|Year : 2016 | Volume
| Issue : 1 | Page : 23-26
Cyber security in civil aviation
Adrie Stander, Jacques Ophoff
Department of Information Systems, University of Cape Town, Rondebosch, Cape Town, South Africa
|Date of Submission||08-Mar-2016|
|Date of Acceptance||26-Apr-2016|
|Date of Web Publication||7-Oct-2016|
Department of Information Systems, University of Cape Town, Rondebosch, Cape Town
Source of Support: None, Conflict of Interest: None
Introduction: A number of recent claims in the media suggest it is possible to hack into avionics systems and control aircraft from a distance. While cyber security is not seen as a critical issue in aviation at the moment, it is likely to become much more important in the future through the accelerated adoption of information technologies in aviation.
Objective: This study aims to determine if there are grounds for such claims. The aim of this paper is not to show how to compromise the information systems of an aircraft, but to indicate that this is not impossible and that vulnerabilities exist.
Methodology: Since experimental work in this area is difficult, for obvious reasons, an extensive literature survey was conducted in order to find material related to the subject. Most of the material found is of a theoretical nature and even where possible vulnerabilities were identified it is difficult to show that it could be exploited in real life.
Results: The study has found that steps are taken by aircraft manufacturers and controlling bodies to prevent the occurrence of such incidents. However, possible vulnerabilities exist and coordinated action is needed by the aviation industry as a whole, to determine and eradicate such vulnerabilities. Vulnerabilities are likely to increase with the move towards fly-by-wire aircraft.
Keywords: Aircraft security, cyber-attacks, cyber security, digital forensics
|How to cite this article:|
Stander A, Ophoff J. Cyber security in civil aviation. Imam J Appl Sci 2016;1:23-6
| Introduction|| |
Ever since the first hijacking of an airplane, security has been one of the most important issues in the airline industry, with large amounts of money spent annually on this aspect. While the aspect of cyber security was certainly not unknown in the industry, events during the year preceding the writing of this paper have raised questions about the safety of commercial airlines in the media. These events include claims that certain aircraft systems could be hacked and speculation that the disappearance of a plane from a well-known international airline could have been caused by such an incident.
Denials by spokespeople from aircraft manufacturers, that this is in fact not possible, can easily lead to the assumption that they are trying to hide something. This is not accurate, as manufacturers and other parties in the industry have acknowledged this through a number of initiatives and actions over an extended period. While it is certainly not impossible to compromise the systems in question, there are continued activities aimed at minimizing the possibility of such an incident.
While cyber security is not seen as a critical issue in aviation at the moment, it is likely to become much more important in the future through the accelerated adoption of information technologies in aviation.
The aim of this paper is not to show how to compromise the information systems of an aircraft, but just to indicate that this is not impossible and that vulnerabilities exist. Some of the examples used will show not only that manufacturers acknowledge the possibilities of a compromise but also that they address the problems.
These examples only serve to highlight a small number of the better-known vulnerabilities, but it is important to note that detailed information about many of the technical aspects related to aircraft is available online.
The research furthermore hopes to show that knowledge of this problem is important to the field of cyber security, as proper use of such knowledge can not only help to prevent such incidents, but it is also conceivable that digital forensic techniques might prove valuable after future incidents to provide information in addition to flight recorder data, about the cause of the incident.
| Background|| |
The first question that needs to be answered is if a cyber-attack on an airplane is indeed possible? Compared to typical commercial systems, the complexity of the systems on a typical airliner can be seen as highly complex. It is well known that commercial systems cannot be protected fully and for the same reason the assumption can be made that aviation systems also cannot be guaranteed to be fully protected if exposed to an intense attack.
The aircraft industry is certainly taking this very seriously, and the possibility of such incidents is supported by many applications to the Federal Aviation Administration (FAA) for changes in systems that also include measures to prevent such incidents, even if it is not always explicitly stated. Another example is the AIAA Framework for cyber security, showing that the industry recognizes the growing importance of this threat.
This situation is brought about by an increased reliance of avionics on a small number of well-known technologies from the information technology field. This includes Linux, Windows, IPV6, Ethernet, and others. To speed up development time, manufacturers also use “Commercial off-The–Shelf” software and hardware in the development of onboard systems, again adding to the potential risk as this means that the vulnerabilities of these technologies are widely understood.
Not only are there many interlinked systems involved, both on board and on the ground, the systems are also becoming more connected so that security problems in one system can have an effect on other systems.
In addition, there is a lack of coherence between the different groups working on these issues, and while knowledge of problems exist in pockets within the industry, it might not necessarily be known in the wider community.
Even if vulnerabilities are known, the implementation of countermeasures can take a long time in the aviation industry, as changes cannot simply be implemented without proper testing and certification for safety. Rolling out such changes to all affected devices can take a long time.
