At some stage in our lives, most of us will have been told that flying is statistically the safest form of transportation and up until recently, we’d have had little reason to doubt this assertion. However, the recent spate of crashes involving Air Algérie, TransAsia Airways and of course, Malaysia Airlines, has got people asking questions about the safety of air travel. According to the Aviation Safety Network, 760 passengers and crew have been tragically killed so far in 2014– a 186 per cent increase on the previous years’ fatality count with five months of the year still remaining.
The industry has been quick to downplay fears, pointing out that there is no common root cause linking the accidents. Bad weather has been blamed for the fate of the TransAsia and Air Algérie aircraft, while Malaysia Airlines flight MH17 was reportedly shot down. However, the disappearance of the other Malaysia Airlines flight not to reach its destination this year – flight MH370 – remains a mystery. In the immediate aftermath, the Internet was awash with a whole host of possible theories ranging from the sublime to the ridiculous. Sally Leivesley, a former scientific adviser to the UK’s Home Office, even went so far as to claim the plane may have fallen victim to cyber-terrorists who hacked into it and flew it off course.
Although I am not suggesting this happened, such a scenario isn’t actually as far-fetched as it may at first seem. Boeing was certainly worried enough to have additional security installed aboard several of its 777s prior to the disappearance of MH370. The fear was that hackers could use USB ports in the in-flight entertainment (IFE) system to gain access to the flight management system (FMS). As a result, a so-called “network extension device” was added to separate the two systems. Furthermore, researchers at the U.K.’s University of Cambridge revealed back in 2012 they had discovered a way for hackers to disable the security on Actel Corporation’s ProASIC 3 chip that is designed into many flight-critical applications on the 787 Dreamliner. Boeing countered these findings by claiming that “spurious inputs, even if they somehow made their way through to the system, would be ignored.”
There are some in the industry who feel the growth in passenger in-flight connectivity (IFC) represents the most dangerous attack vector of them all. Six years ago, when IFC was still a nascent market, the U.S. Federal Aviation Administration (FAA) ordered Boeing to demonstrate that certain flight critical domains on the 787 could not be tampered with by hackers. The reason being that the design of the aircraft meant there was some level of integration between the network used by passengers to browse the net and send email, and the network used to relay flight-safety, navigational and maintenance data to the ground. To alleviate concerns and comply with FAA demands, Boeing made use of air gaps – an airtight security measure that physically separates one network from another.
By the end of 2014, over 4,000 aircraft will have been equipped with the requisite hardware to enable in-flight Wi-Fi, in-flight mobile phone use, or a combination of the two. That’s close to 20 per cent of the total global active commercial fleet. In order to help underpin the business case for this IFC (SATCOM systems and airtime don’t come cheap), there is a growing desire among airlines to use the connectivity pipe to improve business operations as well as support passenger connectivity. For example, critical engine data can be sent to engineers so that preventative maintenance can be carried out at precisely the right time. The idea being that unwanted downtime and the frequency of purchasing and replacing costly parts is kept to the bare minimum.
While airlines may want to combine networks in this way to realise operational efficiencies, the industry is taking great care to ensure the appropriate level of security by keeping them physically separate. ARINC 664, for example, is a standard that defines a formalised organisation of the aircraft systems and airborne networks into domains. The Aircraft Control Domain (ACD) comprises systems which control the aircraft from the flight deck, the Airline Information Services Domain (AISD) provides operational and administrative information to the flight deck, cabin crew and maintenance services, and the Passenger Information and Entertainment Services Domain (PIESD) provides IFE and access to the public Internet.
This strong partitioning of domains is intended to ensure that the ACD and AISD cannot be compromised by someone tunneling through from the PIESD. As was the case with its involvement in the 787 design process, the FAA was so concerned about precisely this that it imposed special conditions on Boeing before allowing the 747-8 jumbo jet to take to the skies. The Seattle-based airframer was obliged to prove that the ACD and AISD were protected “from access by unauthorised sources external to the aeroplane, including those possibly caused by maintenance activity” and that “effective electronic system security protection strategies are implemented to protect the aeroplane from all adverse impacts on safety, functionality, and continued airworthiness”.
Today, the majority of ACD data – such as communications between the cockpit and air traffic control – is sent via the Aircraft Communications Addressing and Reporting System (ACARS) protocol over Inmarsat’s legacy classic Aero L-band services. Because classic Aero provides extremely limited bandwidth, these SATCOMs are generally unsuitable for supporting passenger connectivity. This means that ACD and AISD data is kept apart from PIESD data on many aircraft as a matter of course. This is because a passenger network is either not yet installed, or if it is, it relies upon Inmarsat’s much faster SwiftBroadband service, Gogo’s air-to-ground communications or various Ku- and Ka-band-based satellites. However, with SwiftBroadband set to be granted approval for the transmission of ACD data, otherwise known as flight safety services, keeping these domains separate will soon become much more complicated on L-band equipped aircraft. When this happens, expected to be sometime in late 2015, there will likely be some airlines using a SwiftBroadband SATCOM to support all three communications domains.
