AoC number
Primary domain
Description
With the national airspace system (NAS) increasingly interconnected to partners and customers both within and outside the U.S. government, the danger of cyberattacks on the system is increasing. Because of low-cost computer technology and easier access to malware, or malicious software code, it is conceivable for individuals, organized crime groups, terrorists, and nation-states to attack the U.S. air transportation system infrastructure. As of 2016, the aviation sector faced at least 1,000 cyberattacks per month, of various scales and complexities. Most vulnerabilities identified occurred in ground-based systems streaming up to the plane, although some I.T. experts have claimed they could hack a plane through its own in-flight entertainment system.
Securing the Next Generation Air Transportation System, or NextGen, is paramount. NextGen is the large-scale transformation of the NAS that will make the system more dynamic and flexible by enabling aircraft to fly more efficient routes. But NextGen also requires increased connectivity with commercial aviation entities and foreign civil aviation agencies, meaning more potential points of entry for cyberattacks. Even without malicious intent, the risk carried by these integrated cyber-systems is high. In May 2017, British Airlines suffered an IT failure which led to the cancellation of all flights from Heathrow and Gatwick; although it was not caused by a cyberattack, it still took days to fix and led to thousands of cancellations and delays. The importance of securing these systems from such failures and risks is paramount.
Computer and communications networks used in the NAS and NextGen, like networks everywhere, require new defenses against rapidly evolving cyber security threats. To help the Federal Aviation Administration address these threats, MITRE has developed the NAS Enterprise Information System Security Architecture. Meanwhile, the EASA started a program called AV-CERT for its member nations, with the goal of identifying and fixing holes in aviation cybersecurity. Mistrust and unwillingness to share information have compromised this effort, but the EASA will continue the initiative with its new program, the ECSP. Saudi Arabian airlines, meanwhile, are offering insurance and training to combat cyberattacks. Given the advanced persistent threat of a sophisticated cyberattack, and the commonality of such attacks already, further security measures must be considered.
The aviation sector now relies on computers for almost every aspect of its business. And with this growing reliance, the industry faces an increasing threat from cyber risk, including cyber terrorism, extortion, data breaches and network outages.
“In the next five to 10 years, cyber will become the biggest focus of the aviation industry,” according to Henning Haagen, Global Head of Aviation, AGCS. Cyber risks are not currently excluded in aviation insurance policies, however, the aviation industry and its insurers will need to develop their understanding of the risk to prevent losses and risk accumulation, he adds.
Potential hazard
- Cyber attacks on data links, databases, EFB’s and iPads and digital/ electromechanical systems, jamming resulting in loss of RF signals used for critical CNS functions and FADEC operation. Airport operations rely on computers to a huge degree, including for releasing aircraft for flight; therefore, cyber attacks can cause major disruptions to airline operations.
- Increasing sophistication and proliferation of explosive materials, biological/chemical toxic agents, and anti-aircraft weapons.
- Increasing frequency of distraction, glare and temporary flash blindness from easily available and low cost of high-power lasers
- There were 1527 laser pointer “attacks” on civilian aircraft in 2009. That number increased to 3,984 in 2014.
- Increased use of in-flight electronic devices and the Internet of Things weakens security against cyber-threats.
- Even without deliberate malice, server crashes and IT issues can lead to massive disruptions.
- Increasing complexity of necessary code means additional risks of loopholes and errors within that code, making it easier to exploit.
- In an increasingly global aviation market, system errors or attacks in one region can disrupt flight patterns around the world.
Corroborating sources and comments
February 1, 2015: Alaska B739 near Bakersfield on Feb 1st 2015, laser beam injures pilot
An Alaska Airlines Boeing 737-900, registration N431AS performing flight AS-249 from San Diego, CA to Portland, OR (USA), was enroute at FL360 near Bakersfield, CA (USA) at about 02:40Z (Feb 2nd) when the aircraft was hit by a green laser beam causing an eye injury to one of the pilots. The aircraft continued to Portland for a safe landing about 110 minutes later. The FAA reported a flight crew member received an unknown eye injury when a green laser beam hit the aircraft, flight AS-249, near Bakersfield, CA at 02:40Z (Feb 2nd).
