
In May, SAS Scandinavian Airlines suffered a cybersecurity breach in which the attackers reportedly demanded a ransom of $175,000 to enable the carrier to restore full operations. Cyber attacks on major U.S. airports are becoming increasingly routine, with both Los Angeles International and Orlando International airports hit in 2022.
The aviation ecosystem is vulnerable to cyber attack, and regulators are scrambling to develop standards and rules requiring airlines and airports to beef up protections.
The U.S. Transportation Security Administration (TSA) in March said it was taking “emergency action because of persistent cybersecurity threats against … the aviation sector.” It promulgated a new emergency amendment related to “cyber security resilience” for airlines and airports.
“I think there’s a lot of great work going on—I’m involved in some of it myself—in writing standards,” Bill Bryant, a technical fellow with Modern Technology Solutions (MTSI) who specializes in aviation cybersecurity solutions, told Avionics International. “That’s all wonderful. But we can’t expect too much of it. We can’t expect that we will ever be able to write a completely perfect standard that will make airplanes and airlines unattackable. Because, whatever approach we took, attackers will come around and come in another way. It doesn’t mean stop [developing standards and regulations]. It just means you’re never done. Because when a solution closes one hole, attackers are going to try to create another one.”
TSA has ordered airlines and airports to “develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised.” According to TSA, airlines and airports need to develop a cybersecurity plan creating “access control measures to secure and prevent unauthorized access to critical cyber systems.”
In addition, airlines and airports have been directed by TSA to implement “continuous monitoring and detection policies and procedures to defend against, detect and respond to cybersecurity threats and anomalies that affect critical cyber system operations.”
Airlines and airports are also directed to “reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology,” according to TSA.
Bryant said cybersecurity attacks on aviation are becoming more frequent, including a number of specific attacks against airlines and airports that are in the broader realm of ransomware attacks.
“There is a pretty big wave of ransomware attacks where malicious actors will get into a system and they will steal the data for themselves, and then they will encrypt the data on the drives or in the storage system,” he said. “They will try to get to the backups as well as they can. And then ask for a ransom.”
“It seems like about weekly there’s a story of some particular airline getting hit with one of these types of attacks,” he added. “Airlines have a lot of those traditional IT systems: ticketing systems, logistics systems, and maintenance systems. Attackers like going after organizations that have real difficulty saying no. So, if you’re an airline, and you lose your ticketing system, how long can you be down? And the answer is probably not long. So there’s going to be tremendous pressure for them to pay up, whereas other types of organizations may be able to survive better without their systems for a longer period of time.”
Bryant said airlines are used to closely following redundant safety regulations that prevent a catastrophic scenario, and that mindset can be applied to cybersecurity, with a caveat.
“There’s a fundamental difference between safety and security,” he said. “They have many, many similarities and you actually use many similar analytical tools and then similar approaches. But with safety, you’re normally worried about random events. The lightning strike is not directed. It happens to hit this airplane, but not that airplane. It’s essentially random. Cybersecurity is different because you have a thinking attacker. If I put a better firewall at point A, attackers are going to go around to point B or C or D or E. It’s a much more dynamic, challenging environment.”
Bryant said that there are four pillars to developing a strategy for preventing cyber attacks on aviation systems. First, airlines and airports need to harden their systems to “make it as hard to attack as possible.” This mostly involves traditional security strategies like using strong passwords, putting up firewalls, and making it difficult for an attacker to get into any particular system, he said.
Second, organizations must expect to be attacked.
“You assume that they are going to get through,” Bryant said. “You assume that your hardening pillar is going to fail because historically we know it probably will. So, then you also build in damage tolerance. Regarding safety, you build an airplane so that the wings can handle the expected stress plus about 50%, so that if you have to fly into a thunderstorm, the wing structure can handle it.”
“You do the same thing with cybersecurity,” he added. “If an attacker gets in, you need to make sure you can still function, you can still accomplish at least your minimum mission. For an airliner, for example, that would be returning all the passengers and crew and the airplane safely to the ground. So, if somebody cyber attacked your airplane, you can switch to backup modes so that you can recover safely. That’s damage tolerance. You have to be resilient to attacks.”
Next is defensibility, which Bryant said is an area “that I don’t think enough people are talking about.”
“Attackers are dynamic and they will come at you in different directions. The key way you address that is with dynamic defenders,” he said. “A big organization that’s serious about cyber security has cyber defenders who are monitoring the networks, watching for attacks, watching for anomalous traffic. But you can’t just roll up to a modern airliner and take a set of cyber defensive tools and plug them in. So, all those capabilities to watch for adversaries, to look for anomalous behavior, are going to have to be built into the baseline of the system. We’re not there yet. But we’re starting to get there. People are starting to build those capabilities into platforms.”
The fourth pillar is recoverability, according to Bryant.
“Once you’re attacked, how quickly can you respond? How quickly can you get the system back up and running in a way that is safe and that you are confident that whatever bad thing somebody was able to do to you is no longer there?” he said.