Cobham, a leading avionics manufacturer, recently introduced its next generation SATCOM line that follows ARINC recommendations for keeping these domains separate. The AVIATOR S series offers two or four channels of SwiftBroadband through one unit. In order to help airlines save costs and at the same time, ensure optimal safety, the ACD and AISD data is sent over a shared channel. So-called “data arbitration”, as recommended by the ARINC 781 standard that concerns L-band SATCOM systems, is used to separately de-modulate ACD and AISD signals thus isolating these two domains. PIESD data can be transferred by one or more of the spare channels on the unit if applicable.
Although appearing to have a good grasp of how to maintain data integrity and security across the three domains, Cobham has not been spared criticism by the security industry. IOActive, an information security services firm, published a report in April 2014 evaluating the security posture of the most widely-deployed L-band SATCOM terminals. The company alleged that the AVIATOR 700D product (used for passenger connectivity only and a precursor to the AVIATOR S line), contained vulnerabilities that would allow a would-be hacker to use a maintenance port to bypass authorisation mechanisms and gain control of the satellite link used for transmission of ACD data. Cobham responded by claiming its devices can only be subject to an attack of this nature if the hacker can physically access this port. This means a cyber-terrorist would not be able to exploit the vulnerability from a remote location and would instead, have to gain access to the electronics bay during flight. It goes without saying that this represents an extremely unlikely scenario – unless you’re Harrison Ford in the movie “Air Force One”.
In theory, remote access to the ACD is possible though. Hugo Tesso, a security analyst and licensed pilot, demonstrated that it was possible to launch an attack against onboard aircraft systems using just an Android phone. At the 2013 Hack in the Box security summit in Amsterdam, he revealed how easy it is to collect and analyse ACARS transmissions to determine the specific hardware installed onboard various aircraft. He used this information to send an appropriately modified database to the FMS via ACARS. This resulted in an error message he exploited to execute malicious code that then gave him the ability to remotely alter speed, altitude and direction. It is important to note that these methods were used on flight-simulator software that contains some of the same computer coding as real flight software. That is, Tesso did not hack into a real aeroplane. He has, however, been in touch with the companies that make the systems he exploited so that relevant security holes could be patched.
Even though there has been a huge industry push to ensure aircraft domains are kept separate and secure, there are some who feel that single platform solutions just carry too many risks. A more secure alternative, they argue, is the installation of two totally independent communications systems: one that handles passenger connectivity and another that deals with various cockpit and crew applications. As a result, a number of avionics manufacturers are reportedly fielding requests from a number of airlines for separate systems. Some of Qatar Airways’ 787s, for example, use a line fit L-band SATCOM system from Rockwell Collins to transmit and receive ACD and AISD data, and a second retrofitted L-band SATCOM from Thales.
Increasingly, many aircraft carry an L-band SATCOM for transmission of ACD data and use a Ku- or Ka-band-based system for passenger connectivity. This is, of course, one way of keeping PIESD data and ACD data separate. However, as discussed previously, there is a growing trend for airlines to use the same broadband connection serving passengers to manage AISD data. Southwest Airlines recently signed a deal with Boeing to use its Airplane Health Management solution to collect and evaluate this type of data in-flight. In order to separate the AISD from the PIESD, two different wireless channels will be deployed. The SSID (service set identifier – the more technical term for the public name of a wireless network) for the channel assigned to AISD data can be hidden so that the passenger cannot tap into it.
Unfortunately, as the number of connected devices increases the world over, so too does the probability of hackers and malware writers targeting these systems to exploit networks, steal data, hijack systems, and compromise workflows. Thankfully, these threats are currently few and far between compared to how many connections there are. However, companies do need to properly protect themselves as the consequences of failing to do so, can be serious. The Sony PlayStation Network breach of 2011 cost up to $171 million in damages and that’s without taking into account intangible costs such as reputational damage and investor confidence. Connected aircraft are no exception. Fortunately, the airline industry has taken a number of steps to best protect networks and the very best in the business are constantly looking at how to stay ahead of the game. This includes airframers, avionics manufacturers, well-educated network specialists and helpful security analysts like Hugo Tesso.
So when we begin to question the safety of air travel, we should be mindful of this and thank our lucky stars that there is a lot more caution being exercised than in the maritime world where none-too-dissimilar connectivity is also being deployed. In many cases, vessel operators are yet to adopt even the most basic security practices. Indeed, it is reportedly all too common for the key ECDIS (Electronic Chart Display and Information System) found on many ships to operate on machines with the basic default configuration in place and without antivirus or firewall protection. Alarmingly, hackers were even able to tilt a floating oil rig and shut it down just this April, while last October, drug smugglers infiltrated computers connected to the Belgian port of Antwerp, identified specific containers, escaped with their smuggled goods and deleted the records.