Allianz Global Consulting Services (AGCS) reference: http://www.agcs.allianz.com/insights/expert-risk-articles/aviation-risks-of-the-future/
2014 – Penetration of Sony IT networks be hackers suspected of being in league with North Korea.
September 2013 France: Quantum-Safe-Crypto Workshop
This workshop brought together the diverse communities that will need to co-operate to standardize and deploy the next-generation cryptographic infrastructure, in particular, one that will be secure against emerging quantum computing technologies.
http://www.mitre.org/news/digest/aviation/01_11/nas_cybersecurity.html
4/20/2011 – Cyber intrusions increasing in frequency and success
http://www.gsnmagazine.com/node/23068
2012 Threats Predictions, McAffee, An Intel Company
Several new scenarios will emerge as well as some significant evolutions in even established threat vectors:
Industrial threats will mature and segment, Embedded hardware attacks will widen and deepen, Hacktivism and Anonymous will reboot and evolve, Virtual currency systems will experience broader and more frequent attacks
This will be the “Year for (not “of”) Cyberwar”
DNSSEC will drive new network threat vectors
Traditional spam will go “legit,” while spearphishing will evolve into the targeted messaging attack
Mobile botnets and rootkits will mature and converge
Rogue certificates and rogue certificate authorities will undermine users’ confidence
Advances in operating systems and security will drive next-generation botnets and rootkits
http://www.laserpointersafety.com/news/news/other-news_files/ba42eb9d90335f85f30c2bb056853328-162.php
The FAA has taken recent action (January 2012) to prototype and test devices for locating GPS spoofing transmitters with the intention of reducing that particular future threat.
http://www.euractiv.com/section/justice-home-affairs/news/hackers-bombard-aviation-sector-with-more-than-1000-attacks-per-month/ (As of 2016, the aviation sector faced at least 1,000 cyberattacks per month, of various scales and complexities. The EASA started a program called AV-CERT in response, with the goal of identifying and fixing holes in aviation cybersecurity. Most vulnerabilities identified occurred in ground-based systems streaming up to the plane, although some I.T. experts have claimed they could hack a plane through its own in-flight entertainment system.)
https://www.nytimes.com/2016/12/01/world/middleeast/saudi-arabia-shamoon-attack.html?_r=0 (Saudi Arabia’s aviation agency was attacked, via virus, to “disrupt high-profile government targets”. The virus deleted files from critical networks, allegedly disrupting aviation for several days.)
https://www.nytimes.com/2016/06/09/technology/software-as-weaponry-in-a-computer-connected-world.html (Overview of the omnipresence of internet in our lives, and the risks it may pose. Not just connected with aviation, but still incredibly relevant. Note in particular the increasing complexity of necessary code and the risks it presents. Also note that even world governments are taking advantage of loopholes code can provide.)
http://aviationweek.com/ebace-2017/insurance-against-cyber-attack-plus-biz-av-show-morocco (As of 2017, the Middle East Business Aviation Association is not only offering airlines insurance against cyberattacks, but also training and certification programs for cybersecurity. Other national associations are considering similar plans.)
http://www.bbc.com/news/uk-40069865 (Not a cyberattack, but a cautionary tale. In May 2017, British Airlines suffered an IT failure which led to the cancellation of all flights from Heathrow and Gatwick airports. It took several days to correct, and led to disruptions of the company’s servers, website, and app, not to mention thousands of flights.)
http://www.airtrafficmanagement.net/2017/03/european-fragmentation-hampering-cyber-effort/ (Despite the EASA’s efforts to start a cybersecurity platform, as of March 2017, individual nations are still struggling to coordinate their efforts. Problems include mistrust and an unwillingness to share information with each other. To that end, a second agency will be started, called the ECSP, with fundamental restructuring.)
