Airplane Mode: Cybersecurity at 30,000+ Feet

[Music] hey everyone happy saturday morning thanks for waking up early all right so today we're going to talk about cyber security in the aviation industry and if you're expecting this to be a presentation on hacking airplanes i am sorry to disappoint you well we'll cover a little bit of background information but it's really going to be more on the uh overall posture of the cybersecurity ecosystem in the aviation industry so of course i have my disclaimer because i like what i do and i want to keep presenting at conferences like b-sides so none of this is endorsed by or sponsored by any producer uh employers that i have because i still like working for them and it's an

overall reflection of my experiences in the aviation cyber security industry most importantly everything that i found you can find on the open internet nothing is a proprietary and i'm a huge advocate of showing your references so i will give all of that at the end of this presentation the little qr code is i would love your feedback it's for a quick survey i have if this was what you expected or if there's any topics that i didn't cover that you'd like to hear in future presentations so one of the times i gave this presentation someone wanted more information on the uh sort of like the the certification process so i was able to uh try to dig out some

more information to answer more questions all right so just a little bit about me um so you know i'm not full of uh fud and i'm not making all of this up but about 12 years ago i began as a software developer by degree that wasn't a huge fan of coding all the time it doesn't spark joy but i love interacting with people so when i'm not doing cyber security i'm a curler by trade so that would be awesome to keep doing again once the pandemic is done

i was super fortunate that when i started my career out of college i was able to work on a bunch of transportation related programs so i worked on a air commander control system i worked on a gps system used by aircraft and eventually found my way to uh avionics where i got to work on an in-flight entertainment system which was really cool so i focused on the uh the crew terminal and its functionality specifically for the ife system and i got very lucky again that i was at the right place at the right time where i found the cyber security product uh director and was able to make a connection and since i got into security i just

never looked back so i've been geeking out for about six years doing that

all right um scope so to cover that before i start talking about anything in specifics i want to just frame the scope of the discussion so we're going to talk about some regulatory aspects the players and components in the aviation ecosystem and then i end with some use cases and experiences i had which is great so the um not specific hacking i'm not talking about hacking on planes because please don't do that but more of here's potential use cases that may lead to vulnerabilities so for anybody who works in the industry this is an overview probably no more than i do or what i'm going to present so if you have questions stick them in discord i'm gonna hope to

to look at things when i can but i know our moderator is gonna do an excellent job of pinging me as well cyber security regulation so regulation varies depending on the location that you're in and for a supplier manufacturer it's important because they have to comply with several different government agencies specifically for this presentation i'm going to focus on the current u.s regulation but it's very similar to the eu and other regulatory authorities so specifically for aviation cyber security there are three key documents and here come all the fun acronyms and numbers uh d o stands for document or document order and when you get the hard copy printouts they are these like big thick books that uh

if you have insomnia they're great for like bedside reading and we're going to start with do uh 326 a so airworthiness security process specification so why do we need this process when safety assessments were initially developed they focused on a failure of onboard systems and not failure caused by a malicious intent so this process fills the gaps by defining security scope for the certification process for new development of systems or modification of existing systems so in addition to the scope it lists a long list of additional requirements including having a security risk assessments and other effective requirements the next one is do356a it explains the methods to show compliance to the profit processes reference in do326a so for

example if you're developing a security architecture what should be your corresponding measures for that if there's any assurance guidance for verification activities like threat assessments or what systems should you have logging enabled so that they're properly monitoring your environment so you can be aided in incident response lastly there's do-355 so once the plane is flying how do you ensure the cyber security of that aircraft once it's been handed over to the air operator so this uh regulation and document was really important when i worked at american airlines this is the one that the security team specifically looked at so it highlights what you should have in regards to incident response what personnel roles you need from an

aircraft information security specialist which is relatively new type of role all right