While determining the likelihood of a cyber-attack on an airplane would be nearly impossible to determine, it would be safe to conclude that it is not impossible that it could happen.
| Vulnerability Vectors|| |
The scope of this paper does not allow for a comprehensive list of possible vulnerabilities, and for this reason, only a number of possible vulnerable areas will be discussed. It only acts to show that these vulnerabilities exist and it should be noted that many of these problems are addressed by the relevant manufacturers.
The existence of many untested devices and long delay times might mean, however, that some problems might still exist. In addition, some protective measures might simply not be possible as can be seen from the following comments taken from an FAA change application:
”The design shall prevent all inadvertent or malicious changes to, and all adverse impacts***,” the wording “shall prevent ALL” can be interpreted as a zero allowance. According to the commenter, demonstration of compliance with such a requirement during the entire life cycle of the aircraft is quite impossible because security threats evolve very rapidly. The only possible solution to such a requirement would be to physically segregate the passenger information and entertainment domain from the other domains. This would mean, for example, no shared resources such as satellite communications (SATCOM) and no network connections. “***Maintained that such a solution is not technically and operationally viable, saying that a minimum of communications is always necessary.”
While the bias of this paper is toward commercial aircraft, indications are that private airplanes might even be more vulnerable since less control exists over the devices used onboard.
The following sections discuss some of the likely vulnerabilities. First, it looks at transmissions to the aircraft, then some onboard systems are discussed, and finally, human aspects that could have an influence are briefly discussed.
Global positioning system
The global positioning system (GPS) is a satellite-based positioning system using passive receivers of signals from 32 satellites. It is highly accurate, which makes it an attractive alternative to ground-based systems. The passive nature of GPS makes it vulnerable to replay attacks, and unauthenticated nonmilitary signals can be spoofed. Since a GPS attack needs to send a signal, ground-based attacks on airplanes would be detected by nearby receivers, making this type of attack unlikely.
Automatic-Dependent Surveillance-Broadcast (ADS-B) is the satellite-based successor to radar in aviation. It is based on the concept that every participant obtains their own position and velocity from on-board GPS equipment and periodically transmits a message with this information via the ADS-B Out subsystem. This information is then received by air traffic controls (ATCs) as well as other aircraft that is equipped with an ADS-B In subsystem.
Research has shown a number of security vulnerabilities in the ADS-B protocol, including eavesdropping, flooding, jamming, injection, modification, and deletion of messages. Since the protocol does not require authentication, message tampering with fairly unsophisticated equipment is relatively easy.
While large-scale jamming attacks might prove difficult, tampering with the ADS-B messages might be difficult to detect.
Traffic Information Service-Broadcast and Flight Information Service-Broadcast
Traffic Information Service-Broadcast (TIS-B) is an aircraft position reporting system using the same data format as ADS-B. It is transmitted by FAA ground stations and includes aircraft positions from radar-based aircraft tracking systems. This allows aircraft equipped with ADS-B to know about aircraft using a transponder only. Flight Information Service-Broadcast (FIS-B) provides several kinds of real-time information such as weather data, overlaid over an aeronautical chart, and time-sensitive pilot advisories. Like TIS-B, FIS-B is also a broadcast service provided by the FAA.
Both TIS-B and FIS-B show similar vulnerabilities as those in ADS-B. Since ADS-B, TIS-B, and FIS-B are all transmitted over an unauthenticated UAT link, all these technologies are vulnerable to spoofing as well.
Aircraft Communications Addressing and Reporting System
The Aircraft Communications Addressing and Reporting System (ACARS) is the air-to-ground data communication infrastructure used by most airlines to communicate with ATC, national aviation authorities, and their own operations centers.
They use ACARS very high frequency (VHF) and HF ground stations as well as SATCOM to send and receive ATC and airline operational control (AOC) messages. Depending on where the aircraft is, ACARS messages are routed through a global network of thousands of ground stations or satellite links that cover the earth. When the aircraft is over land, a network of VHF stations delivers ACARS messages. Over the ocean, a message can be delivered via HF data link ground stations, Inmarsat, or Iridium SATCOM.
AOC messages include takeoff and landing confirmation, weather information, gate information, and engine reports. ATC messages include navigation information, aircraft positional reporting, departure clearances, oceanic clearances, runway conditions, and weather data.
ACARS transmission is unencrypted and easy to decode as many websites such as Flightradar24 show. Using software-defined radio, it is conceivable that such data can also be transmitted, as was already shown in a simulated environment.
Flight management system
The flight management system (FMS) is the computer that keeps track of many aspects of a particular flight. This includes the courses, altitudes, and speeds involved in the particular flight from takeoff until the destination.
The FMS typically consists of a computer unit and a multi-function control display unit that acts as the human–machine interface. It provides the primary navigation, flight planning, optimized route determination, en-route guidance for the aircraft, and is typically composed of the following interrelated functions: Navigation, flight planning, trajectory prediction, performance computations, and guidance.
