Aircraft have become increasingly more digitally sophisticated. That is a glaringly obvious fact. However, with that digital complexity comes an increased potential for cyber attacks.
So with Aviation Cyber Security such a severe issue, why does it appear like the aviation industry is falling behind other industries in regards to industry-wide cybersecurity strategies?
Last summer, in the sweltering desert heat of Las Vegas, Gerard Duerrmeyer, Norwegian's chief information security officer stood alone amongst a crowd of thousands, at one of the world's largest and most notable hacker conventions, DefCon.
Surrounded by pen testers, hackers, software and hardware engineers, law enforcement agents, and companies there to explore the latest in cyber technology, Duerrmeyer was the sole representative of the aviation industry.
For years, many other industries have embraced these types of hacker conventions. Testing their technologies against some of the best pen testers and hackers in the world, to gain insights on how to better protect their investments. In many cases, these conventions set a benchmark for what can be done to hack various systems—and subsequently, how to protect against just those types of attacks.
Behind closed doors
As the world becomes more driven by digital technology, the idea of forcibly pinpointing system weaknesses is becoming more of a standard process for cyber-security. Events like DefCon are setting the stage for representatives of many industries to allow "hackers" access to their systems and software, for the sole purpose of trying to probe for weaknesses, report their findings, and develop patches for those holes in security.
Events like these are not the only form of pen-testing a system for vulnerabilities, but opting out of them doesn't present questions. Can the industry stay on top of cybersecurity, if there is a general unwillingness to be open about potential security weaknesses?
The Aviation Village was the first of its kind during last summer's DefCon. To bring security researchers, and the public together under a common goal: To provide safe, reliable, and trustworthy air travel.
There wasn't much commercial airline presence— with the exception of Norwegian Airlines—but their credit, more governmental and military aviation agencies saw the opportunity in participating. The US Department of Homeland Security (DHS), the US Air Force, the Department of Defense's Defense Digital Service were all present to enhance their knowledge on aviation cybersecurity.
In-house security
That is not to say that airlines are being complacent in regard to cybersecurity. Quite the contrary. A surprising amount of cyber work is done in-house by the aviation industry. What is standing in the way of a greater industry consensus and community around preventing cyber attacks is the same thing that plagues many other areas of the industry: an aversion to openness.
That said, other industries have been embracing "industry-hacker co-operation" for many years, leading to events like DefCon growing from a simple hacker gathering in 1993 to a leading event frequented by some of the largest industries and governmental organisations in the world.
Aviation will again feature at this years 2020 DefCon in Las Vegas. So only time will tell if the industry will soften to the idea of allowing hackers – or "cyber-researchers" as they're sometimes called – access to the backdoors of their systems in an effort to expose any weaknesses.
Falling behind in setting industry standards
With the consequences of an aircraft cyber attack so high, why is there no unified industry standards for staying ahead of the threats?
It is just this year that the ICAO will publish the Assembly Resolution A40-10. It is a resolution which "addresses cybersecurity through a horizontal, cross-cutting and functional approach, reaffirming the importance and urgency of protecting civil aviation's critical infrastructure systems and data against cyber threats and calls upon States to implement the ICAO Cybersecurity Strategy."
While this is a fundamental step in the right direction towards a universal industry framework regarding cybersecurity, drafting the strategy is just the first step.
There will need to be a mindset change amongst many airline officials regarding cybersecurity to avoid the conversation losing momentum at the strategy stage— and never evolving into action. Cyber threats evolve at a rapid pace, and action is what is needed.
What more can airlines do?
New forms of cyber threats occur rapidly, so what can airlines do to keep themselves, their systems, and their passengers safe from cyber-attacks? There are industry toolkits that airlines can lean on for advice. IATA's Toolkit provides an analysis tool to help identify, assess & mitigate risk, as well as training seminars. The FAA is rolling out a project called Next Generation Air Transportation System, or NextGen.
But without including cybersecurity experts from outside the industry, is this enough?
Putting aside the argument for more open industry/hacker collaboration, it seems that the industry also is falling short in the recruitment of qualified people to fill cyber-focused roles. In an article with Flight Global, former pilot and now advisor to the UK Ministry of Defense, John Cooper said:
"Aircraft operations are different from normal enterprise IT security, and today cybersecurity tends to be viewed through an enterprise prism. So, most aviation companies are going to have to find an operations expert with the passion about cybersecurity to go through an "upskilling" process."
He went on to say that regardless of whether independent researchers—cyber-researchers, hackers, pen testers, or whatever you want to refer to them as —go through the process of joining an airline's cybersecurity team, they need to be embraced either way. Often times these individuals publish their findings about specific security weaknesses independently amongst their communities, because they do not have a direct line those whom there finding might benefit the most. And if an airline isn't privy to that community—due to lack of participation, well...
In other words, and as they say, hug a hacker. They're often not the perpetrators they are made out to be in popular media.