Corroborating sources and comments
February 1, 2015: Alaska B739 near Bakersfield on Feb 1st 2015, laser beam injures pilot
An Alaska Airlines Boeing 737-900, registration N431AS performing flight AS-249 from San Diego, CA to Portland, OR (USA), was enroute at FL360 near Bakersfield, CA (USA) at about 02:40Z (Feb 2nd) when the aircraft was hit by a green laser beam causing an eye injury to one of the pilots. The aircraft continued to Portland for a safe landing about 110 minutes later. The FAA reported a flight crew member received an unknown eye injury when a green laser beam hit the aircraft, flight AS-249, near Bakersfield, CA at 02:40Z (Feb 2nd).
Allianz Global Consulting Services (AGCS) reference: http://www.agcs.allianz.com/insights/expert-risk-articles/aviation-risks-of-the-future/
2014 – Penetration of Sony IT networks be hackers suspected of being in league with North Korea.
September 2013 France: Quantum-Safe-Crypto Workshop
This workshop brought together the diverse communities that will need to co-operate to standardize and deploy the next-generation cryptographic infrastructure, in particular, one that will be secure against emerging quantum computing technologies.
http://www.mitre.org/news/digest/aviation/01_11/nas_cybersecurity.html
4/20/2011 – Cyber intrusions increasing in frequency and success
http://www.gsnmagazine.com/node/23068
2012 Threats Predictions, McAffee, An Intel Company
Several new scenarios will emerge as well as some significant evolutions in even established threat vectors:
Industrial threats will mature and segment, Embedded hardware attacks will widen and deepen, Hacktivism and Anonymous will reboot and evolve, Virtual currency systems will experience broader and more frequent attacks
This will be the “Year for (not “of”) Cyberwar”
DNSSEC will drive new network threat vectors
Traditional spam will go “legit,” while spearphishing will evolve into the targeted messaging attack
Mobile botnets and rootkits will mature and converge
Rogue certificates and rogue certificate authorities will undermine users’ confidence
Advances in operating systems and security will drive next-generation botnets and rootkits
http://www.laserpointersafety.com/news/news/other-news_files/ba42eb9d90335f85f30c2bb056853328-162.php
The FAA has taken recent action (January 2012) to prototype and test devices for locating GPS spoofing transmitters with the intention of reducing that particular future threat.
http://www.euractiv.com/section/justice-home-affairs/news/hackers-bombard-aviation-sector-with-more-than-1000-attacks-per-month/ (As of 2016, the aviation sector faced at least 1,000 cyberattacks per month, of various scales and complexities. The EASA started a program called AV-CERT in response, with the goal of identifying and fixing holes in aviation cybersecurity. Most vulnerabilities identified occurred in ground-based systems streaming up to the plane, although some I.T. experts have claimed they could hack a plane through its own in-flight entertainment system.)
https://www.nytimes.com/2016/12/01/world/middleeast/saudi-arabia-shamoon-attack.html?_r=0 (Saudi Arabia’s aviation agency was attacked, via virus, to “disrupt high-profile government targets”. The virus deleted files from critical networks, allegedly disrupting aviation for several days.)
https://www.nytimes.com/2016/06/09/technology/software-as-weaponry-in-a-computer-connected-world.html (Overview of the omnipresence of internet in our lives, and the risks it may pose. Not just connected with aviation, but still incredibly relevant. Note in particular the increasing complexity of necessary code and the risks it presents. Also note that even world governments are taking advantage of loopholes code can provide.)
http://aviationweek.com/ebace-2017/insurance-against-cyber-attack-plus-biz-av-show-morocco (As of 2017, the Middle East Business Aviation Association is not only offering airlines insurance against cyberattacks, but also training and certification programs for cybersecurity. Other national associations are considering similar plans.)
http://www.bbc.com/news/uk-40069865 (Not a cyberattack, but a cautionary tale. In May 2017, British Airlines suffered an IT failure which led to the cancellation of all flights from Heathrow and Gatwick airports. It took several days to correct, and led to disruptions of the company’s servers, website, and app, not to mention thousands of flights.)
http://www.airtrafficmanagement.net/2017/03/european-fragmentation-hampering-cyber-effort/ (Despite the EASA’s efforts to start a cybersecurity platform, as of March 2017, individual nations are still struggling to coordinate their efforts. Problems include mistrust and an unwillingness to share information with each other. To that end, a second agency will be started, called the ECSP, with fundamental restructuring.)