so cyber security regulation so who needs to follow these three documents specifically it's for aircraft with special conditions and what causes an aircraft to have a special condition so this is directly from an faa document that says this airplane will have a novel or unusual design feature when compared to the state of technology envisioned in the airworthiness standards for transport category airplanes these new connectivity capabilities may result in security vulnerabilities to the airplane's critical systems for these design features the application the applicable airworthiness regulations do not contain adequate or appropriate safety standards for protection and security of airplane systems and data networks against unauthorized access these special conditions contain the additional safety standards that the

administrators consider necessary to establish a level of safety equivalent to that established by existing standards uh very long-winded but in a nutshell back in the day when these planes were created we didn't have these networks and systems on the planes therefore this special conditions is going to cover those gaps so what types of aircraft have these special conditions examples would be like the 787 737 max a350 anything that has um the newer types of networking systems on board so what do we do for these aircraft we have something called an ansp which is an aircraft network security program and this ansp is an agreement between the air operator and the manufacturers on how they plan to

secure the aircraft and that's signed off by your regulatory body which would be the faa in the u.s so the ansp captures um guidance and so that like if there's any system modifications or updates they're not going to negatively err impact the continuing airworthiness due to cyber security vulnerabilities and most often the ansp is leveraging existing cyber security frameworks like the nist cyber security framework and it uses common standards as well so the main takeaway from these documentation is that its emphasis is on safety of flight and framing that in the aspect of cyber security so how do we do that by using a defense in-depth security approach

all right so who needs to follow these regulations there are a lot of players in the aviation ecosystem and there's several lists but the one i like the most is a compilation from the 2018 us national strategy for aviation security and they highlight uh that there are six a's or six players in the game and the first one is aircraft so of course the plane itself and prior to covid there were over 24 commercial flights daily over the u.s and the category includes government and private aircraft in that figure the next player are the airlines so what's highlighted in the airline section is that there are airlines of multiple sizes covering functional scope of operations and maintenance

so you want to consider that there are several different uh enterprise networks of an airline that span more than just the aircraft so you may have a separate passenger system or a ground system but that all flowing information my favorite sentence in regards to the airlines is how an airline is managed has impact on its safety and the security of the aviation ecosystem every player on the slide has an equal impact to the ecosystem none of them is more important than the others uh the next one is air lift and when i first read about this i was like huh what is that but airless are just the cargo version of airlines and even though they don't

have passengers they have the same stringency of regulation so just because it's cargo doesn't mean it's any easier and more importantly they have an amazing great economic impact uh the air international air transport association said that the uh world trade by value of these cargo airlifts is about six trillion dollars that is being transported so any impact to them is huge to the economy next are airports there's over 44 000 airports globally and about 19 000 in the us so when you think of airports you might think of like the big hubs that you see or maybe some small regional ones but they also include package and package delivery hubs and logistical airports and logistical airports are

really cool because uh if you have ever seen them they're where like aircraft scenes are filmed for movies or where aircraft our airlines store aircraft when they're not being used right now in addition to the physical uh airport location itself the entity that runs the airport is also included in this category and that could vary some are privately owned some are owned by a city or public authorities so that's included as well next is aviation management so that is your national or international regulatory body and they manage the operation administration of the aviation ecosystem so of course the faa in the u.s eos and europe and there are several individual civil uh aviation authorities in other

countries so that's for the us that would be where air traffic control would reside lastly our actors and this group is categorized as people or entities that operate maintain uh or utilize the aspects of the aviation ecosystem so this includes i see it as a very wide catch-all bucket which i'm not a huge fan of but it includes the original equipment manufacturers also known as oem's suppliers so like in-flight entertainment companies or internet connectivity providers and contractors so your cleaning crews your food service suppliers they also include [Music] threat actors in this group which i don't i don't think it's fair or insider threats because they can exist inside of their specifically can exist anywhere

inside either of these six groups listed all right so now we know how the players fit into the operational aspects of the aviation ecosystem excuse me so now i know who the players are we know the regulatory background now i'm going to talk about how the players fit into the operational aspects of the ecosystem i'm not a pilot so when i was trying to frame the scope of how i was going to talk about this i took it as a passenger because most people can relate to flying so i'm going to talk about in regards to what happens before a flight during a flight or after a flight so what a passenger sees barely scratches the surface

