The aeronautics sector and security: which cyber risks?

Hijacked screens displaying propaganda messages, airline data stolen and resold, access to an aircraft’s computer system… Aeronautics is one of the sectors most affected by cyberattacks. Attackers have a multitude of means at their disposal to carry out attacks against civil aviation infrastructure and service providers: in particular, they can affect air navigation and control systems, jam radar and communication systems, sabotage airport systems and hijack an aircraft remotely. The aeronautics sector (airlines, aircraft manufacturers, airport infrastructures and authorities) represents a major geostrategic interest and involves “a chain of considerable players that must be secured”.

According to a report by the US Department of Homeland Security (DHS), aircraft computer systems could be infiltrated remotely. As part of a DHS mission, researchers demonstrated at the CyberSat Summit (November 2016) that it was possible to hack a Boeing 757 during a test on the tarmac at Atlantic City Airport in New Jersey. The security experts succeeded in remotely penetrating the aircraft’s computer system (in a non-cooperative manner) using radio-frequency waves. Other examples of attacks on commercial aircraft by white-hat hackers are equally significant and alarming. In 2015, American security specialist Chris Roberts discovered vulnerabilities on about 20 aircraft and announced that he had managed to hack into them in mid-flight via their IFE (In-Flight Entertainment) computer system. Roberts had physically accessed the SEBs (Seat Electronic Boxes) that drive the aircraft’s seat screens. He then connected an Ethernet cable with a modified connector to take control, from his laptop, of other embedded systems such as the “Thrust Management Computer”, which manages the flight plan and the power of the aircraft’s engines. With hacks such as these, the aviation sector has become one of the sectors most prone to cyberattacks. Devices such as aircraft are therefore just as vulnerable as a mobile phone. This article explores the multiple avenues that make it possible to target aeronautics and highlights the different vulnerabilities and angles of attack that concern this industry, which cannot neglect cybersecurity.

Increased in-flight connectivity and data protection

With more and more aircraft connected, the number of gateways for attackers is increasing. Wi-Fi-equipped aircraft are notably more numerous than before, with 7,400 aircraft worldwide having a Wi-Fi connection compared to 23,000 in 2027, representing a 60% increase in the global fleet for Air France. These significant figures mark the arrival of the digital giants, who will see equipping aircraft as a godsend. However, this increase in connectivity does not guarantee better aircraft safety. According to Vincent Megaides, marketing and strategy director of Thales’ training and simulation activities, the lack of “norms and standards” is felt in the complex ecosystems that aircraft represent, a reminder of the need for certification. Connectivity is necessary and wanted, but it opens more doors for hackers.

In 2018, the in-flight connectivity market represented 3.36 billion, compared to an estimated 57.45 billion in 2028. An aircraft in flight carries dozens of computers, sensors and lines of software code, which record terabytes of data and deliver it to airports on arrival. It is for this reason that airports, and more generally the aeronautics sector, will exceed “the volume of data generated by the GAFAs” from 2022. The development of in-flight connectivity is a real issue and is driven first by the passenger experience.

New cyber risks associated with technological change?

Digital changes linked to new technologies have contributed to the emergence of new threats to the Internet of Things ecosystem. Aircraft are increasingly connected and communicating, in both their design and their commissioning. They are considered connected objects, especially those of the new generation, called “e-enabled aircraft”, such as the A380. The Airbus Group’s aviation security manager explains that “regulated and harmonized security is essential” for aeronautics. In the airline industry, “cybersecurity” is preferred to “cybersecurity” because this concept is more related to protection against malicious acts, intentional or not, and voluntarily exposing products. This safety concerns a whole range of products: aircraft, helicopters, launchers and satellites.

In flight, an aircraft’s industrial environment is “designed” so that its computer access points (ports) are closed and therefore inoperable. Even though the construction of an aircraft requires “embedded, partitioned and segregated architectures” and the so-called critical environments (cabin environment, internal means of communication) are not connected to each other, they remain singularly vulnerable. During production or assembly, industrial control systems (production and maintenance environments) represent a real weakness. They must be made more secure and be the subject of cooperation with equipment manufacturers during the design of the aircraft, along with the “integration of security with the supply chain”, because operations are increasingly computerized. Networked supply chains (“Value Webs”), which are increasingly connected, also bring additional cyber risks.

Technological change does not always serve security. The risks are multiplying and go beyond isolated risks such as theft or intrusions. Terrorist risks and drone intrusions have become just as important. The aeronautics sector is not only about aircraft in flight, but also about airports. Over nearly 50 years, 38 attacks have been recorded at more than 25 different airports, with a peak in the last two years with the attacks in Istanbul and Brussels in 2016, then Orly and Fort Lauderdale in 2017. In addition, ransomware attacks target airport infrastructure. This was the case with WannaCry, which hit Kiev airport in Ukraine in 2016. Airports also have to address several issues. Their challenges are to “increase their reception capacity” in the face of increasing passenger and freight traffic, but also to “protect infrastructures, people, operations and customer data”. The volume of data has increased considerably with the advent of the Internet of Things as a means of communication (sensors…). Airport structures must therefore process this data intelligently using connected objects, which makes Big Data and Smart Data a priority for operators. Protecting data and information systems depends on effective prevention of cyberattacks. Service providers are also affected at all public connection points. These interactions between internal and external systems also provide gateways for cyberattacks.

