Ultra Electronics 3eTi

FAA Chided on Air Traffic Cyber-Risk: Some Experience-Based Observations

March 9th, 2015 / By

As a primary 3eTI contact for clients with US defense agencies, I am often asked to weigh in on cyber-threat stories that appear online and on broadcast news programs. We have long been in the business of helping secure critical systems and infrastructure for Army, Navy, DHS and other organizations, so I took particular interest in the reports recently of the Government Accountability Office warning that “FAA Needs to Address Weaknesses in Air Traffic Control Systems,” released to the public March 2.

The report cited FAA for not fully implementing its agency-wide information security program as required by the Federal Information Security Management Act of 2002. GAO recommended that FAA take 168 specific actions to address weaknesses in security controls. The recommendations were included in a separate report “with limited distribution.”

Some of the steps were identified in trade and federal publications, including those published in Security Week:

  • Finalize the incident response policy for ATO (Air Traffic Organization) and ensuring that NAS (National Airspace System) system-level incident response policies specify reporting timelines.
  • Establish a mechanism to ensure that all contractor staff complete annual security awareness training.
  • Ensure that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively.

While the recent news seemed to highlight risk to the PC security systems, my colleagues, clients and I have been heavily focused on potentially catastrophic threats to aircraft and flight control. I recently shared some thoughts with a working team representing a large defense agency. Some of my colleagues suggested that, in light of the FAA news, aspects of this evaluation might be of interest to UltraTalk Blog readers.

Vulnerabilities of Aviation Systems

In general terms, transportation, like most automation-based industries, relies on control systems – SCADA, DCS, and GCS among them. Railways, ports and airports are heavily reliant on support utilities such as power and water, so an indirect attack on one of those systems will have an impact on these operations. As networks that are run by businesses, attacks can severely disrupt operations.

Two interesting examples come to mind of what could happen when a supporting system is hacked:

  1. The PUCKINFLIGHT aviation blog investigated how the TSA encodes pre-check into boarding passes and published the findings. Because passenger and flight information contained in the barcode of boarding passes is not encrypted, much can be learned relatively easily that can be used for nefarious purposes. The blog post helped generate interest in improved physical security which, unfortunately, hasn’t consistently translated into improved cyber or information security.
  2. When British Airways opened Terminal 5 at Heathrow in 2008, a series of technical issues on supporting systems (made worse by human factors) caused, among other problems, a collapse of the baggage system. A cyber-attack could potentially cause similar technical issues. If there is insufficient incident-response training for staff, similar chaos and impacts could likewise be seen with far worse consequences.

Both examples seem particularly relevant to GAO’s training and security-controls directives. There is, however, far more to be considered on this topic.

In More Specific Terms

I followed Hugo Teso’s presentation, Aircraft Hacking, Practical Aero Series, on the inherent weaknesses in ACARS (Air Transportation System Addressing and Reporting System) and ADS-B, which is a surveillance technology of ACARS. Much of the information, particularly the flight-spoofing element, was not new to those in the industry yet may still come to bear in other bad ways with the increased use of technologies such as CPDLC for datalink communications.

The ability to execute code and manipulate flight management computers is more hotly debated, with many decision-makers ruling against change. Just read some of the exchanges between Airbus, Boeing, and FAA on the 787-8 information system architecture to see the arguments regarding vulnerabilities in newer aircraft. The Federal Register is one credible source. I do not suggest that the 787-8 is insecure or vulnerable; I only point out that these issues remain under debate. It will take some time to get to the level of familiarity and assurance that we now have in safety design across the industry with vendors, regulators, and owners.

Many industry vendors disagree that ACARS needs strong message security. My view is that the measures in place are essentially vulnerable because they often are proprietary and not robustly tested. As demonstrations at conferences like Black Hat and ShmooCon have powerfully illustrated, unless we do crypto correctly, as guided by FIPS 140-2, such measures can easily be torn down by even unsophisticated attackers.

For the time being, it seems that much of ACARS is done unencrypted (in the clear). I would, however, advocate for regulatory adoption of a standard for end-to-end datalink encryption such as ARINC 823, with a strong requirement for independent validation. Despite what some vendors may say, secure ACARS is not widespread or fully tested.

Some authorities are pushing for increased use of datalinks with ADS-B while stating that there is no need for message security. Proponents of ADS-B call it a proven and certified standard that is a sound and low-cost replacement for conventional radar. I question this assessment for a variety of reasons, many of which are nicely laid out in a research report released by the Air Force Institute of Technology titled “Exploring Potential ADS-B Vulnerabilities in the FAA’s NextGen Air Transportation System.” It notes official documents claim that operational requirements necessitate unencrypted datalinks, and examines the premise that there is a low likelihood for malicious exploitation.

As with most technical industries, acronyms and different technologies abound. Understanding which, and what, bears on the operation and management of aircraft is not easy. But, considered collectively, there is too little security. The security that exists too often has not been independently validated from a security perspective, even if from a safety one. Moreover, there is no official demand or directive to correct the insecurities that are in this way introduced.

Evaluation for validated cyber-hardening must occur prior to deployment for all systems — datalinks, avionics, maintenance, management, support, even passenger entertainment. There is no better way to independently ensure and implement comprehensive security. This should be the guidance that FAA receives and models.