Cyber Security Awareness Month

Hands up who knew it was Cyber Security Awareness Month? OK, we’ll take your word for it; but who was aware of the cyber threat to aircraft and airworthiness? In this article, SQEP Ltd Principal Cyber Security and Safety Consultant, John Martin, pulls back the curtain on this fascinating area of Cyber expertise.

Week 1: Cyber in Aviation

Cyber in Aviation: What’s the biggest threat?

As with all cyber-attacks, it’s the human-in-the-loop which presents the biggest vulnerability. In the world of cyber security for airworthiness, everything is about preventing IUEI: Intentional Unauthorized Electronic Interaction. Focus on the word intentional. We are mitigating the possibility of someone ‘hacking’ the aircraft. It’s not about reliability-related failure – an IUEI is safety-critical sabotage.

I know this is a sweeping generalisation; however, modern aircraft are pretty much secure-by-design, and if they aren’t, they won’t get certification. And remember, flying remains the safest form of travel. Flight controls are isolated from the non-flight-related systems and for good reason, right? There are strict rules and regulations governing hardware and software design for aircraft which prevent someone with a laptop and Xbox controller (other console controllers are available) taking over the aircraft controls. Thank goodness!

So what’s the risk?

Modern aircraft are flying data nodes – particularly military aircraft. They transmit and receive huge amounts of data and operate on devices filled with firmware and software, which all need updating and configuring…and there’s your weak link. There has to be a way to perform software/firmware/configuration updates and ‘someone’ has to do it.

An electronic ‘device’ will at some point during operation/maintenance be plugged into the aircraft and an exchange of data will take place. It is these discrete data exchanges which pose the most credible cyber threats to aircraft.

In most cases, a successful cyber-attack will likely be the result of good old-fashioned social engineering. Whether it be a complex phishing campaign (more on that in the following weeks), blackmail, sextortion, etc., it is anything bad actors/hackers can do to convince someone to ‘just plug this in’.

So how do we mitigate against aviation cyber threats?

The same way as all cyber threat mitigation: with a rich mixture of people, process and technology (but perhaps with a bit more rigour):

  • Technological mitigations generally involve things which authenticate and identify systems, processes and users. It’s a widget/code which makes sure you (or a system) are who/what you say you are, are only doing what you are authorised to do and only have access to what you are authorised to have access to (part of the cyber security principles of least privilege and defence in depth).
  • Processes can be technical or manual, so it could be a series of software conditions which have to be met, which result in a desired level of access and/or authorisation; or it could be that a user must multi-authenticate, use a swipe card and/or enter a PIN etc; or a function which has to be undertaken by two (or more) people. There are so many, but you get the gist.
  • People are the hardest. We need to ensure that security sits alongside safety as a top priority and that people follow security protocols/procedures. This can only be achieved by developing and engendering a just security culture, through effective leadership and a Security Education and Training Awareness programme, or ‘SETA’.

What you are reading now is part of the SQEP SETA campaign, as are the security-related processes and policies you read. People need to be aware of security requirements and processes and know what to do in terms of security, and they must feel safe to report security incidents if and when things go wrong.

John Martin, Principal Cyber Security and Safety Consultant

SQEP Ltd

CONTACTING THE AUTHOR

If you have any questions related to cyber security for airworthiness, please drop John Martin a line. This is the narrowest of snapshots of what is actually a fascinating and highly detailed topic (about which John is very passionate and happy to talk…for days if you’ll let him!).

john.martin@sqep.com
