Pete Cooper, Atlantic Council
Deborah Lee James, Atlantic Council, former secretary of the US Air Force
Alan Pellegrini, Thales Group
Elizabeth Wharton, City of Atlanta/Hartsfield Jackson Atlanta Intl. Airport
Pete: Planes are more interconnected than ever. Wifi is not limited to the passenger section, it’s available in the pilot’s cabin as well. What is being connected?
Alan: All tech to increase connectivity is very beneficial to the crew and passengers; but it creates another attack surface for hackers. Pilots are increasingly communicating with air traffic controllers using data, which also increases attack vector. The aircraft itself is becoming part of IOT, not just in the aircraft but actual sensors embedded in it. For all of these there have been examples of hacking; but so far there have been no safety issues, only disruptions.
Elizabeth: The airports are becoming mini cities. We are looking at advancements such as autonomous transit to the terminal, device based check-ins, facial recognition technology and others. Technology is impacting all domains of the airport even beyond passenger processing: baggage sorting and delivery, retail, medical services and other systems are increasingly getting an IOT footprint. The challenge is to sort out what is connecting to what?
Disruption happens not only by hacking; system failure can cause increasingly more havoc as well.
Pete: So we have not had a safety issue yet, but will it be targeted?
Deborah: Yes, the whole ecosystem is interconnected, and aircraft are becoming flying computers. As to what to do, I identify four “D”s and one “S”: Deny, Disrupt, Degrade, Destroy and Steal. The potential attackers range from individual hackers through disgruntled employees and all the way up to nation states.
Alan: Aircraft manufacturers are beginning to put a lot of effort into penetration testing, however, there isn’t enough of a holistic view.
Elizabeth: Airline carriers and airports reach out to the security community to get more information.
Pete: The airline industry is highly trusted, due to its very consistent record of safety. How can that be maintained?
Deborah: The security area must be constantly reviewed, always looking at the periphery for attack vectors. There need to be multiple layers of defense.
Alan: Part of the problem is that many of the systems that are put on the plane for entertainment and customer service have been selected because of their “coolness”, with security being secondary. These are not as rigorously tested and hardened for security.
Pete: Airlines can demonstrate an aircraft is safe, but how can they show it’s secure?
Elizabeth: They need to be answering multiple questions: for any attack vector they consider, are there alternative attack routs B and C, and have those been vetted? What lessons-learned activities were taken? How well are existing issues and past incidents responded to, and how do you improve on the response?
Pete: When you consider airplane software is written for dedicated airplane hardware, and that it needs to be distributed to a global fleet of airplanes, and when you consider the cost of taking an airplane out of circulation (even for a short time) to install a fix, the cost of changing even a single line of code across an entire airplane model can reach a million dollars. How do you address threats fast enough and in an economic way?
Alan: These statistics are improving through the connectivity that is being put into the airplanes. New data pipes are being built to enable things like bug fixes – but again the trick is to make these secure. Nowadays a code change can be distributed across the entire fleet in a single day.
Pete: If there’s an aircraft accident, the aircraft is rebuilt from the wreckage, so that investigators can study what went wrong. That level of detailed lessons-learned is not done with cyber attacks.
Deborah: There may not be enough sense of urgency yet. Unfortunately, it may take a cyber “Pearl Harbor” to get sufficient focus on the matter.
Pete: How do you break down the barriers among the organizations that need to work together on this?
Alan: It’s getting better – airlines are paying more attention to the issue.
Deborah: Top leaders of arilines and government are not necessarily educated enough about the issue, and that it’s an ongoing effort, not a one-and-done fix.
Pete: While we are talking, adversaries are advancing. What do in preparation?
Alan: We need airlines to adopt security standards and hold vendors accountable to them. Today security is built into new systems, but not necessarily into the old systems, which are still vulnerable.
Elizabeth: We need a way to find a happy medium, because the government does not move fast enough.
Pete: There is a culture of safety in the industry, but there isn’t yet a culture of security.
Q: What is the impact of consolidation of airlines on cyber security?
Alan: It’s positive. It increases attention, provides larger IT teams and larger budgets.
Q: What are the risks and vulnerabilities of automation taking over pilot functions on an airplane?
Pete: Automation is not yet an issue, the pilot is still in control. However, there is a danger of changing the information displayed to a pilot, that can be dangerous.
No comments:
Post a Comment