Proven cyber risks in flight and on land

The plane is an increasingly connected object and the risk of a cyberattack is very real. The digital and physical worlds are intertwined through the interconnection between the Internet and connected devices. The Internet of Things components implemented inside the devices offer more attack possibilities to attackers, who use Internet networks in particular.

Airports are also gateways for attackers. These attacks are generally not lethal, but they are a lucrative source of income or a platform for attackers voicing their demands. Bristol Airport in the United Kingdom has recently been the victim of ransomware that paralyzed internal screens and televisions displaying flight departures and arrivals. Last March, Atlanta’s Hartsfield-Jackson International Airport suffered the same attack and was forced to shut down its internal Wi-Fi network. Airport security systems are part of a network chain that contributes to the safety of the aviation industry. Because airports are highly visible, the impact of an attack on one is global and can paralyze an entire city. Airlines are very regularly targeted by hackers who do not hesitate to exploit vulnerabilities in computer security systems to obtain customers’ bank data. The airline Air Canada thus suffered a direct breach affecting more than 20,000 sensitive customer records.

The digital development of the aeronautical ecosystem has exposed more systems and increases the major and systemic risk factors. In terms of Application Programming Interfaces (APIs), we have gone from a system of application interconnections, each managed in a specific way in terms of network communication protocols, to companies that build APIs to “activate and accelerate the development of new services and offers (Cloud…)”. Collaborative platforms and cloud solutions have replaced integrated management software packages (ERP, or Enterprise Resource Planning). The risks of information leaks, whether voluntary or not, are therefore multiplied. The integration of technological systems into the airline industry is now carried out in a participatory ecosystem and “requires that the company acquire a real competence in terms of information systems architecture”. This mosaic system is de facto fragile and inevitably increases the risk of cyberattacks.

The challenge of securing subcontractors for the aeronautics sector has recently been illustrated by the cyberattacks that have hit Airbus since the beginning of 2019. The attackers directly targeted the aircraft manufacturer’s subcontractors in order to steal strategic data. Airbus’ supply chain served as a route into Airbus. The attackers are looking for all kinds of ways to hit the aviation giants. According to Kaspersky’s CEO, “an attack through the supply chain can reach hundreds of other companies by compromising only one”. Subcontractors Altran and Asco have been targeted by cyberattacks. Asco, the Belgian equipment manufacturer, was targeted by ransomware that paralyzed the plant for a week, while Altran was hit by malware that paralyzed 400 of its servers. Cybersecurity researchers have been highlighting it since 2018: attacks via the supply chain are a growing threat. Small and medium-sized companies are important targets for attackers. They are part of a chain that gives access to the major aircraft manufacturers. Thus, one company can become another’s weak link. The latest report from the French Network and Information Security Agency (ANSSI) deals in particular with the recent attacks on the aeronautics sector, particularly on service providers and design offices of European aeronautical manufacturers. The names of Airbus and Altran have been highlighted in connection with these recent cyberattacks carried out via these companies’ VPNs. ANSSI outlined the modus operandi of the attackers, who target the networks of service providers to recover data from their customers, in this case aeronautical groups. ANSSI describes their process as follows:

  • Exploitation of vulnerabilities in services exposed to the Internet;
  • The use of legitimate VPN accounts;
  • The use of remote access tools (PlugX malware) and/or backdoors;
  • The elevation of privileges.

Conclusion

At a time of digitization and multiplication of connected objects in this sector, and not only this one, the probability of attacks against the entire aeronautical sector is high. Digitization, which allows better maintenance and route optimization, generates a large volume of flight data: there are up to 100,000 sensors on the new flight programs. In addition, from closed systems communicating one-to-one, aeronautics has shifted to an interconnected and outwardly open ecosystem model. These new interconnections have therefore multiplied the opportunities of this sector but also the risks of attacks, as the platforms have diversified. The digitization of devices makes them particularly vulnerable to cyberattacks. By 2020, all Air France aircraft will be equipped with Wi-Fi and, worldwide, Wi-Fi connections will more than double. Finally, the sensors embedded in modern engines have increased and now number 5,000 at Airbus. Despite certain ISO safety standards adapted to the aeronautics industry, companies and manufacturers must agree on a methodology for analyzing and understanding risks for better safety. Boeing does not have the same “security culture” as Airbus, i.e. the same security management system (the Aircraft Security Management System, ASMS). Aerospace companies must control risks for each digital and embedded systems initiative and, according to Philippe Trouchaud, Cyber Intelligence partner at PwC, IT spending on security could increase from 6 to 15%. Cybersecurity is everyone’s business and requires, beyond cooperation, the security of all connected objects and IT systems in the aviation industry chain, starting with industrial subcontractors.

Sources: 

https://www2.deloitte.com/fr/fr/pages/manufacturing/articles/enjeux-cybersecurite-industrie-aeronautique-et-defense.html

https://www.pwc.fr/fr/industries/aeronautique-defense-securite/enjeux.html

https://www.pwc.fr/fr/decryptages/securite/aeronautique-ultraconnectivite-donne-des-ailes-a-la-cybersecurite.html

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-CTI-004.pdf 

https://www.01net.com/actualites/oui-il-est-possible-de-pirater-un-avion-de-ligne-a-distance-1304503.html

https://www.thalesgroup.com/fr/monde/securite/news/securite-et-cybersecurite-priorites-du-secteur-aeronautique