By Jeff Zacuto, Director of Product Marketing, Commercial Aviation
After more than two years of a pandemic that nearly destroyed the airline industry, travel is roaring back. At no destination has that been more evident to me than at DEF CON 30 in Las Vegas. Aptly named the “Hacker Homecoming,” this event had everything — biohackers, space suits, utilikilts, and furries — and although my interest was high in every session and village, the Aerospace Village was my ultimate focus. After several days of navigating the standing-room-only crowd, I left Vegas with a few important takeaways about the state of cybersecurity in the aerospace industry.
Cybersecurity in space is a real and growing concern.
Securing space flight, spacecraft, spaceports, and space passengers were hot topics. That’s not surprising, given the dozens of space tourists who’ve traveled to the stars and back in the last year, the recently established and growing Space Force, and concerns around how space assets like Starlink could affect the War in Ukraine. Space and aviation assets also share many common security concerns: signal spoofing and jamming, the need for cyber-situational awareness, and the inextricably linked and poorly secured operational technologies (OT) that power the space ecosystem.
The excitement for securing the next frontier was palpable and appreciated, and you couldn’t miss the prominent presence of the Space ISAC, Blue Origin, and SpaceX in the Aerospace Village. Their participation signals an openness of the space industry’s manufacturers to engage with the broader cybersecurity community, which hopefully results in addressing cybersecurity concerns earlier in the manufacturing process.
But while space now plays a larger role in our overall critical infrastructure protections, and the burgeoning interest in securing the stars is excellent news for the future of space travel and space-based business, we still have a long way to go to tackle securing the aviation ecosystem under the stratosphere.
Attacks on legacy aircraft are getting progressively easier.
Landing an A320 in the DEF CON 30 Aerospace Village.
There are several enormous orders for new aircraft to replace legacy aircraft over the coming years, but manufacturers will deliver only a few of these in the near future. The problem from an aviation cybersecurity perspective is that when manufacturers designed older, legacy aircraft and the OT components that keep them in the sky, they did so without considering cybersecurity concerns.
Meanwhile, operators are busy extending the lives of legacy assets by retrofitting aircraft with new interiors and deploying new technologies. Customers who demand better flight experiences will no doubt be pleased by this, but it also worsens an existing and growing problem. And as the global fleet of in-service commercial aircraft ages, it becomes increasingly more exposed to cyber risks.
There are a handful of reasons for this. First, the software used by systems and components on legacy commercial aircraft is notoriously difficult to update with fixes and security patches. What might be patched in the IT world in days or weeks could take months or even years in aerospace—if they get addressed at all. Second, bolting new technologies onto legacy aircraft further complicates the maintenance and security of an intricate web of systems and suppliers in the aviation ecosystem. Lastly, and perhaps most concerningly, the gap between vulnerabilities and patches, coupled with the extended in-service life of aircraft, enables bad actors to advance their skills over time.
“Adversary capability is highly dynamic, so any adversary that persistently invests resources in offensive cyber capabilities will become more advanced over time,” said presenter Teresa Merklin, a fellow attached to the Aeronautics Cyber Range at Lockheed Martin. “If you consider the long service lives of the platforms we’re protecting, it’s silly to think that the adversary’s capabilities will remain a fixed value.”
“If you consider the long service lives of the platforms we’re protecting, it’s silly to think that the adversary’s capabilities will remain a fixed value.”
Today, operators actively balance the need to cyber-secure legacy assets while planning security for their new connected aircraft. “United has been transforming its security program from just data protection to cyber resiliency,” said Deneen DeFiore, Vice President and Chief Information Security Officer at United Airlines. “Building a framework that can be resilient so that your business can operate and come back is really important.”
We must get much better at sharing more cyber information.
The lack of transparency between manufacturers, suppliers, operators, regulators, and the cyber community was mentioned several times on stage and on the village floor. Manufacturers and suppliers have detailed security information about the systems they develop, but they hold those details close to their chests. Often, these details include confidential intellectual property or sensitive threat information, which surely makes sharing them more difficult, but not altogether impossible.
“Everyone is working towards a common goal,” said Olivia Stella, a senior systems engineer at Southwest Airlines, focused on aircraft and OT cybersecurity. That mission is challenging for operators who bear regulatory responsibility for securing aircraft systems and the safety implications that failing to do so could create. They’re starved for aviation cybersecurity information, creating a situation that frustrates security professionals and exacerbates the widening security gap for legacy aircraft. It also handicaps the broader aerospace cyber security community, which has no access to the information or resources it needs to discover, responsibly disclose, and thereby help mitigate vulnerabilities on aircraft.
That could be changing, though. Aircraft manufacturers are beginning to open up to the cybersecurity community. Boeing hosted an ARINC 429 lab providing attendees with hands-on experience with the most common serial data bus protocol found on modern commercial and transport aircraft. Sean Sullivan, Chief Engineer for Cabin, Network Systems, and Product Security at Boeing, presented the basics of aircraft networks and security design. Boeing also enabled vulnerability disclosures in the Aerospace Village — which was virtually unheard of at past DEF CONs.
Perhaps soon, airframers and avionics manufacturers will welcome the hacker community onto airplanes in the same way that Tesla embraces hackers who help verify the security of their cars. Only time will tell.
Regulators are catching up with new aircraft technologies.
The latest regulatory guidance for cyber securing connected commercial aircraft is over a decade old. Since the FAA published Advisory Circular AC 119-1 (among others), the technology landscape across the entire aviation ecosystem has evolved. Today, it resembles modern-day enterprise cyber environments more closely.
Tim Weston, Director for Strategy & Performance in the Transportation Security Administration’s (TSA) Office of Strategy, Policy Coordination, and Innovation, said TSA is leading the charge as the primary cyber-regulating authority for aviation. In fact, new guidance for the aviation industry, similar to TSA’s published guidance for pipelines and rail, may drop soon. Rebecca Ash, a strategy and performance analyst with the TSA, said help on that front is coming, too. Federal agencies, including CISA, are working on improving reporting processes and getting actionable threat information out more quickly, she said — a welcome improvement for everyone involved.
A significant component of any new regulation is harmonizing the baseline for what cyber security looks like for commercial aircraft. That’s a complicated problem, though. There are over 25,000 commercial aircraft flying today, and every aircraft’s data and behavior are unique. Without a way to collect and interpret that data at scale, regulators and operators will be challenged to understand, let alone see, a massive, growing, and uncertain threat landscape.
For more information about Shift5’s technology and operational intelligence for commercial aircraft, visit Shift5 for Aviation. Follow Shift5 on Twitter and LinkedIn.