Airplane Mode: Cybersecurity @ 30,000+ Feet

[Music] it's time to get back going so this is going to be interesting because you know i like to think whenever i'm high up in the air that i'm relatively safe and normally when i come to these events i don't really hear a whole heck of a lot of like good news or things that make me feel very safe so this should be very interesting i am personally scared but i am also excited so without further ado olivia stella everyone round of applause awesome thank you you should not be scared i flew out here so you'll be fine uh first i want to say thanks to all of our sponsors they are the reason why i fly out here whenever i

can um this is my second time at b-sides and i'm just really happy to be back out in kansas city as you said i'm olivia stella i'm going to talk to you today about aviation cyber security so if we have any experts in the audience anybody from the aviation industry sweet okay cool and of course because i like my job and where i live i'm going to have my general disclaimer about everything is from my own experience our opinion working in the cyber security or aviation industry because i like my job and they give me money and i get to come fly out here so i want to keep it that way most importantly everything was found on

the open internet and i list all my references at the end so you have any comments or questions all the links are there if you scan that qr code that's for my own little mini survey if you have if you're expecting a certain topic and you're like dude you completely missed this you can put a note in there so i can follow up with you and then it'll give you a link over to my website where you can find the presentation so a little bit of background on me why should you believe the things that i'm saying i've been in industry for over 13 years now and i i started by as a software dev and

then i quickly found out that coding all day doesn't spark joy so i wanted to um expand more to the system level so i did a lot of field engineering integration tests systems engineering i like systems engineering so much i'm going to torture myself again after 11 years of not going to school and i actually started my phd a couple weeks ago so we're going to figure out some complicated problems in uh safety critical systems and critical infrastructures that's the goal of my research does anybody know what sport this is yeah when i'm not working or doing security stuff i i like to curl in the middle of the desert i was super fortunate when i started off

to work on a variety of transportation related programs straight out of my undergrad i was on an air command control system it was this long like 20 something year dod project and i caught it in the last two years i could see the whole thing wrap up and finished so that was pretty cool and i was on the process side for a gts program used by aircraft for a little bit on that and eventually i found my way to an in-flight entertainment company so anytime you fly seat back might be my my ex company and i focused on the functionality related to the flight crew so the terminal that they use to work the system

so i started with integration tests and then quickly i found out that i really like product security and i got a great chance to work with that company's product security team and once i've jumped into cyber i've never looked back i'm like if it doesn't have some sort of cyber component you're going to quickly lose my interest so before i jump into the specifics i really want to set the scope of this conversation if you came here expecting to hack a plane you're going to be very disappointed because i'm not going to cover that at all [Music] so the scope is going to cover regulatory aspects um the players in the ecosystem and the components that make

up the aviation ecosystem so let's jump into the fun regulatory part there's a lot of things to go over and i'm gonna base my background from someone who is a third-party supplier and a commercial airline to keep that into perspective so all these suppliers and manufacturers need to comply with several government agencies right your plane just doesn't fly in one country or one airspace i'm going to primarily reference u.s regulation because it's the most common and it's actually very similar to what they have in europe and a lot of the small civil aviation authorities so specifically for aviation cyber security there are three key documents uh that you should read if you're interested and here starts all of the wonderful

government acronyms do stands for document order so we're going to kick off with a do326a so the intent of this document is to highlight why do we need additional process what um happened was when safety assessments were originally created for aircraft they weren't thinking malicious intent it was all focused on operational capability to make sure that there's not any operational failures so this document fills that gap by defining a security scope for the certification process when it comes to developing a new system or sub-systems onto an aircraft or if you're going to modify any type of system on on that aircraft it also highlights a really long list of requirements including the need for security risk assessments

and other effectiveness requirements next is do356a and this explains what methods could be used to show compliance from the previous document so for example if you're developing a security architecture what are your corresponding measures that you would show any assurance guidance for verification activities like threat assessments what systems should you monitor what logs you should look at in order to aid for incident response the last one do 355 was the one i cared about the most when i worked at a commercial airline so the press two were hey you're the original equipment manufacturer oem some sort of bigger supplier you're making like the engines or whatnot this last one is once the plane is flying and it's been handed over

