Avionics CyberThreat Airplanes Are Hard!
Disclaimer The subject matter of this presentation is provided for educational purposes only. The information presented relates to a dynamic and complex cyber security environment. This landscape is constantly changing; however, the content is presented in good faith and is currently accurate to the best knowledge of the presenter. The views and opinions expressed in this presentation are those of the presenter and do not necessarily reflect those of Delta Air Lines.
Discussion Points Introduction Landscape Assessment Thoughts & Considerations Questions
Introduction CyberThreat Why the Sudden Importance? Technology Evolution: In-Flight Entertainment / Media Servers Power Plugs / USB Ports WiFi, etc.
Introduction CyberThreat Why the Sudden Importance? Consumerization of Aircraft Technology Creating a More Connected Experience for the Passenger & Crew Centralization of Aircraft Computing From Flintstone to Jetsons Avionics
Landscape Responsible Parties: Aircraft Manufacturers Avionics Engineering Component /Engine Suppliers Airlines Maintenance Repair Overhaul Government Agencies Federal Aviation Administration International Civil Aviation Organization Local Civil Aviation Authorities
Landscape Source: AIAA A Framework for Aviation Cybersecurity Aug2013
Landscape Threat Actors: Aircraft Crew (Pilots, Flight Attendants, etc.) Airport Logistics (Air Traffic Controllers) Corporate Support (Operations and Control Center, Aviation Engineering, Maintenance) Passengers Remote Attackers Turnover Crew (Cleaning, Catering)
Landscape Threat Technology: Smart Phones, Mobile Devices Software Defined Radio (SDR) Supervisory Control and Data Acquisition (SCADA) / Industrial Control Systems (ICS) Global Positioning System, Graphic Flight Following (public), Aircraft Situation Display to Industry (ASDI) ElectroMagnetic Pulse (EMP)
Assessment Goals: Translate Threat Concepts from Traditional IT to Aircraft Systems Evaluate IT Governance of Avionics Assess Attack Surface of Sampled Airframes for Vulnerabilities
Assessment Targeting Specialist Expertise within the IT Space: Limited Aircraft Experience Automotive, Manufacturing, Power, etc. Focus on penetration testing and SCADA/ICS exposure Lots of small players but what can reputable vendors deliver? Reinforces & adds credibility to report Help drive positive action & results
Assessment Challenges: Multiple Fleet Types & Configurations within Fleet Types Multiple Component Areas (Scoping Specific Test Areas is essential) Many types of manuals each based on standard, but customizations go to tail number detail Ability to perform validation testing of theoretical concepts but cannot damage or compromise actual aircraft Non-Standard Interfaces (i.e. AIRINC 429/629) Inconsistent Stakeholder Ownership Depending on Part or Aircraft
Assessment Diverse but Limited Test Environments Environment Pros Aircraft Test Benches Simulators Fully Integrated Real World Environment Targeted Environment Easy Accessibility for Testing Configurable for Testing Needs Cons High Cost Not Integrated Hardware Only Not Reflective of Real Environment (Software Designed) False Positives in Testing Considering These Options, Which Do You Choose?
Thoughts & Considerations Integration Between IT and Avionics Engineering Escape Traditional Ownership & Approach, Increase Collaboration What are the Different Levels of Responsibility and Ownership for Each Stakeholder Work Together to Secure Environment, Share Information to Enhance the Industry Build on the Successes of Traditional IT Controls: Attribution, Authentication, Authorization, Encryption, Segmentation, etc.
Thoughts & Considerations Red Teaming Mindset Look At This From the View of an Attacker Compliance vs Security Eliminate Checklist Mentality Focus on Securing Your Airline s Environment Governments Require Reports of Security Assessments from Manufacturers
Questions What does your airline do to cover these risks? How involved is your airline with local and international agencies to identify credible threats? How does your airline keep up with threat evolution versus security enhancements? What should audit do in this space? Your turn