From IATA to airlines and suppliers, everyone in aviation is concerned with ensuring that growing threats from cyberterrorists and the criminal element pose no threat to operations, financial stability, and safety.
During IATA’s Annual General Meeting in Dublin, the industry was alerted to the scope of cybersecurity threats to commercial aviation. It was a sobering talk, but it represented only one element in the ongoing battle against cyberthreats in which airlines, like all travel companies, and all industries, are entrenched.
Tony Tyler, director general and CEO of IATA, said: “The challenge of maintaining the security of systems grows relentlessly.”
First line of defence
He continued:
“We use IT solutions to design aircraft, sell tickets, process passengers, roster our crew, fuel our aircraft, manage flight operations, assign gates, guide air traffic, and even to entertain and connect our passengers in flight. And even this long list is only a very partial view.
“Additionally, we have to keep sensitive personal data secure—on our passengers, crew, employees and business partners. Equally sensitive are our financial transactions in a world that is increasingly paperless. Then there are issues of theft—including intellectual property, personal identity or simple fraud scams.”
IATA offers members a Cybersecurity Toolkit, and advocates for appropriate regulation and increased cooperation within the industry and with government bodies. A dedicated IATA working group collaborates directly with IATA itself, the International Civil Aviation Organization (ICOA), airports association (ACI), the Civil Air Navigation Services Organisation (CANSO) and the International Coordinating Committee of Aerospace Industries Associations (ICCAIA).
“Our first task is the development of a Civil Aviation Cybersecurity Action Plan,” Tyler said. One step towards that action plan took place this past week as IATA’s working group and ICAO drafted a policy statement which calls on states to take specific actions to protect airlines and all of the civil aviation infrastructure from threats.
Helpful hackers
During his speech in Dublin, Tyler said that airlines are making technology investments “to stay ahead of those who would make them a target.”
At least one airline has taken a creative approach, following the best-practices of technology leaders such as Apple and Google.
United, which was plagued by systems malfunctions as a result of integration last year, challenged the hacker community to test the integrity of its computer systems. A 19-year old Dutch hacker, Oliver Beg, reaped the reward of one million United MileagePlus miles (roughly a $25,000 bounty) for identifying 20 security flaws.
Suppliers to the industry are as concerned with and affected by cyberthreats as the airlines themselves and have taken actions to protect their systems and their airline customers.
Panasonic this month coordinated a special Hack-a-Thon event during DefCon to enlist the help of the white-hat community in identifying potential risks to their systems.
When asked what it had learnt from the process, Panasonic's director of security engineering Michael Dierickx said:
“Our focus centred on our wireless eXW platform, which uses our In-Flight (IFAPI) software architecture. We chose this system first because our customers want more opportunities to interface with our IFE system, and IFAPI is our gateway.
"While our program's initial focus is on IFAPI, and our ultimate goal is to include all of our systems. During the event, we were able to open up a nice dialog and even find some things to approach a bit differently.
"And the good news for Panasonic and its customers is that nothing was found that could impact the security of an IFE system onboard an aircraft.
“Since we’ve returned, the level of interest to participate has been beyond what we could have hoped for. However, since our system is such a unique platform, we want to work closely with HackerOne and researchers to make sure our process is successful. Our ambition is that after six months to a year, we will open the program to the public.”
But reaching out to the hacker community, Dierickx says, is only one part of Panasonic’s overall cybersecurity strategy.
“We have always taken a proactive approach to security...We have extensive processes in place to identify potential and emerging vulnerabilities, and we also engage with security consultation firms who provide penetration testing and other services.
“Still, the Internet of Things is now a part of our everyday lives, and as technology advances so do the potential threats.
“The hacker community brings a fresh perspective and innovative ways to search for potential issues. We want to harness this out-of-the-box thinking and create a win-win scenario that rewards both Panasonic and this community for our hard work and dedication".
Big data, big money
Panasonic is not alone in taking action. In fact, the industry’s suppliers, especially in the technology and communications space, have customers beyond aviation which require them to maintain high levels of security.
Thales, which provides aviation with a host of technology solutions ranging from avionics to communications, in-flight entertainment and cloud-based data storage, is one example. Like Panasonic, the company is concerned with reassuring airlines of systems integrity and also of ensuring that the vulnerabilities of whichever combination of their products airlines use is protected against cyber threats.
Speaking at a dedicated cybersecurity panel at the IATA Dublin AGM, Thales VP and CEO of US operations, Alan Pellegrini, addressed the importance to airlines of securing their big data assets, namely the data which passes between operational “nodes” and within the aircraft.
Security requires what Pellegrini describes as “an evolutive approach to data protection.”
While no one in the industry underestimates the level of threat, some claims of the vulnerabilities of aviation systems may also be exaggerated. Pellegrini notes:
“There have been some very grandiose and highly publicised claims made by hackers or self-proclaimed security experts of late, [such as] the possibility of hackers taking control of aircraft by hacking into connected IFE systems or even avionics.
"Thales has helped several investigative bodies on such matters including the FBI, and whilst these claims turned out to be untrue, we naturally take security very seriously and we continue to monitor and evolve our response to any threat,”
“One thing we need to remember is that there is a whole host of technologies and a number of ways to protect oneself but there is no silver bullet. We must continuously monitor threats as they materialise.”
Meeting demanding clients' needs
Another industry supplier ViaSat, which like Thales and Panasonic provides inflight connectivity services to the airline industry, has a strong encryption and security focus, working with government and intelligence applications.
The company recently announced that it will provide communications which will power fully functional situation rooms in the sky for the US government's Air Force One aircraft fleet, as well as other military planes. It also recently received NSA certification on new powerful encryptors for military and intelligence applications.
"For decades, ViaSat has been safeguarding US government, military and defence missions by securing classified information sent over IP," says Jerry Goodwin, chief operating officer of the government systems division, ViaSat.
For commercial aviation, the enemies are constantly at the gates, but powerful friends are also guarding them.
Related reading from Tnooz:
Delta’s outage is an airline industry wake-up call (Aug 2016)
Cyber security moves up the airline agenda as threats are no longer an if (June 2016)
Should airlines offer bounties to hackers who find security flaws in avionics? (May 2015)
NB Image by Lucasantilli/Big Stock