to the airline how do you ensure that it's going to be safe to fly from a cyber security perspective right because once you hand it over it's not like okay it's in this perfect bubble and nothing's ever going to change right parts need to be switched out media changes items like that it highlights who is responsible and the importance of having incidence response management the certain personnel rules needed and to us in the industry we we take this for granted right because this is common practice on on the i.t side but if you think about it from like an operational standpoint the the maintenance people that are handling the aircraft that might not necessarily be something that is assumed

right off the top also a 355 handles the development of an aircraft information security program and i'll talk about that more in a few slides all right so who needs to follow these lovely huge thick documents and when i don't fly for a conference i'll bring like these three books and it's really really heavy so aircraft with special conditions are the ones that have to follow these regulatory aspects and what causes an aircraft to have a special condition so this is straight from the faa and i'm going to read this nice really long sentence this airplane will have a novel or unusual design feature when compared to the static technology envisioned in the air worthiness standards for transport

category airplanes these new connectivity capabilities may result in security vulnerabilities to the airplane's critical systems for these design features the applicable airworthiness regulations do not contain adequate or appropriate safety standards for protection and security of airplane systems and data networks against unauthorized access these special conditions contain the additional safety standards that the administrator considers necessary to establish a level of safety equivalent to that established by the existing standards in a nutshell dude we built this plane we didn't imagine we're going to like put networks and internet what not on it so this is going to fill the gaps between that and now so examples of aircraft that have to follow this special condition are boeing

77 737 max and airbus a350 a short list of examples so these special condition aircraft have to have a corresponding ansp that is an aircraft network security program yay more security programs and what's cool about this is that it is an agreement between the air operator aka the airline and the manufacturer on how they plan to secure the aircraft so they have this agreement and then it's signed off by the government regulator so it would be the faa in the u.s a lot of those plans are built off of a nist cyber security framework right faa government-based government likes nist it makes sense and a lot of other aviation security plans um are leveraged as well so if you have uh

within your corporate structure some sort of network policy and stuff like that a lot of them will combine it into it as well so the main takeaway from all this lovely documentation is that the emphasis is on safety of flight in regards to cyber security so keep that in the back your mind and the way that they do that is through a defense in-depth security approach all right who is involved in following all these rules there are six players listed and there's a lot of like sub lists out there of who's involved in the aviation ecosystem but i really like the list that was defined in the 2018 u.s national strategy for aviation security once

again us-based so keep that in mind and their six a's start with aircraft so back pre-covert there were over um 24 000 commercial flights daily over the u.s but this category also includes any government aircraft or any private aircraft as well next group are airlines and back when i used to work for an airline i really appreciate how it was defined in this document because it highlights that there are airlines of multiple sizes right there's big ones small ones we all recognize that they have different bandwidths and you have to consider that different enterprise networks of an airline can span more than just the aircraft right they have ground systems it may be in the airport or not

and my favorite sentence from the document was how an airline is managed has an impact on its safety and the security of the aviation ecosystem and i took that really to heart because every player has an equal impact within that ecosystem so we need to all keep each other accountable the third category airlifts i was like what what is this term and it's just meaning that they're a cargo carrier and you may think oh hey um they're just transporting cargo not passengers the regulations shouldn't be as strong but it's they follow the same regulations as regular passenger airlines and they do have a great economic impact the international air transport association or iota they reference that

about 35 percent of world trade by value which is about six trillion dollars is being transported by airlift carriers so that is a lot if anything was to go wrong next are airports there's over 44 000 globally and about 19 000 within the us and this covers your traditional large airports small municipal airports but also helipads uh package delivery hubs and logistical airports does anybody know what a logistical airport is they're super cool so anytime you need to like film like a cool plane scene out in the middle of nowhere that's that's where they're at and when um a lot of airplanes were grounded in the past like they would store them there in the middle of the desert because it was

