Most of us in the cybersecurity industry are familiar with a recent “tweet heard around the world.” Yes, I’m referring to the infamous tweet that caused Chris Roberts to be removed from a United Airlines flight. This incident has undoubtedly generated much criticism aimed at both Roberts and the airline industry. I am not writing this article to speculate about the why’s and why not’s regarding Roberts’ intentions; nor am I writing to argue the validity or invalidity of the FBI’s claim that Roberts took control of a plane during flight, or to reason about the actions or inactions of the FBI, TSA and United Airlines regarding this incident. I am, however, writing this article to help drive a very important message: The aviation industry has failed at implementing the most basic of cybersecurity controls.
Who Are the Key Players and What is the Problem?
Who are the key players involved in the aviation industry? According to Wikipedia:
“Aviation is the practical aspect or art of aeronautics, being the design, development, production, operation and use of aircraft, especially heavier-than-air aircraft.”
Based on Wikipedia’s description, we can safely assume that the key players include those who design, develop, produce, operate and use aircraft. The aviation industry should reflect on the information that has surfaced lately, both as a result of information obtained from authorities related to Roberts’ incident, as well as from other sources, such as the recent Government Accountability Office (GAO) report, which claims that the FAA must address cybersecurity as it transitions to the Next Generation Air Transportation System. Like many other industries, the aviation industry is moving towards Internet Protocol (IP) based systems. The move towards IP-based systems will require the FAA, along with the entire aviation industry, to adopt a “More Comprehensive Approach to Address Cybersecurity,” as stated in the GAO report. The aviation industry will face significant challenges as more and more of the components constituting its overall ecosystem become IP-enabled and, subsequently, Internet-connected. Yes, I know—not all of these components will be connected to the Internet. Regardless, one fact remains: the aviation industry must reconsider how it approaches designing, developing, producing, operating and using aircraft as it continues to introduce more aircraft subsystems that use IP-based networks. Particularly, the aviation industry must consider a security-first design principle, instead of following the classical paradigm of adding security later, after systems have been widely deployed. In a recent newsletter, Bruce Schneier makes some similar points:
"…Governments only have a fleeting advantage over everyone else, though. Today's top-secret National Security Agency programs become tomorrow's Ph.D. theses and the next day's hacker's tools. So while remotely hacking the 787 Dreamliner's avionics might be well beyond the capabilities of anyone except Boeing engineers today, that's not going to be true forever. "What this all means is that we have to start thinking about the security of the Internet of Things--whether the issue in question is today's airplanes or tomorrow's smart clothing. We can't repeat the mistakes of the early days of the PC and then the Internet, where we initially ignored security and then spent years playing catch-up. We have to build security into everything that is going to be connected to the Internet…"
Schneier makes two important points here. First, aircraft might be hard to hack today but not necessarily tomorrow. Second, security cannot be an afterthought; it must be a part of an Internet-connected system’s design from start to finish.
Where Did They Fail?
Unfortunately, the aviation industry has moved forward and started introducing Internet-based technologies without considering security first. They introduced these technologies into aircraft subsystems and, in doing so, they have failed miserably at one of the most fundamental elements of basic cybersecurity—they have failed at physical security. Physical security forms a basic foundation for all of cybersecurity. Without physical security, we cannot provide any guarantees upon which to ensure the confidentiality, integrity and availability of information and other cyber-resources. As security researchers commonly say: “If an attacker gains physical access to the box, then you are already owned.” Generally speaking, physical security is concerned with matters such as preventing unauthorized access to resources and protection of said resources from damage or harm. For example, physical security for IT systems includes items such as locking down servers within server rooms and both controlling and monitoring access to said server rooms. Another common and very important component of physical security is to ensure that wired network connections, such as Ethernet ports, within a facility are only accessible to authorized personnel. This is one area where the aviation industry has severely failed at physical security. In particular, they have introduced significant cybersecurity weaknesses into aircraft by placing physical network ports within general cabin areas. I am not talking about adding WiFi service for airline customers; I’m talking about connections that could lead to unauthorized access to aircraft information and associated control systems. If you read the news that started surfacing after Roberts’ infamous tweet, you might have heard something about “network connections under aircraft cabin seats.” I have actually seen one of these network connections under my cabin seat in the past.