and uh this graphic that i'm showing right now is courtesy of nasa and it captures the major components but just remember that they're framing it from a government perspective so if you're like there's something missing uh that's the reason why all right so before the flight before you buy your ticket there's several activities in place so that you can reserve your seat or ship your cargo on an airlift carrier if we go back to our certification the aircraft needs to be certified uh safe to fly by your civil aviation authority and you need to have approved staff to do that so you have your approved pilots that know they they do their check around the aircraft

even when you walk before you walk into the airport you have your tsa your transportation security in the u.s customs and border patrol staff you have your airport ground crews your airline gate crews additional flight crew that have all been embedded beforehand then you go to planning so what staff is needed you need a staff certified certified to fly that specific aircraft how many flights are needed overall what type of aircraft do you need for example you're not going to want a regional jet for a long-haul international flight and then you jump into reservations so what passenger and cargo options are available to to offer to the public do you need next day delivery do you need full uh internet

connectivity on those long haul flights and what locations are you gonna offer that at next you have what happens in the ecosystem during your flight so as your amazon prime package spends so many hours on the aircraft or you're sitting in your seat there's even more going on behind the scenes you have your avionics system that's active on the aircraft you have your cabin functionality which either is available to the passenger or to the clerk to the crew so a good example i like to give from a a crew standpoint is that weather is very important so you want to make sure weather information uh is being accurately transmitted to the aircraft so that the

flight crew can make accurate decisions on the best course of travel and then you have your air traffic management that's providing navigation information lastly you have after your flight so once you land there's still a lot going on once you're on the ground so your plane gets checked again by the pilot uh they may need to call the ground crew or the ground crew does their own checks to say that there needs to be maintenance you want to make sure your bags get routed to either the baggage claim if you're done with your journey or to the next flight that you're going on and then there's information regarding the flights themselves so are you going to run to the other end of the

airport because your next flight is in the other terminal and then there's even uh continued comms with ground systems so if you put everything i said together that is the operational aspects of the aviation ecosystem awesome now we have to secure all of this what is aviation cyber security so it's every single system related to the functions that i previously referenced so now i'm going to speak about the experiences i've had in the industry so i was on a aviation cyber security team when i worked for american airlines and then panasonic avionics so their point of view is from a third-party supplier here is another nifty graphic that i really like it's from the american institute of aeronautics

and astronautics and in 2013 they developed a white paper entitled a framework for aviation cyber security and they had a section that references that aviation and the evolution of information uh and communications technology and what it highlighted was that once the plane was a closed system and then due to events in industry it expanded based off of demand and i'll give more specifics on that later in my presentation and if you're thinking oh i want to read this paper don't worry i have everything referenced at the end of my presentation with links so that you can find it later if you want to read up on that more importantly i have this presentation in pdf format on my website so you can

go to olivia stella.com if you want to get a copy of that all right

so now that you're thinking about securing all this data you have to do it for each part of the system and it's a lot and you can't do it by yourself no matter how big of a company you are and more importantly you're dependent on others in the ecosystem and you're under the watchful eye of your government jurisdiction so i'm going to start with the focus from the airplane because that was my initial point of entry into the ecosystem so the ecosystem employee experience versus the passenger experience is a little bit different so when you think of onboard systems there's the native ones like the avionics then there's your third-party systems like your passenger internet

connectivity in the internet uh the entertainment systems so how do we uh talk to the rest of the world via these systems well ground communication is different than connectivity in flight so if you think about your your wi-fi and your cellular versus your satcom you're just and then you have to support all the infrastructure for these communication systems then you have your external environment the systems that support that so if you're thinking from an airport perspective you'd have your ticket kiosks your baggage claim systems and any on-site maintenance systems if you go another level removed you can think of all the uh iot internet of things devices and systems that your third-party companies are using so for instance the catering crew