actually really good for the environment for the aircraft all right fifth is aviation management so that's your national or international bodies so it would be the faa in the u.s eos and europe some countries have their own small regulatory group and it also includes air traffic control for us last but not least our actors and i i don't really like how they just made this as the catch-all at the end i think they could have probably defined it a little bit more but it claims it's for people or entities that operate maintain or utilize any aspect of the aviation ecosystem the scope's super wide it's not limited but also includes the original equipment manufacturers suppliers like the inflam entertainment

company i used to work for and uh it also references nefarious activity coming from within this group so security researchers would probably be dumped into there as well all right so how do the players fit into the ecosystem next i'm going to tackle it from like the operational aspects within the ecosystem keep in mind i am not a pilot the best way when i was trying to teach myself how everything fits in was to go from the mindset of a passenger because that's what i'm familiar with so what happens before during and after flight in regards to networking security those types of items so what a passenger sees barely scratches the surface so once again

this graphic is awesome because it sort of covers everything but it's from nasa they're great just remember that it's a government group so it's going to be skewed a little bit towards that way

okay before you even think about buying your ticket um or ordering your amazon package that is also shipped on a plane there are a lot of things that go on so that you can buy your item if we think back to our certification we need to make sure that the plan is certified if you ever are sitting in the seat on the aircraft and you see another aircraft you see people wandering around it it's most often the pilots doing their safety checks looking around make sure that they don't see anything because the aircraft needs to be certified safe to fly by your civil aviation authority you also have a lot of staff from different groups that also need to be

equally certified in whatever their prospective role is so we have tsa if you're flying internationally border patrol all the flight crew has been vetted and and they count in that ecosystem as well in regards to planning what staff is needed if you have pilots that only know how to fly regional jets you don't want them on your big 787 right you want to make sure that they have the right skill sets and you want to make sure that if you have a six or a long haul flight that you're not scheduling a regional jet so regards to reservations do you have the same configuration do you have the right items you need for your passengers in order to get to where

they need to go and what locations are available so this is a bunch of high level general stuff during the flight as your package is hanging out in cargo or you're watching your favorite movie on the seat back there's still more things going on of course we have the avionics that are helping control the plane you have your cabin uh passenger functionality so in case of turbulence you know the light goes on and whatnot there's things that trigger it crew and passenger functionality and i'll give a little story on that later and then air traffic management providing navigation information so something we sort of take for granted is that when we're flying they're doing their best to avoid turbulence and one

important thing is making sure they're getting accurate weather data in as often as they possibly can because i've heard of cases where the weather changed and they couldn't re-route them quick enough and like flight crew have actually like broken their arm and stuff like that because it was that severe so little things you wouldn't necessarily think are making your flight as comfortable as possible or included in that okay so after you land what's going on same deal right pilot gets out check the plane see this needs maintenance you want to make sure that your bags are getting rerouted the right way right so that it's on the plane with you on your next flight it's a bunch of networking

as well getting you to your next flight um communication with the ground system so i know some of you i hopefully are just only yawning because of like food coma after lunch but this sets the scope of the ecosystem right so so keep that in mind all right therefore what is aviation cyber security securing every single thing that i previously mentioned in all those slides right it is a crap ton of work but it was super super fun so i'm going to talk about my past experience do you have any pilots in the room private pilots sweet cool call me out on stuff i'm not a pilot i don't get offended i just want to

learn more i love this graphic because it has a great overview of how all these technical systems flow within the aviation ecosystem and it comes from the american institute of aeronautics and astronautics or aia and they had an amazing white paper come out in 2013 called a framework for aviation cyber security so if you have like no background and you want to like get into this area this is one of the good papers to start out with if you don't want to pile through a bunch of like government regulatory type documents and they reference a section highlighting aviation the evolution of information and communication technology so it's just highlighting that the plane was a nice pretty closed