I can tell you that it’s pretty dirty under those seats; the airlines must not get under there to clean very often. I guess they don’t expect most passengers to look under the seats, so no need to clean under there. I suppose the designers who added these network ports had similar thoughts when they made their design decisions. Maybe they thought “surely no one is going to look under his seat and, if he does, surely he won’t try to connect his laptop to this network.” As it turns out, that was a poor design decision. There is absolutely no reason for physical network ports, such as these, to be located in an aircraft’s general seating area. This statement is true even if the designer “thinks” the underlying subsystem and associated networks are protected by devices, such as firewalls. I can safely make this statement because of one particular fundamental principle of security known as the principle of least privilege. The principle of least privilege states that every element within any particular computing abstraction should only have access to the information and resources that are necessary and sufficient for its designated purpose. Rest assured, no one within the general cabin seating area has a designated purpose to connect to any aircraft resources that may or may not be accessible by these “hidden” network ports.
Poor Physical Security Followed By Poor Incident Response
Alas, we have another area where the aviation industry has failed—incident response. According to Wired, the FBI issued an alert in response to the reports stemming from investigations that essentially revolved around Roberts’ airplane security research. The alert advised flight crews to:
“…report any suspicious activity involving travelers connecting unknown cables or wires to the IFE system or unusual parts of the airplane seat”
I’m glad that someone advised the aviation industry to be on the lookout for this type of on-board activity. However, these alerts are not long-term solutions, and they are not a complete incident response. Instead, these alerts are supposed to be used as a temporary mitigation technique until a real solution can be deployed. What is a solution for this specific problem? In my opinion, these physical network ports should be completely removed from any aircraft’s general seating area. In other words, the aviation industry should “respond” to this physical security “incident” by removing these unnecessary and dangerous network ports. The situation is too critical to be avoided, and the potential consequences of not acting swiftly to fully mitigate this physical security failure could be dire.
Where Do We Go From Here?
In the last few paragraphs, I have indeed been very critical of the aviation industry and its failure to implement the very basics of cybersecurity. I have been critical because the industry has overlooked the need for good physical security of cyber-resources on aircraft. A salient point I want to relay here is the following: if something as basic as physical security of an aircraft’s cyber-resources cannot be implemented, how can we rely on them to implement “more comprehensive approaches” for the more challenging aspects of their systems that have much more design complexity? I believe the aviation industry has a major challenge ahead of it, which goes far beyond basic, on-board, physical security. Tim Erlin provides a good discussion related to this dilemma. Unfortunately, this topic does not stop here. The underlying issues of this topic are not just applicable to the aviation industry. Up to this point I have been using the aviation industry as a case study. Right now, we are observing rapid adoption of Internet-based technologies across virtually all major market sectors. Indeed, this has been occurring for many years, but adoption is now spreading into sectors that have traditionally been “air gapped” from the Internet. For example, have you heard of the term “Industry 4.0”? Industry 4.0, in a nutshell, is a vision of Internet-enabled “smart factories.” My colleagues and I have been researching the ideas of cloud-based design and cloud-based manufacturing for several years (review my related publications for details). Indeed, many manufacturing facilities are slowly integrating IP-based technologies into their factory floors—the associated economies of scale provided by such technology make this move inevitable. This continuous permeation of Internet-based technology is also coupled with shifting motives underlying most cyber-attacks, a shift that started occurring a decade ago but has been accelerating over the last few years.
The days of script kiddies being an organization’s worst enemy are long gone. Modern day cyber-attacks are driven by motivations such as financial, religious, or political gains. What does all of this mean? These emerging market sectors that are beginning to adopt Internet-based technologies are what you might call “newcomers.” These newcomers must be vigilant. They are Internet technology rookies entering a game where they must compete against well-established, significantly-motivated and highly-trained adversaries. They cannot consider cybersecurity later. Instead, they must consider cybersecurity now, at the very ground floor of this new revolution.