By Jeff Zacuto, Director of Product Marketing, Commercial Aviation

Securing the Future of Aviation Through Improved Regulations and Cyber Resilience 

The aviation industry is a critical component of the global economy, which also makes it a highly visible target for cyber threat actors. A single event affecting any part of the ecosystem could have a rippling effect with dramatic consequences. The Aviation ISAC Annual Cybersecurity Summit last week in Orlando, Florida, brought together experts from across aircraft OEMs, airlines, regulators, and suppliers to reflect on the progress made over the last year on cybersecurity measures, and to address the hard work ahead to keep those consequences at bay.

“The aviation industry has become a vast landscape of interconnected systems, and new risks will inevitably continue to emerge.”

— David Pekoske, Administrator of the Transportation Security Administration (TSA)

Welcoming regulators to the stage

A common creed among attendees was “We’re all working towards the same goal,” which was made clear by representation not just from airports, operators, and manufacturers, but from regulators too. This was reportedly the first time A-ISAC had given regulators the stage at a summit, with keynotes presented by heavy hitters like Matt Hartman, Deputy Executive Assistant Director for Cybersecurity for CISA, and David Pekoske, Administrator of the Transportation Security Administration (TSA).

Their participation in the summit is indicative of the growing eagerness of regulators to work with operators and OEMs in a more open and inclusive environment. “There’s great concern for the unknowns,” Goldstein said. “The aviation industry has become a vast landscape of interconnected systems, and new risks will inevitably continue to emerge.” Pekoske echoed that sentiment, saying “Today’s airplanes are extraordinarily powerful, complex computers with wings. And it really requires a community approach to help secure these critical assets.”

This public-private partnership also comes at a time when threats to organizations within the aviation ecosystem are escalating. Most recently, the Russian hacking group Killnet targeted and took offline 14 US airports. Just prior to that, hackers targeted Portugal’s TAP Airlines, stealing and publishing customer data. As the threats grow, these newly strengthened partnerships are an encouraging sign that the most critical constituencies inside the aviation ecosystem are working together to make air transport efficient, reliable, and most of all, safe.

Operators need better alignment between global regulators

There are many disparate governments across the global aviation ecosystem. And with more regulatory involvement across the industry, and across the world, there are bound to be conflicts, redundancies, and confusion. We can’t drive common solutions if we don’t have a common understanding of the problem.

As such, more than one session mentioned that more cross-functional collaboration is needed across the world’s regulatory bodies, trade groups, and working groups like the Aviation-ISAC. One example is ensuring that groups like Airlines for America (A4A) and the Aerospace Industries Association (AIA) continue working together to identify and share the nuances of aviation regulations emerging from the European and American regulatory bodies.

Working together, these groups can help highlight differences in regulations and reporting requirements, with a goal of enabling greater coherence and coordination between regulatory requirements. And with better alignment, the overall security objective can be applied consistently across the globe, bringing common solutions across the space.

Operational technology risks come into focus

Over the last several years, we’ve watched the headlines as threat actors moved from IT systems to Operational Technology (OT) systems in critical industries like manufacturing and the energy sector. The aviation community, including civilian oversight agencies like CISA, is keenly aware that adversaries are targeting OT systems today. Combatting these threats requires a coordinated approach among all members of the aviation ecosystem, and should include a common, baseline framework across all critical industries.

The Biden Administration’s National Security Memorandum (NSM), “Improving Cybersecurity for Critical Infrastructure Control Systems,” includes cybersecurity performance goals (CPGs) that are voluntary, high-impact security outcomes and associated actions for critical infrastructure owners. These CPGs address common adversary tactics to help reduce risk to both IT and OT systems. They are designed to be used with the NIST Cybersecurity Framework (CSF) as a comprehensive program to drive organizational maturity and alignment with risk tolerance.

“What I’m particularly excited about is that this is the first US government effort to provide stakeholders with a simple, distinct, and actionable set of security outcomes and measures to achieve a basic level of cybersecurity capability across both IT and OT assets,” said CISA’s Matt Hartman. “These CPGs can be thought of as a quick start guide — a place to start driving and prioritizing investment towards the most critical practices across both IT and OT environments.”