system with no networks on it and we didn't want to add internet to it yet and then we did all of that and then it changed the environment and i'll go into more detail with that later so now you have to secure the data for each part of the system and it's a lot and even if you want to do it by yourself if you have all the money to do it by yourself you still can't because you are dependent on all your suppliers and your vendors and the government jurisdiction that you fall under so i'm going to start from the airplane point of view because that's how i started and uh there's different experiences right so

the passenger versus the employee that's working on it so if you you think of the onboard systems like native avionics those definitely have a higher level of criticality than something like passenger system then we jump to communications how do you talk to the rest of the world right it's not just the aircraft itself you gotta go talk to ground cell it's like similar to cellular versus wi-fi availability satcom versus eight cars who knows what eight cars is sweet okay next we're going to look at the external environment so if you're thinking that you're at an airport right you have a lot of systems there's ticket kiosks does the airline own that does the airport own that whose network are they

using baggage claim systems any on-site maintenance systems like see the airline had a hangar there available if you take it at another level removed think about all of the internet of things devices we love iot devices and it could be that third parties are using it right so your cleaning crew or the the sky ships that are trying to figure out hey how many meals need to be on this flight and of what type so all that data is flowing and they're all sharing infrastructure all right here's a nice meaty bit i know a lot of you are like i don't care about any of this background stuff tell me about the plane so here are the domains on the

plane these are highlighted within the special conditions document and this cool graphic is courtesy of connected aviation today and the domains are listed in order of criticality to the safety of flight so we're going to start with the aircraft control domain and that is where all of your core cabin functionality falls in right and your avionics anything you need to run your plane the in the middle domain is called the airline information services domain so the aisd and it's been described as providing services interconnectivity to other domains while providing a security perimeter so this is i don't like calling it a firewall but it's it's the in between and it can be categorized into two

subdomains so you have your administrative subdomain which provides operational and airline administrative support to the flight deck and the cabin and then the second sub-domain is for passenger support so that sends information to the passenger system so for instance if you're ever looking at the entertainment system and it's a map of here where you are on your 12-hour flight that data is being flowed from the aisd domain lastly is the domain that we're all very familiar with which is the passenger information and entertainment services domain also known as pisd and this is the most dynamic domain out of all of them because it has to keep up with the functionality that we're demanding at home right we want to

bring on all of our ipads and laptops and tablets and whatnot and they have to have the functionality to support it so it's the most open and potentially the most dangerous okay we understand the rules from the regulatory aspects the players in the environment the ecosystem and the aircraft data domains how do we treat the system would you think it's more of like an um operational technology type environment or an information technology type environment yes you can yell it out yes yes that is the best answer yes and that's why when i i worked at the airline my job was so much fun um when i think of an ot environment i think of like

electricity grids nuclear power plants water treatment systems stuff like that that if there was a failure there is going to be a negative impact some of them severe to human life anybody here ot professional anybody sweet if you have any specific ot professional questions ask the guy in the back

so does that mean an aircraft is like your typical industrial control system i'm not going to say yes because it's not it's it's in the middle it's in that lovely little fuzzy gray area where that airplane is on my my diagram and when we incorporate more tech it's becoming even blurrier than it was before so if you think of the avionics aspect of the aircraft with systems that are in the aircraft control domain it's it's very much like an ot scada type system that something goes wrong high risk of potential loss of life items like that and then if we go down to the pi's d domain that's all your fun i.t related items where it's definitely

more vulnerable than before so i like to point it as we're an integrated control system in a commercial environment with ot like regulations and it needs from passengers and businesses does that sound like fun does anybody want to do that all the time if you're new to integrated control systems or you just want more info whatnot there's actually really cool online trainings from dhs but then you have to uh decide whether or not you want to give your information to dhs so i'll let you make that call but they're they're really good if i had a chair i would sit down now because it's story time we're going to talk about um aviation unicorns and this is my my favorite section

because it's going over use cases from items that i've seen or experienced within the industry good old software patching and updates so i'm going to have two slides on this so the first one i'm going to talk about is when i used to work at the in-flight entertainment company and i was on [Music] integration test team and there would be times where like customer wanted some sort of update or we needed a patch whatever and we would rush to get it out as soon as possible right because we want a quick turnaround time and we'd have this nice pretty package and whether it's a physical or virtual and we'd hand it over to the airline

