Cyber Wars

When the check-in services failed shortly after a high profile opening of a new airport terminal in June last year, the incident could easily have been written off by those inconvenienced as teething problems. But the industry knew better. It was in fact a malicious attack, writes Aimée Turner.

The incident which saw a total of 50 flights delayed and which caused knock-on delays elsewhere in the network was, in fact, nothing as innocuous as an embarrassing hiccough in the early days of the new terminal’s operations.

Following an investigation, three software engineers who worked for a sub-contractor found themselves accused of disrupting operations.

It turns out that when they didn’t get a pay rise, in a fit of frustration, they sabotaged the programme code.

The incident which featured in a paper presented by the International Coordinating Council of Aerospace Industries Associations (ICCAIA) at the ICAO 12th Air Navigation Conference cited this as an example of the devastating effect that a breach of an airport’s systems can have.

So serious does ICAO – the UN specialised agency charged with setting global standards for the aviation industry – view the risk of increasingly connected computer systems being targeted by malicious attackers that it has placed cyber security at the top of its list of strategic issues facing global air navigation.

ICCAIA – which groups together industries that develop and manufacture the hardware that keep aircraft flying – reckons that ICAO must take control and assume a top-down strategic approach to deal with the heightened potential cyber threat  at a time when data exchange between critical air navigation, control and business information systems is only going in one direction. That means setting up a Cyber Security Task Force responsible for a global security architecture where all parties are singing from the same hymn sheet and one that can deliver up to the minute guidance to help tackle the ever change nature of the threat.

Today, cyber security is held to be a relatively minor issue in civil aviation – but this is changing – and fast. The reason why stems from the pace and extent of new information technologies which is unleashing a proportionate risk of cyber attacks – both in number, quality … and effect.

Why? Simply because as ICCAIA sees it, the industry is relying on a small number of technologies such as Linux, Windows, IPv6  protocols and Ethernet.  These are common currency in the IT industry with the result that there is a pervasive understanding of these technologies’ weak points. Not only is there an increasing likelihood therefore that a discreet system fails, but one can expect a far more devastating domino effect. This would see a whole range of interdependent systems fail as air transport systems around the world start to be transformed over the next decades. A security lapse in one will likely affect many others in a daisy chan of damaged defences .

Faced with the theoretical potential for a cyber attack to affect multiple connected systems, ICCAIA evokes the volcanic ash crisis of recent years to press home the need for a coherent response. A cyber attack in a future interconnect air system could, it argues, have an analogous effect, shutting down air  travel across parts of Europe for several days – at a an estimated loss of 3 million euros in ATM revenues alone.

ICCAIA applauds the efforts of the many industry initiatives but judges them to be too fragmented and lacking the overall oversight and global framework leaving the potential for gaps, overlaps and inconsistencies.

“There is the potential for unforeseen systematic problems due to weaknesses in oversight. This is mainly due to a lack of coherence between the many groups working on cyber security, and a lack of expertise and understanding amongst those who might provide the coherence. Some knowledge of these problems exists within the industry, but knowledge of the big picture is more limited,” it notes.

The paper cites the work of Dr Andrei Costin who demonstrated earlier this year that with just $2 000 worth of store-bought electronics an ADS-B beacon could be ‘spoofed’ to show that a non-existent aircraft was coming in to land.

But the authors also point to other areas of electronic attack outside the obvious theatre of the terrorist such as the potential for an insider attack as in the case of the three software engineers who sabotaged the programme code of a new terminal’s operations.

One such cause for concern is the vulnerability of the GPS system in a world that increasingly relies on position, navigation and timing (PNT) services. “Too much reliance on GPS thus puts aviation services at risk if alternative PNT sources are not available,” notes ICCAIA.

Interestingly, ICCAIA also flags up the hitherto little mentioned vulnerability of the use of electronic flight bags by flight crew, remarking that it knows of incidents involving crashes or tail strikes when flight crew have made errors in calculating take-off performance parameters using electronic flight bags (EFBs).

“These were the result of human error, but there is the potential for the EFB programming to be corrupted maliciously (hacked), particularly when these devices are connected to external networks to receive updates,” says ICCAIA.

Within ICAO, some work is already underway with the ICAO Aeronautical Communications Panel developing global procedures for the aeronautical telecommunication network (ATN) to be based on the internet protocol suite.

“Although basic security provisions will be in place, resources need to be applied to developing a robust architecture that will adhere to the necessary cyber-security policies and practices. Of special importance are the associated Internet addresses and domain names, which will require both personnel and financial resources to secure and retain them,” notes ICCAIA.

In ICCAIA’s view, only an ICAO-led cyber security task force has the high level vantage point to close the potential for gaps, overlaps and incompatible standards. “What is required is oversight and coordination by ICAO; a recognised global authority is necessary to insure a viable resolution, facilitate the cost-effective use of limited resources (both in terms of people and funds) and also to resolve any parochial issues. To be fully effective, the solution for this situation must be globally applicable.”

Cyber Security featured as the cover story in Issue 4, 2012. Subscribe to Air Traffic Management today. Details can be found here.

Posted in Features, Security Tagged with:

Comments are closed.