecting air travel from external security risks predominantly concerned physical threats. This has now evolved to include a broader range of risks (and threats), some linked to technology, others to deliberate cyber attacks targeting IT and OT systems and attacks carried out by different actors for a variety of reasons.
Risks facing aircraft and flights may be linked to technology. These include:
- The gradual introduction of so-called electronic flight bags, the size of a laptop computer or tablet, to replace the traditional carry-on flight bags containing aircraft operating manual, flight-crew operating manual, navigational charts and other paper documents. They have improved efficiency, as they can be updated in real time. However they present some risks, as was shown when an iPad software and connectivity issue caused electronic flight bags used by American Airlines crews to fail, grounding multiple aircraft in April 2015
Hardware failures or software glitches, such as those from Pitot tubes or angle of attack probes, which have caused at least two crashes (Air France AF 447 May 2009, Lion Air JT610 October 2018) after returning erroneous data to automatic flight control systems, affecting their operation and leading to incorrect reactions by pilots which resulted in these crashes. The use of electronic flight bags may also present risks, as was the case when an airliner
carrying some 165 passengers and crew nearly overshot the runway at London Luton airport after data corrections entered by the pilot were incorrectly reported by the software, indicating the existence of a longer runway
- Control system errors. A computer failure in April 2018 at Eurocontrol, the Brussels-based agency coordinating Europe’s air traffic control operators, resulted in around half of the 29 500 flights scheduled for that period in the European zone facing delays
The European Aviation Safety Agency estimates that some 1 000 cyber attacks target aviation systems worldwide each month.
A May 2018 UK Department of Transport Aviation Cyber Security Strategy report stresses that “it is not a matter of if but when cyber-attacks or system compromises are perpetrated against or impact upon the aviation sector”. There have already been cases of such attacks.
A study by the Florida Institute of Technology (Florida Tech) lists the following as aviation industry elements potentially vulnerable to cyber attacks:
- Access, departure and passport control systems
- Cargo handling and shipping
- Flight management systems
- Flight traffic management
- Hazardous materials transportation
- On-board computer and navigation systems
- Reservation systems
Cyber threats (such as ransomware and viruses) targeting other sectors may also affect the aviation industry. This was the case with the NotPetya ransomware that saw Ukraine’s Boryspil International Airport in Kiev lose access to its systems in June 2017.
Other instances are the result of deliberate cyber actions, such as the June 2015 distributed denial of service (DDoS) attack on the flight operations system of Poland’s LOT carrier at its main hub in Warsaw airport. The attack led to the cancellation of 22 flights, leaving some 1 400 passengers stranded.
Airports and ATM/ATC operations rely heavily on a range of industrial control systems (ICS) to operate efficiently. ICS integrate IT and OT. OT systems are often the most vulnerable as they incorporate commercial off-the-shelf (COTS) components that use IT protocols (such as Internet Protocol), which can more easily become targets of cyber attacks than better-protected IT systems are. ICS are central to air cargo handling, airfield lighting, fuel distribution, power management, heating, ventilation and air conditioning systems. Any ICS-related incident may affect entire airport facilities.
Cyber risks to avionics systems are also real. The avionics systems potentially at risk include:
- Communication systems to ground control through data-links used to send two-way information between aircraft and ATC when an aircraft is too far away to make voice radio communication and radar observations possible
- Inboard WiFi and entertainment systems which may be used to display false or alarming messages to passengers and crews
A US Department of Homeland Security official hacked into the systems of a Boeing 757 passenger aircraft parked at Atlantic City airport, New Jersey, in September 2016. This was “a remote, non-cooperative penetration” without insider help or being onboard, using “typical stuff that could get through security”. It raises questions about the safety of onboard avionics systems.
Aircraft manufacturers are aware of many of the risks. A panel session on Securing the critical supply chain, held at a June 2018 conference on Managing Cyber Risk in Critical Infrastructure organized by the Financial Times and attended by e-tech, highlighted the steps manufacturers take to mitigate risks. Airbus Head of cyber security architecture Dr Kevin Jones explained that Airbus introduced a number of measures to protect its supply chain. These include secure remote access for suppliers and a certain measure of access segregation, a full audit of the Airbus production facilities and those of its suppliers and the identification of vulnerabilities. Suppliers have to review their processes and make sure they meet Airbus standards. Similar practices are followed by other manufacturers, Bombardier Chief Information Officer Jeff Hutchinson noted at the time.