customer and then we have no control over when they decide to update it right because we don't own the aircraft that our system is on they purchased our system and it makes it really difficult because if you want to make sure you have that that good ecosystem right you have to trust your partner and vice versa so something that we had to do was just have amazing communication with everybody in play right if you think of from like the id side with your your iphone you get the ability to like update it a couple times before it's like no you really need to do this now before it locks you out and then from like an ot standpoint

you get the luxury of deciding you know what my system is air gapped and i'm going to decide whether or not i want to push this update now or if i'm going to wait till like we're at the end of whatever operational cycle and then we'll do an update but they have the luxury to decide so how do we combat against this unique situation i said it earlier and it's with defense in-depth security so a lot of the aviation software's signed they use roots of trust the aircraft is an embedded system even though like you you may see systems booting up and you see like the cute little linux penguin and whatnot it's not just like an open source

operating system so we know the software and the hardware together have to be more robust than what you would just get off the shelf and one of my great examples i i love to tell people about is like oh you see like a usb plug you're gonna put something in there and they make all these false ridiculous claims that they can like upload software to the aircraft there's like manual switches that you have to like turn so you just can't push stuff the way that people portray it that you can my next story is the ever expanding attack surface thank you iot make everybody's jobs easier said no one ever so i remember one of my first conference

presentations where i saw a security presentation on a wi-fi kettle and how it was just like this wonderful entry vector into someone's like home network right because a lot of these iot devices have little security if any and the passwords are like super easy and it's just wait it makes it way too easy to to access the network so the aircraft was designed to be a closed system no one ever thought we were going to do things like this when it was initially created but because of its really really long life span we just keep tacking on new functionality and we need to equally make sure that there's adequate security to go along with that

another good example i'd like to highlight is that anytime you see those usb ports on aircrafts more often than not the if if it originally was installed with a data connection it's been clipped but more often now they're being installed with no data connections so people are like i can plug stuff in and do things and you you might not be able to to do anything on it at all so the main point of this slide is just to highlight that back when i was working at the airline and the in-flight entertainment company iot items were constantly on our mind and that we included it as part of our security plan how are we going to try to work hard to

combat that as well back to software patching and upgrades so what are things are changing in the future right what are we going to do next good old over-the-air updates right you think that would be nice we'd save time whenever a plane isn't flying you're losing money and if a car can do an over-the-air update why not a plane so many reasons that you don't want to do that if you think about the domains that i listed earlier um there is a lot of stringency when you're doing any type of software updates for the air travel the aircraft control domain and you have to verify it it gets signed off what not so that is definitely a

domain that you do not want to do that initial talks would potentially well hey i need to update my media for my in-flight entertainment system what if we did that over the air and some i think some are getting closer to doing that it's been a couple years since i've been in that space but if you think about it from a risk perspective if the upload fails or whatnot hopefully they have backwards compatibility compatibility to any old media or you just shut off the system their safety levels for the systems on the aircraft and the in-flight entertainment systems have the lowest one that if it doesn't work or something fails the pilot can just shut it off

no impact to any of the people that are on that plane and then the business aspect of that is if it's like a 12-hour flight do you really want to do that are you going to lose money if you're selling things through that system so there's just different sides of it to think about

it's a lot of stuff right there's a lot of things to think about and how do you deal with all of this when i first started i initially got overwhelmed because i'm like okay play needs to be safe software needs to be safe gotta make sure like things are fine at the airport and everywhere else we're going you can get overwhelmed really really quickly and it's it's not like it's easy to do all this but you're able to do it because you have constant communication with your suppliers and vendors and everybody has the same common goal does anybody in security work in a non-compete environment yeah one person okay when i first started i thought