More data is good, but quality data is better 

Having access to more data is certainly helpful, but more data can also create more noise. Automating a way to separate the noise from valuable insights was the topic of several breakout sessions at the summit. In particular, a breakout panel, “Finding & Mitigating Cyberthreats to Aviation Using the Latest Data Science Methods,” discussed the future of using Artificial Intelligence to determine the right data sets, and Machine Learning to identify the threats.

AI and ML are more than just trendy buzzwords. Today, they can be used to streamline making meaningful sense of large datasets. Examining security logs alone isn’t enough, which is why it’s so important today to collect data with cybersecurity in mind to help identify potential threats early. Having that content is really helpful. The trick is to ensure sensors are positioned correctly on aircraft and within the ecosystem to collect the right data, especially to get the industry to a place where we can have a true intrusion detection system.

Penetration testing remains elusive

The ever-elusive, penultimate enabler of aviation vulnerability assessment, penetration testing, was discussed several times during the summit. However, pen testing is lamented as too difficult, too costly, and too fraught with airworthiness complications for operators to take on themselves. Still, even in the face of those challenges, the value and benefits of pen testing aircraft can’t be ignored.

“It’s not better not to test,” explained presenter Teresa Merklin, a fellow at Lockheed Martin working for its Aeronautics Cyber Range. “A latent vulnerability is there whether or not it’s been detected. Security researchers are sitting out there looking for that thing, and if they look hard enough, they will find it because they’re nation-state adversaries. They’re going to find it.”

Another complication Merklin highlighted was that if pen testing turns up a vulnerability in the development phase, it can introduce costs to mitigate, or it can delay a program indefinitely. But if a partnership between operators, OEMs, and regulators could turn up fixable vulnerabilities in a platform early in its development, or even soon after it is deployed, that gives the industry an opportunity to get ahead of threats by building intelligence and instrumentation that can help it see and mitigate threats more effectively.

Growing embrace of the research community

One of the more surprising developments of late has been the industry’s embrace of white-hat threat researchers. We first noticed this budding partnership between researchers and the broader ecosystem earlier this year at DEF CON 30 in Las Vegas, Nevada. There, Boeing shared the stage with threat researchers who gave a presentation about vulnerabilities they had found in Boeing platforms, and their joint efforts to mitigate those threats.

This is a welcome about-face for an industry that’s traditionally been hesitant to publicly acknowledge threats to its ecosystem. The willingness of OEMs like Boeing to recognize the value of researchers looking at their products and to acknowledge their questions marks an important turning point for aviation security and safety. In fact, Boeing says it’s created a council for researchers and other external parties to collaborate on different aviation ecosystem challenges.

In this way, the aviation industry is slowly mirroring similar relationships between threat researchers and organizations in other critical industries, like healthcare, manufacturing, and the energy sector. Partnerships in these industries have uncovered and mitigated many critical vulnerabilities, and will no doubt yield tremendous benefits for the aviation industry as well. For example:

  • August 2022: Claroty’s Team82 disclosed Evil PLC, a novel attack that uses PLCs to exploit engineering workstations to invade OT networks. 

  • June 2022: Forescout’s Vedere Labs disclosed Icefall, 56 vulnerabilities affecting 10 operational technology (OT) vendors. 

  • November 2022: Medigate Labs disclosed Nucleus, 13 vulnerabilities that can be used to take over, crash, or leak information from medical, automotive, and industrial devices.

  • August 2021: Armis researchers disclosed PwnedPiper, 9 vulnerabilities that an attacker can use to take over critical hospital equipment. 

What comes next? 

As the aviation industry continues recovering from crippling post-pandemic conditions, it’s imperative to focus on enacting cybersecurity measures that help protect that progress. The energy to do so was palpable among the summit’s participants, all of whom appeared committed to the common goal of cyber securing the entire ecosystem. Taking into account the solid progress that has been made over the last year, and the enthusiasm for more collaboration between public and private organizations, the industry seems to have a strong foundation to better secure the future of aviation. 