needs to know how many meals for this specific flight your cleaning crew if you're doing a wide body aircraft you're probably going to need maybe two to three times as many people as an air body aircraft and they could be all sharing the same infrastructure depending on how it's set up within the airport so how do you secure all the data for each parts of those systems those were the slides the past slides i referenced was the world i was living in when i was working at the airline and it's a really interesting problem when you think about it how to keep everything secure so uh before i jump into more specific aspects of aviation cyber security

i want to spend a little time focusing on the aircraft when i gave this presentation at a pass conference people were like where's my plane information i wanna have the plan please don't do that but i will give you a little bit of background of how the data domains on the aircraft are split up and what exactly exists so this graphic is courtesy of connected aviation today and they list the domains uh in criticality to safety of flight so remember we're referencing safety of flight again so remember safety of flight and data security so the first domain is the aircraft control domain this is the most critical to safety operation of the aircraft including the flight control

applications and core cabin functions next is the airline information services domain or the aisd more acronyms and one of the best descriptions that i found for that was from iko's 2014 uh description saying that it provides services and interconnectivity to the other domains while creating a another security permit permit it's too early for a saturday also the isd can be categorized into two subdomains so there's an administrative subdomain and there's a passenger support sub-domain so the passengers support one of course supports uh pastor systems and then the administrative sub-domain includes airline administrative information to the flight deck and the cabin the third one is the one that you would be most familiar with when you are flying

yourself so that would be the passenger information and entertainment services domain or pi's d as a lot of people call it and it's the most dynamic in regards to functionality because we need to keep up with the devices that you're bringing on the plane so like how apple just announced their new their new cell phones if they had any new functionality you may need to have a ife system that could interact with it i doubt there's new functionality but this includes any live connectivity it could also include like if you have one if you're in happened to be in business class and you have a fancy seat it could be the seat actuators um or the passenger message messaging

systems all right so this is one of the reasons why i really love the aviation industry in regards to cyber security so we understand the rules that came from all these awesome regulatory books and i gave a highlight of the ecosystem and its data domains so how do we treat this unique ecosystem is it really i.t information technology or is it more of ot operational technology when i think of an ot environment i see electrical grids water treatment plants nuclear power plants facilities that if there were a failure there would be a negative impact to the safety of human life and if you happen to be an ot professional sweet i am not an expert

hit me up on discord afterwards if there's any other details you have because i'd be really interested in finding that out

so does that mean the aircraft is industrial control system uh not exactly but it's not your traditional it system either due to the safety of flight aspect more of our environment became open in regards to detecting connectivity and the more that these two areas uh converge it just blurs in the middle so from the avionic aspects of the aircraft um systems in the aircraft control domain could be comparable to ot scada like software if something goes wrong there would be a high risk to loss of life similar to like a nuclear plant disaster but if you think about the passenger devices and the the pi's domain that's your i.t aspect with the latest and greatest tech and software

that's um potentially more vulnerable than your ot software so living in that fuzzy gray area where it ot collide is is really unique and you don't see too much like that and i like to phrase it as uh we're an industrial control system in a commercial environment with ot like regulations and it needs from passengers and the business so sometimes it's clear as mud but it really keeps your uh your day job very interesting and if you're like most people that originated from the it world ics could be relatively new to you and if you want to learn about it there's some cool free web-based trainings brought to you by dhs and it's up to you

if you want to give them your information because i think you have to give like an email address and your your first and last name but you give your info and you get the a lot of cool information from these classes all right this is my favorite part of the presentation that i lovingly like to call aviation unicorns so i wanted to provide a few unique use cases that i have seen and or experienced when i was in industry that sets uh aviation apart from typical i.t and ot environments

software patching and upgrades back when i worked at panasonic this is something i personally experienced so it was very important to have a good communication path with your customers for example if we needed to get either a patch out or a software upgrade and it didn't matter if it was security related the teams were always we'd go into major crunch if we had to to make sure the software was properly tested and bundled in the appropriate way that it could be handed to the customer in less than a day if we needed to yay for processes because we were able to recreate all of our stringent guidelines and make sure that the software was in