they're my competitors right they're different airlines they're trying to take my market share like why would we want to share this type of data but it's really really important because we all have the same goal in mind we care about the safety privacy and security of every passenger and their data when they travel with said airline what was really cool was on a daily basis i was talking with my counterparts at the other airlines i had connections with my suppliers to make sure hey if they heard of anything how do we make sure that we can identify it within our systems and there's a handful of companies and industry groups that help facilitate that so if you want more information on

what's going on in a specific industry check out here's another acronym information sharing and analysis center so there's several of them there's an automotive ice sac financial services multi-state and of course my favorite is the aviation icesac where we would work doing tabletop sessions or have little conferences like this with everybody to make sure that we understood what was happening within our environment

and it was through those companies and organizations that i realized that we need to do better about engaging research community because any time you hear an article pop up regarding someone who thinks they have to plan or think they did this most of the time you find out it's not true but what if there was a better way to make sure that the communication was a lot better between those two groups and like anything that involves a certain amount of government it's going to be slower right in comparison to commercial industries but luckily i'm seeing that a lot of aviation companies are offering bug bounty programs vulnerability disclosure programs and they're they're turning a corner

they want to hear what the research community is saying and but they're afraid right they don't want to invite anybody to try to like test anything on a live aircraft but it's a catch-22 right because there's no testing environment currently for for open uh security research individuals that don't work for a company to try to figure stuff out

so a question i ask i often think that possibly could be in some of my phd research is how can we be curious on both sides while being safe right because the regular regulation states that we need to prove that the systems are secure and testing is a component of that so both parties need to to try to work together and something that just makes that problem even worse is that there is a constant lack of trained cyber security talent i don't care what industry you're in it just feels like we never have enough and we're never going to be able to catch up and plus in aviation it's just 10 times worse because you're looking

for that perfect unicorn of a person who has cyber security expertise maybe they understand how to fly because they're a pilot they have cyber security degrees or certifications they understand sysadmin aspects from like a ground system and maybe they understand what it's like to be a threat hunter to be proactively looking for issues that person doesn't exist and would be the worst job wreck ever to try to find someone that would fit that so unless we um grow the knowledge base ourselves we're never going to be able to find the right people to fill that so that's why i'm here i try to make sure that the information that i have available with me that i can share can

get put out there so if you're new and you're like olivia i want to figure out how to get into this area it seems really really cool everything that i gave in this presentation is is open for at least an overview some of the regulatory documents you have to pay to get a soft copy of it which is a bummer but everything else you can find on the open internet and i practice what i preach so here's every single link that i went to because i care so i really want to thank you for um coming to my talk i know the guy who wants his money back because i didn't tell you how to hack a plan i'm sorry

but i have stickers so if you want a sticker come up and say hi and i hope i sparked your interest because i if you were zoning out the whole time i just want you to leave with knowing that the industry truly does care about cyber security regardless of what you hear in the media and they really want to engage the research community more so don't forget to take my survey and also the survey for the conference and i would love to take any questions if anybody has any yeah go for it mike rudder mike renner so i have a couple questions uh so the first is your graphic uh that indicated there's three separate sections of like

layers of uh containment in the aircraft right one for the cabin one for the crew that got it yes are those segmented off from one another yeah completely yes okay yes cool i was just curious because it you know seemed to indicate that but i want to clarify when people ask me questions like that i want to dive into the nitty-gritty and i can't so i'm just like absolutely yes totally good second question was the logistical airports i had never heard of those before are they used uh like additionally for like maintenance and testing and things like that and are they uh for specific airlines or do airlines share these no they're they're think of them like municipal

airports out in the middle of nowhere i grew up in southern california and i used to go atv riding out in like the middle of nowhere and we would pass by logistical airports and and sometimes you'll see them do like by they i mean whoever decided to rent out the facility to do whatever type of flying they did but if you want to look up where the 737 max airlines were stored when they couldn't fly a lot of them were logistical airports so thank you yep yes do we all feel somewhat safer flying did i scare anyone i actually feel better okay good just for the record and also plus one the use of i stacks i'm a member of red eyes and

that's paying for your buck on security spend so once again round of applause

you got a little bit of time you can come give her more questions if you want go