Eighty-five percent of airline CEOs have expressed concern about cybersecurity — a whopping 24 percentage points above CEOs in other industries, according to a recent report by PricewaterhouseCoopers. That’s because the aviation industry has to worry about more than just the theft of passenger data; it has to worry about customers’ physical safety.
Remember in 2015 when security researcher Chris Roberts claimed he hacked into a United aircraft’s inflight entertainment (IFE) system, issuing a “climb command”? While it remains unproven whether it actually happened, the prospect doesn’t surprise Hugo Teso, Head of Aviation Cybersecurity Services at F-Secure.
Teso, who gained his commercial pilot’s license in 2000 and has been working in cybersecurity for 17 years, caused somewhat of a stir back in 2013 with his presentation on aircraft hacking as part of the Hack in the Box security conference in Amsterdam. Since then, he’s presented research on topics from drones to ACARS, ADS-B and Air Traffic Management at a range of events also including 22, SEC-T and NATO’s CyCon.
He created F-Secure’s Aviation Cyber Security Services offering two years ago and has stayed with them since. Thankfully, he’s committed to making sure airlines are safe from cyber threats, and in this Q&A, he talks with UP about how and why carriers need to protect both themselves and their passengers.
Teso: No airplane will be hijacked or taken over by cybersecurity-related means any time soon; OEMs, regulators and manufacturers take care of that even before a new aircraft is designed. Instead, it’s an airline’s brand and business continuity that are threatened by cybersecurity [breaches], and operators are the ones responsible for protecting their fleets against any risk.
It is quite easy for a random attacker to, for example, compromise the web page that passengers use to access their inflight connectivity offering and, while such an attack won’t have any impact on flight operations, the consequences would end up in the media with very dramatic headlines. Such news would have a deep effect on passengers’ trust in the operator and, in aviation, trust is everything.
Teso: Suppliers (like Panasonic Avionics) are responsible for the cybersecurity of systems that will operate in diverse environments and that, every day, behave more like a framework than a closed product.
The industry is witnessing the slow but constant fade of separate aircraft domains due to increased connectivity, systems integration and cabin services such as IFEC and cabin-management systems. Systems placed in the most restrictive domains are being connected to non-certified devices such as pilots’ Electronic Flight Bags, as well as to the open world to increase productivity — so cabin systems are more exposed than ever to all types of uncontrolled devices.
The blurring of the aircraft domains with other devices means that suppliers and airlines are having to increasingly share the responsibility of keeping aircraft systems secure, and new consumer technologies mean they must ensure the security of products in an evolving environment.
Differentiation also makes the supplier’s job harder. No operator wants to offer the same services as other airlines if they can provide a better, more customized experience. These circumstances force suppliers to invest more in cybersecurity to cover all possible scenarios and, to some extent, prevent cybersecurity issues related to operator-specific developments.
Teso: For most of our customers, embracing cybersecurity for their aviation assets is still a management decision in the first place, as it requires long-term commitment from the company. As such, our advice would be to take that first step and include aviation cybersecurity in their planning for the following year and make sure the necessary resources are assigned.
The next steps depend on the specifics of each operator and the level of support they need. In any case, it is highly recommended to get a partner with experience in these processes to help avoid previous mistakes.
Security is an important element of the passenger experience, and regulators are taking note. Legislative bodies around the world are working to proactively address aviation cybersecurity; the European Centre for Cyber Security in Aviation is currently being developed by EASA, while in the U.S., senators reintroduced the Cyber Air Act for consideration earlier this year.