the right state when it was released so we'd hand over the soft software to the customer and the customer owns the system so we have no control over when it would get updated because we don't own the aircraft and every airline is different so how did we overcome that uniqueness in our industry you need to have great communication and there's so many segments in the supply chain being able to know who you need to involve is very important so if you compare that to it and you think of your cell phone again software updates get pushed and eventually your phone's gonna get locked if you don't upgrade we all see that we all say yeah we agree

to whatever updates they're gonna do you don't want that to happen on your aircraft especially in an ot environment what's nice is that operators have the luxury to make updates based off of recommendations of the manufacturer and they have compensating controls in place too to say you know what if we're not going to do this update we have controls xyz in place until we can do this update so if if it was that closed environment that has no internet connectivity it might be okay to wait to do that type of an update but more importantly the system owner has that option so how do we combat against that in this unique situation i'm going to refer to defense in depth

again so for instance the hardware only allows certain software packages to be loaded to it it's it's looking for that the software is signed and uh roots of trust exist more importantly the uh aircraft is an embedded system it's not an open operating system that's caught off the shelf the hardware is more robust as well in that if you see that it's running lennox or what a lennox or some type of common operating system it really is not it's severely stripped down and for example the software can only be loaded via an official manual push to the aircraft subcomponent so there's a lot of different items in place to make sure that there's additional checks

all right the ever expanding attack surface since uh iot technology has been incorporated it's drastically changed our attack surface because the aircraft was designed to be a closed system initially but due to its long life span new technology continues to be added we want that new functionality uh when we fly and the moment we added satcom and internet connectivity everything exploded as we've seen through hacking claims and the first time i learned about how interesting iot was i was actually at a conference and the speaker was talking about a wi-fi water kettle and i am an avid tea drinker as i've been holding my mug the whole time and the wi-fi kettle and similar devices

are just an unsecure entry vector into your home network and luckily when you compare that back to the aircraft it's an embed system with defense in depth and there are several safeguards so when you think of iot it's not really comparing it apples to apples so for example uh experience i had the usb ports on the aircraft though you may see a lot of them several of them have been they've had wires clipped in it so that it's power only the data's physically been turned off via that wire clipping so the main point i want to make for this one is just that iot is something that the industry really cares about it's on their radar and they know that

they're going to have to increase their scope to accommodate that and back when i i worked at american the scope of our team was aviation cyber security and internet of things technology so they were looking at that uh software patching and upgrades so when i talked about this topic it was interesting i got called out in person on stage because someone cut me off early so the great thing about virtual conferences is that i get to talk about it first and that doesn't happen but it's an awesome segue into a potential future state of what's being discussed which are over-the-air updates so depending on the software that you're trying to update and load it could take minutes to hours

to load an update and in in the industry when a plane isn't flying because it's either out of service or you're doing updates or maintenance uh that's bad because you're not flying you're not transporting passengers so the thought process was if a car can do an over-the-air update why not a plane well there are multiple reasons first there are initial talks that if this were to happen it would be in the pi's d space so the passenger domain space you definitely do not want to do this on an avionics or a critical system in the aircraft control domain while in flight because there are specific items listed that you need to have testing and verification that the

software was loaded correctly it's signed off on it's it's not taken lightly at all that you would want to do that over the air but if you compare that to your flight entertainment system if it doesn't update properly the system could be shut down the unfortunate that the passengers don't get to use the system uh whether it be purchasing items or whatnot but depending on the airline's risk tolerance that may or may not be okay so it's it's up to uh the business case of of that airline in that specific instance so for instance how much revenue are you willing to lose

more robust system that's backwards compatible and that can fail over gracefully if the update happens to not work so all of those things are items to think about but once it becomes successful in one aircraft a proof of concept there i i see that it's probably going to creep into the other domains but luckily we have the stringent safety standards and anything that happens in the aviation industry does not happen overnight it is very very slow and there's a lot of steps in between to make sure that items are properly vetted and all of the players i mentioned in the aviation ecosystem get to speak on whether or not they they agree with that because we all work