The FMS is linked not only to numerous onboard systems but also to external data links such as ACARS, navigation receivers, and surveillance systems, which makes it potentially vulnerable. It has been shown that it is possible to compromise the FMS in a simulated environment. This will be difficult to repeat in a real-life situation to determine the extent of the threat.
Much of the FMS input is under the control of the pilot and that major deviations from what is considered normal should be noticed and acted upon. The input from other systems is however not under the control of the pilot, and it needs to be determined if it is possible that subtle changes to these data can have an effect on the FMS without the pilot noticing.
Inflight entertainment system
The inflight entertainment system may not seem like a likely candidate for a cyber-attack, but closer inspection shows a number of vulnerabilities. The first being that it contains a USB port on the device underneath passengers' seats. These systems are also connected to a number of other devices including the FMS. In 2013, the Boeing company applied for a change to a type certificate to address this type of issue, showing that unauthorized access is a real possibility, be it intentional or unintentional. These systems use well-known technologies such as LAMP servers, Ethernet, and Android Clients. This means that the knowledge to commit an attack on these systems is readily available. Similar applications exist for other airplane models.
Electronic flight bags
Electronic flight bags (EFBs) act as electronic replacements for paper documents carried by pilots. It can include aeronautical charts, approach plates, aircraft manuals, and checklists. In its simplest form, it is not much more than PDF viewers for these documents, but more sophisticated versions that provide features such as interactive checklists.
The use of EFBs in air carriers requires FAA approval and regulations that prohibit the use of certain functionality such as “own-ship position” in this environment. These limitations do, however, not exist for general aviation.
As these devices are simple general purpose computing devices, it is vulnerable to the same threats as normal computers. If communication is established in any way between such a device and the aircraft systems, the possibility exists that a threat could be transferred. Such a device should, for instance, not be powered from a USB port on an aircraft device.
Vulnerabilities have been identified in certain SATCOM hardware devices. A successful attack on this type of device could impact a number of important systems, including the multi-function control display unit of the FMS. Of particular interest in the hardware that was tested is the vulnerability regarding access control of the device. While the research only tested one device, it is possible that similar problems can exist in some of the numerous other on-board airplanes.
The human aspect
A discussion of this nature cannot be concluded without reference to the human aspect. Some might argue that the pilot will always be able to detect anomalies and respond to it. While no research could be found in this regard, the question could be asked about what would happen if the changes are subtle or if a flood of alarm conditions are raised. Would a well-trained pilot even suspect that an alarm condition is not real and not respond to it?
It might also be assumed that the complexity of avionics systems makes it very difficult to compromise such systems. Security by obscurity is however not enough. It cannot be ignored that maintenance personnel have access to the equipment and that the access control of the devices might be compromised. It would be easy to upload malware to some devices, bypassing the need to gain access via network links.
| Conclusion|| |
From the discussion above, it would be hard to conclude that a cyber-attack on an aircraft is impossible. Since aircraft manufacturers have been addressing some of the issues over a long period, the likelihood of such an attack is probably very low, but it cannot be ignored.
Many factors, in particular, the accelerated use of interconnected information systems will increase the vulnerabilities in the future, and it is important that mechanisms are implemented to share knowledge about vulnerabilities among all parties involved in the industry.
It is also of critical importance that a process to roll out measures to eliminate vulnerabilities much faster is put into place so as to prevent incidents before the vulnerability can be exploited.
Financial support and sponsorship
Conflicts of interest
There are no conflicts of interest.
| References|| |
ICAO. “Cybersecurity for Civil Aviation,” in 12th
Air Navigation Conference, Montreal; 2012.
AIAA. A Framework for Aviation Cybersecurity; AIAA Decision Paper; 2013.
FAA. Special conditions: Boeing model 787 8 airplane; systems and data networks security – Isolation or protection from unauthorized passenger domain systems access. Washington; Government Printer; 2008.
Lundberg D. “On the Security of Cockpit Information Systems,” in 21st
ACM Conference on Computer and Communication Security, Scottsdale; 2014.
Strohmeier M, Lenders V, Martinovic I. On the security of the Automatic Dependent Surveillance Broadcast protocol. IEEE Xplore. 1553-877X; 2013.
Schafer M, Lenders V, Martinovic I. Experimental analysis of attacks on next generation air traffic communication. Applied Cryptography and Network Security. Springer, Berlin; 2013. p. 253-71.
Walter R. Flight management systems. In: The Avionics Handbook. Boca Raton: CRC Press; 2001.
Schuberth PA. Inflight entertainment systems and communication 101 (Presentation). Santa Ana, CA: IEEE Orange County Computer Society; 2011.
FAA. Special conditions: Boeing model 777 200, 300, and 300ER series. Washington: Government Printing Office; 2013
Santamarta R. A wake up call for SATCOM security. Technical White Paper; IOACTIVE Comprehensive Information Security; 2014.