Shipping giant Maersk suffered close to half a billion dollars in losses in 2017 when it was infected by the NotPetya sabotageware. Maersk was not even a target of that attack. Could the same thing happen in aviation?
The realization is beginning to dawn on the aviation sector that, yes, it could. In the Maersk attack, the business was hit, not the vessels. But as security researcher Chris Kubeka reported last month, cybersecurity risks in aviation extend to planes in the air.
Modern aircraft are "flying data centers" that "travel around the globe," but the aviation industry poorly understands how to protect passengers from cybersecurity risk, according to a new report from the Atlantic Council on aviation cybersecurity.
Now, without fully understanding the risk, without the technical expertise to mitigate that risk, and without sufficient financial or regulatory incentives to do so, the industry is stumbling into the future, and hoping nothing bad happens while they figure things out.
If the aviation industry seems unprepared to meet this challenge, the new report offers insight into what's holding it back.
Risks and rewards of going digital
The aviation industry has leapfrogged ahead of security to reap the efficiency gains to be had from rapid digitization, and is now looking over its shoulder realizing security issues can come back to bite it at any moment, with consequences ranging from disruption of land-based systems, to malware infections of aircraft, or even — at the extremely unlikely end of the spectrum — a class break that affects hundreds or thousands of aircraft all at once.
A Luddite might say leaving analog behind was a mistake. But the efficiency gains from the shift to digital should not be underestimated, Pete Cooper, an aviation cybersecurity expert at the Atlantic Council, tells CSO, pointing out that aircraft safety has improved with more granular data collection. "For example, if data from a system means that you service it based off its actual operating life and not arbitrary dates/times, it can drastically reduce engineering downtime," he says. "Additionally, if that system data suddenly shows a high rate of wear (for example), then it means that it can be brought in early for checking based on condition."
Increased data collection also leads to more efficient flight paths, reduced flight times, lower fuel usage and CO2 emissions, and so forth, he points out.
The flip side of that coin, however, is the risk of a catastrophic cybersecurity incident. Unlike analog safety issues, such as a part wearing out or a flawed procedure that leads to pilot error, security issues, like the software they corrupt, scale. It only takes a single vulnerability for another Petya or NotPetya to happen.
Safety vs. security
Flying remains one of the safest ways to travel, and that's due in large part to continuous efforts to improve air safety. Cultural norms in aviation have rewarded and incentivized a whistleblowing culture, where the lowliest mechanic can throw a red flag and stop a jet from taking off if he notices a potential safety issue.
Contrast that with the often-fraught issue of reporting security vulnerabilities, where shame and finger-pointing and buck passing are the norm. The report highlights the problem, writing, "Across much of the cybersecurity landscape, there arguably remains a stigma about discussing cybersecurity vulnerabilities and challenges that go beyond managing sensitive vulnerabilities."
A wormable exploit or a backdoored software update — like the backdoored MeDoc software update that started the Petya worm — could cause safety issues at scale. It’s unclear that the aviation industry’s traditional safety thinking is sufficient to meet this challenge.
For instance, the report calls out the need for greater information sharing on aviation cybersecurity threats, acknowledging the risk of a Maersk-like scenario and observing rather drily that "other sectors have seen the scale and costs from a single vulnerability and 'wormable' exploit. Given the criticality of the sector, combined with disruptions that could scale rapidly, there remains much to do to understand the aviation-cybersecurity landscape."
The report also calls out the growing awareness that good-faith security researchers are needed but figuring out how to deal with them is causing some consternation in the industry. "There was strong agreement that good-faith researchers were a positive thing for the aviation industry, but perspectives on guidance, legal clarity, and ease of vulnerability disclosure all remain unclear or difficult to navigate," the report notes.
In the meantime, fasten your seatbelt and stow your tray table. We may be in for some turbulence before we get where we all want to go.