The notorious “WannaCry” and “Petya” computer attacks this year affected hundreds of thousands of computers around the globe and could ultimately cost affected organizations $4 billion.
Although airlines and the aviation industry were not specifically targeted in those cases, many were affected merely because their systems were susceptible to the vector of the attack – generally, unpatched systems (mostly Windows). Other cyberattacks – many deliberate – have caused computer outages, airplane groundings, disruption of the Air Traffic Control (ATC) system, and other interruptions of air transportation.
Given the ever-increasing complexity of the nation and world’s aviation system, the industry urgently needs to adopt a comprehensive approach to cybersecurity, according to Embry-Riddle cybersecurity expert Gary C. Kessler, speaking at the Safeskies Australia Conference in Canberra on Oct. 5.
“While it’s important that all members of the aviation industry understand their vulnerabilities and the adversaries that wish to exploit them, that should not be their focus,” Kessler explained following his presentation. “The best way to prepare is by taking an `all-hazards approach’ to managing the risks related to being part of cyberspace – that is, pay attention to the basics of cybersecurity, maintain due diligence, and mandate employee and user education ... and think like an attacker, rather than a defender.”
Cybersecurity “must be built into the design of every system,” added Kessler, a professor of Cybersecurity and chair of the Department of Security Studies & International Affairs on Embry-Riddle’s Daytona Beach, Fla., campus. “Current attack vectors range from airport operations, airline and reservation systems, and the aircraft itself, to cargo and shipping, manufacturing, and air traffic control.” Inflight Wi-Fi networks, for example, increase the cybersecurity risk posture of an aircraft, as well as unencrypted radio broadcast systems, and even Global Positioning System (GPS) devices, he noted.
During his presentation, Kessler reported on some past events that offer sobering confirmation of the risk. A cyberattack launched by a Russian hacker team called APT28 jammed Sweden’s air traffic control capabilities, grounding hundreds of flights over a five-day period in November 2015. Hacks into aircraft communications systems were suspected in the grounding of United Airlines planes in May 2015 as well as 10 airplanes at the Warsaw Chopin Airport the following month. In 2014, dozens of aircraft vanished from air traffic control systems in Austria, the Czech Republic, Germany and Slovakia – twice in a six-day period. The prior year, passport control systems at Istanbul Atatürk and Sabiha Gökçen airports were shut down by a cyberattack.
Kessler described various categories of cyber attackers, including cyber criminals who are motivated by money, cyber spies engaged in espionage, cyber terrorists driven by an ideology, and cyber warriors working on behalf of a nation-state to advance strategic geopolitical goals. According to Kessler, “We cannot underestimate our adversaries. You have to assume that an adversary knows everything about your network that you do ... and is smarter than you. That might not be correct but that's the way to bet.”
To date, he said, responses by the aviation industry have included A Framework for Cybersecurity, set forth by the American Institute of Aeronautics and Astronautics (AIAA) in 2013, which called for the establishment of common cyber standards for aviation systems, and the Aviation Information Sharing and Analysis Center (A-ISAC). The European Aviation Safety Agency, U.S. Department of Homeland Security and other federal agencies have also launched initiatives to try and respond to cybersecurity threats to aviation, as well as the International Air Transport Association (IATA) and International Civil Aviation Organization (ICAO), Kessler explained. Embry-Riddle has several research and outreach initiatives related to aviation cybersecurity within several departments at both the Daytona Beach and Prescott, Ariz., campuses.
In 2016, Kessler explained at the conference, an Aviation Cybersecurity Study supported by Rockwell Collins and Aviation Week Network found that aviation and airline stakeholders recognize the risk of cyberattacks, but there seems to be a lack of urgency. For example, only about 75% of the more than 750 respondents rated the cybersecurity risk at a level of 8 or above (on a scale of 1-10). While a third of the respondents reported that their organization mandates some cybersecurity training for all employees, another third reported that no such training is even made available to employees. And more than 40% reported that they neither follow any third-party security guidelines nor have any plans to.
“The global aviation system is complex and the components are all highly intertwined, offering a vast number of potential attack vectors,” Kessler said, in conclusion. “Everyone in the industry needs cybersecurity response, contingency and business continuity plans. Hoping for the best is not a plan.”
Embry-Riddle’s Department of Security Studies & International Affairs offers two undergraduate degree programs, in Homeland Security and Global Conflict Studies. In collaboration with Embry-Riddle’s Worldwide Campus, the department also offers two master’s degree programs in Cybersecurity Management & Policy as well as Human Security & Resilience. The department also offers a face-to-face and, in conjunction with the Worldwide Campus, an online minor in Cybersecurity, focusing on application and management of the cybersecurity process.