together with our suppliers our oems so it's something to be aware of and to to i'm i try to keep an open mind but i wouldn't be afraid of jumping on a plane right now and having those types of updates be a concern all right so how do you deal with all these awesome aviation unicorns that uh spin out spit out vulnerabilities and threats as opposed to awesome pretty rainbows and it's it's something simple that people may not think about but it's just having constant communication with common goals so one of the one of the reasons i loved working in that industry and it was one of the hardest things to step back was that every security

team regardless of what organization you're in has the same goal we care about the the safety the privacy and the security of our passengers and their data when they're traveling with us so back i was talking on a daily basis with my competitors with my manufacturers and suppliers to make sure that we were all in the loop when it came to current and future threats and what we could do to improve processes best practices anything in our space and i i thought it was unique to be an environment where you're working with your competitors and it's a non-compute type of atmosphere so if you're lucky enough to be in that type of environment too it's it's really cool and

it makes perfect sense but when you think about it at the end of the day an attack or threat to one player in the ecosystem is an impact to everybody so how is that done it's through information sharing and there are great organizations that already exist that allow this to happen so the aviation isac is one of my favorites it's the information sharing and analysis center and then there's also iota like who i referenced earlier

so through those organizations and individual companies the industry is just growing to to better engage the research community and this is one i really like to harp on with my counterparts in when i was back in the industry because more importantly we need to do better there has been signs of progress so there's a lot more aviation companies that are offering bug bounty programs and vulnerability disclosure programs um for those who attended defcon i i took a break from hacker summer camp this uh this past summer but we're seeing more engagement so when the aviation village now aerospace village came up that was a great step forward um but the flip side too from the industry

standpoint is testing on an aircraft is is a common concern and we know that testing on aircraft shouldn't happen because it's not safe but doing nothing is also not acceptable so how can we be curious while being safe and supporting both sides back to you to goodall regulation and i think it is specifically uh 355. you need to prove that systems are secure and testing is one way of validation so all the parties need to work together and i'm looking forward to coming back to the aerospace village as a potential somewhat neutral third party uh and and come with my uh research hat on to see how we can continue to improve uh the way that we're testing

these systems uh the other item i like to support a lot is that i have a constant issue of a lack of trained cyber security professionals and it's in general it doesn't matter what industry that you're in but to make it even more complex is that you you need a certain specialty to understand how all this works together uh in the aviation ecosystem and that in itself is a unicorn of a person and in order to to build that up we need to train the next set of professionals you just can't say i i hate the job descriptions where it's like it's kind of entry level but we want this experience but how do you get this experience

there's not a class you can take right now for for aviation cyber security that's um in theory open to the public so word where do you start off if you're new my recommendation if you're really new is everything that i mentioned in this presentation go back read those articles do your initial homework because one thing i've noticed uh back when i supported a bug bounty program is that if we had a researcher that provided information that said you know what i found this vulnerability i know it may not be um applicable because of so and so standard or we know you have these safety things in there but we want to make you aware of this as

it sort of it makes you look knowledgeable that you did your homework at first is one one bit of advice and with that i'm going to just prove is in the pudding of all said references and once again this is on my website as well so don't massively screenshot right now but i really want to thank everyone for for attending this presentation on a saturday morning i know it could be nice to sleep in and whatnot but i hope it gave you a little bit of insight into the world of aviation cyber security and that it sparked your interest i i want to leave you with the feeling that the aviation industry really cares about the cyber security

mission and they want to continue to uh work with the research community so keep pinging us please don't have complaints and uh more importantly let's keep the conversation going so uh the top one's my twitter handle if you're on discord uh that's my number for discord uh i'm not gonna lie i'm i'm on discord infrequently so ping me on twitter most of all or through my website and if you have a minute or two i'd really appreciate it if you could give some feedback via my survey

you