Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

F-Secure Looks to Address Cyber Security Risks in Aviation Industry

Aviation Cybersecurity

Aviation Cybersecurity

Aviation, as part of the transportation sector, falls within the critical infrastructure. While it may not have the same security issues as ICS/SCADA-based manufacturing and utilities, it has certain conceptual similarities; including, for example, a vital operational technology infrastructure with increasing internet connectivity, and the associated cyber risks.

It also has one major difference — the close physical proximity of its own customers. Catastrophic failure in the aviation industry has a more immediate and dramatic effect on customers — and for this reason alone, a trusted brand image is an essential and fragile part of success in the aviation industry. Without customer trust, customers will not fly with a particular airline.

Historically, aviation security has primarily focused on physical safety, and has become highly efficient in this area. But in recent years, the customization of new aircraft to provide newer and unique passenger experiences — such as the latest in internet-connected in-flight entertainment systems  — has added a new cyber risk.

Matthieu Gualino, deputy director of the International Civil Aviation Organization Aviation Security Training Center, described the three current areas of cyber risk as flight control (the critical systems needed to fly the aircraft — high impact, low likelihood); the operational cabin (systems used to operate and maintain aircraft — medium impact, medium likelihood); and passengers (systems with direct passenger interaction — low impact, high likelihood).

The problem today is that aviation security is experienced in operational technology, security and safety; but less experienced in the rapidly evolving world of cyber security. To help counter this risk, Finland’s F-Secure has launched its new Aviation Cyber Security Services to help secure not just aircraft, but the entire aviation industry: aircraft, infrastructure, data, and — most importantly to F-Secure — reputation. Customers are unlikely to fly with companies they do not trust; and successful cyber-attacks rapidly eliminate customer trust and confidence; even, suggests F-Secure, a minor breach of something like an in-flight entertainment system.

“Off-the-shelf communication technologies are finding their way into aircraft, which makes security much more complicated than in the past,” said Hugo Teso, head of aviation cybersecurity services at F-Secure and a former pilot. “Because these off-the-shelf technologies weren’t necessarily created to meet the rigorous safety requirements of airlines, the aviation industry is making cyber security a top priority. But they need a partner that understands both cyber security and the details of airline operations, because it’s an industry where those details make a big difference.”

The new service integrates security assessments of avionics, ground systems and data links, vulnerability scanners, security monitoring, incident response services, and specialized cyber security training for staff. 

The primary problem is not unknown to the security industry — the need to protect safety-critical systems from less significant but more exposed and vulnerable systems (such as those with an internet connection).  “A key protection measure is separating systems into different ‘trust domains’,” explains F-Secure’s head of Hardware Security Andrea Barisani, “and then controlling how systems in different domains can interact with one another. This prevents security issues in one domain, like a Wi-Fi service accessible to passengers, from affecting safety-critical systems, like aircraft controls or air to ground datalinks.”

Data diodes are typically used for this type of system segmentation, because they provide unidirectional data flows where complete bidirectional isolation is not possible. “It is essential for any data diode to be implemented in a manner that allows no attack, parsing errors or ambiguities, failures to affect their correct operation,” Barisani told SecurityWeek. “Our team is routinely involved in testing data diode security to provide assurance on their operation, improve their design and fix any issues well before their certification.”

Learn More at SecurityWeek’s ICS Cyber Security Conference

Diodes are part of the separation of the vulnerable passenger facilities from the critical flight operations. “In-flight entertainment and connectivity (IFE/IFC) are two of the most exposed systems in modern aircraft,” explained Teso. “Facing directly the passengers, those systems are a major cyber security concern to any operator as any incident would have important brand damage for them. Not to safety though. Due to the way aircraft are designed, built and upgraded any incident involving or originating in the cabin of the airplane will be isolated from the most critical, and safety related, systems.”

F-Secure is keen not to promote its new service with the ‘fear factor’. The aviation industry already does an excellent job at maintaining the safety of its flights. The new cyber risk is currently primarily against aviation’s brand reputation, and the threat of a cyber hijack taking over an aircraft in flight, is, suggests Teso, more likely in the movies than in reality.

But that doesn’t mean it can be dismissed or forever ignored, or even limited to civil aviation. The aviation industry, including both civil and military aircraft, shares a common core of technologies, although the threat model differs between the two. Nevertheless, commented Teso, “F-Secure aviation cyber security services is not limited to any specific part of the aviation industry. If it’s part of Aviation, our services have it covered.”

Related: Hacking Threatens Airline Safety: Aviation Chiefs 

Related: Poland Eyes Cybersecurity in Skies

Related: Proposed Cyber AIR Act Would Force Cybersecurity Standards for Aircraft 

Related: The Ever-evolving Cyber Threat to Planes

Learn More at SecurityWeek’s ICS Cyber Security Conference

Written By

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

ICS/OT

Vulnerabilities in GE’s Proficy Historian product could be exploited for espionage and to cause damage and disruption in industrial environments.

ICS/OT

A hacktivist group has made bold claims regarding an attack on an ICS device, but industry professionals have questioned their claims.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

ICS/OT

Vulnerabilities in industrial routers made by InHand Networks could allow hackers to bypass security systems and gain access to OT networks.

ICS/OT

Schneider Electric in recent months released patches for its EcoStruxure platform and some Modicon programmable logic controllers (PLCs) to address a critical vulnerability that...

ICS/OT

Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities.