July 4, 2016
Advances in technology have improved the safety and efficiency of business aviation in many ways. However, increased reliance on digital tools in the cockpit, flight department and the companies that support business aircraft operations also place aircraft and passengers at increased risk.
“The difference in the security discussion today is due to all of the mobility available,” said John Zban, chief information officer of Satcom Direct. “There are more opportunities to be compromised than there were previously.”
COCKPIT TECHNOLOGY THREATS
Increased use of some new types of cockpit communications, including controller-pilot data link communications (CPDLC), means the cockpit is at a higher risk of hacking or interference than ever before. CPDLC enhances ATC surveillance and intervention capability. It also plays an instrumental role in reducing mid-air collision risk, while also decreasing voice traffic on radio frequencies. But these communications – whether between the cockpit and the ground or between aircraft – are unsecured.
“These communications often contain very sensitive information,” said Jim Kazin, NBAA’s Security Council chairman and a flight department captain and aviation security advisor. “Since the transmissions are not encrypted or otherwise protected, there is a possibility of someone injecting false information.”
“Awareness and education are key to mitigating the cyber security risk,” said Kazin. For example, when communicating with ATC, consider your CPDLC instructions. “Do they make sense for your current scenario, or are they random?”
Language, syntax and context should all be considered when assessing the authenticity of communications to cockpit crews. Also, knowing which airspace may pose greater risks (such as Russia and China) can help pilots be more atten-tive and cautious in accepting and following instructions.
Listen to the related NBAA Flight Plan podcast titled “Keep Your Data Secure in the Air and on the Ground”.:
GETTING INSIDE THE FLIGHT DEPARTMENT NETWORK
Security threats also can come in through the digital tools used in flight department administration, including scheduling software, digital document solutions, cloud backups and other remote systems. These tools, while essential to business continuity and efficiency, are vulnerable to hacking, viruses and other interference.
As an industry, we do a lot of risk assessments for safety and physical security, but not usually for cyber vulnerabilities.
.
“Data and software is everywhere within the flight department,” said Kazin. “Almost everything we do is in some type of software-based system. These systems are subject to hacking and data corruption.”
“With social engineering-type attacks, the idea now isn’t to ‘jump the fence,’” explained Zban. “Instead, most hackers aim to get someone from inside the company to let the nefarious activity in.”
Zban said this can be done through the use of social media. For example, a flight department team member could receive an email that supposedly is from their child’s soccer coach. A hacker can identify an employee’s child’s school or team through Facebook or other social media outlets. Then they set up an email account that looks like it comes from the school, with a link to contribute to a fund-raiser or RSVP to a team party. That link is then the doorway into the company’s entire network and can threaten an individual’s personal safety and lead to compromised company security.
“These types of attacks are more popular than ever,” said Zban. “Building a bigger fence just isn’t an option anymore. Monitor, monitor, monitor. Watch for changes in your network, and when something looks different, investigate it.”
TAIL-NUMBER BLOCKING NOT FOOLPROOF
Business aircraft operators have benefited from the Block Aircraft Registration Request (BARR) program for many years, and NBAA has fought hard to ensure that business aircraft operators can retain the ability to block real-time broadcast of their flight information. (The FAA currently refers to this program as Aircraft Situation Display to Industry.)
However, many business aircraft operators don’t realize that, although the tail-number-blocking benefits of the BARR program are still available, the new technology of ADS-B negates some of these benefits, enabling certain flight-tracking providers to see the aircraft registration information.
FlightAware, FlightRadar24 and some other tracking providers have agreed to abide by BARR program requests, but certain other applications enable people to track aircraft all over the world – and very inexpensively.
“ADS-B transmits aircraft data in real-time,” explained Kazin. “That data isn’t limited by participation in the BARR program, and there’s no law that prohibits publishing or distributing that data.”
While most U.S. tracking providers have agreed to honor privacy requests, Zban cautions that international guidelines vary greatly, and he suggests operators talk with their service provider to discuss options for preventing access to your aircraft’s data, regardless of where you are flying.
CYBER THREATS OF INTERNATIONAL TRAVEL
Hacking of company and personal electronics in certain high-risk regions can be mitigated by teaching users about the threats involved.
For example, aircraft crews and passengers should be advised that a company’s exposure to hacking or corporate espionage may be elevated when flying to certain countries, such as Russia and China.
“Once you’re outside your corporate [computer] networks, you’re at much greater risk,” said Zban. “Add mobility and free will, and often the protections of the corporate network no longer apply.”
Zban explained that in some parts of the world, airborne internet traffic is automatically routed to the satellite earth station for the geographic region. This occurs when entering Chinese and Russian airspace, for example.
Satcom Direct recommends utilizing geolocation-based services that can send an alert to pilots when they enter Chinese, Russian or similar airspace. This will raise awareness of this Internet traffic transfer so aircraft pilots and passengers can decide whether to terminate or continue their internet connection. Once outside your own network, but especially in sensitive airspace, security should not be assumed.
ESTABLISHING AN EFFECTIVE CYBER SECURITY POLICY
“As an industry, we do a lot of risk assessments for safety and physical security, but not usually for cyber vulnerabilities,” said Kazin.
Experts recommend that flight departments implement several measures to bolster cyber security and reduce the risks of hacking, data theft or interference.
The first step to mitigate risk is to develop and implement a formal policy regarding cyber security, including flight department data – schedules, itineraries, ground transportation information and especially personal information. An effective policy should include a requirement to vet service providers, such as flight-plan transmission vendors, ground transportation providers, etc. The policy also should detail how vetting will be accomplished. In addition, flight departments should contact their service providers to learn about those companies’ policies on data security, including protection of aircraft registration and tracking data.
The difference in security today is due to all of the mobility available. There are more opportunities to be compromised than there were previously..
Flight departments should also establish policies regarding use of social media by both individual employees and for the company or brand as a whole. Obviously, no one should post aircraft tail numbers on websites or social media outlets.
In addition, a cyber security policy should include guidance on traveling with electronic devices, including how to secure laptops, cell phones and other equipment that hold sensitive information. Even a personal cell phone can pose a danger to the company if it contains a contact list for company personnel, for example.
Some companies prohibit use of standard electronic equipment in certain regions of the world and instead issue “burner” devices. This type of device is totally “clean,” meaning it contains no sensitive data. Once a user returns from a region of concern, the device is wiped clean. Although corporate or industrial espionage is often a key concern in these regions, individual security is also a risk, as personally identifiable information is a target for hackers in these areas.
In addition, flight departments should develop protocols for maintenance activities. For example, how are your aircraft databases, such as electronic charts, updated? Who uploads them? What device is used, and how do you ensure that the device used is sterile? A simple thumb drive can transfer a virus to your aircraft databases and wreak havoc on cockpit efficiency and safety.
Aircraft operators should con-sider contracting for a cyber audit. Specialized firms will look at a company’s network, including flight department software and tools, for cyber vulnerabilities. These assessments can also include penetration tests. A company’s IT or risk management department might have internal auditing procedures, but those experts need to be made aware of the specific tools used in the flight department. An objective look at any organization’s cyber security can identify threats and provide an opportunity to enhance security before a breach occurs.
Flight departments should also consider obtaining cyber liability insurance. This coverage not only covers an organization’s liability in the event of hacking of digital confidential information, but it also can compensate for accidental loss of critical information and even loss of certain paper documents.
With social engineering-type attacks, the idea now isn’t to ‘jump the fence.’ Instead, most hackers aim to get someone from inside the company to let the nefarious activity in..
Finally, educate flight department personnel and aircraft passengers about your new, improved cyber-security policies. Be sure company personnel know how to identify suspicious emails or websites, and that they understand the severity of the consequences of a network or data breach. Knowing the potential outcome of clicking a link in a suspicious email can prevent a harmful loss of data.
SITUATIONAL AWARENESS IS CRITICAL
In the rush of day-to-day flight department operations, it’s easy to overlook or downplay the risks of a cyber attack. However, by raising awareness among flight department personnel and aircraft passengers, you can empower them to help assess and mitigate risk.
“As an industry, we are just beginning to wrap our arms around the cyber threats we face every day,” said Kazin, who added that the NBAA Security Council will continue to educate member companies on flight department cyber security. “We understand the risks our digital world presents to our flight departments, aircraft and passengers, and we plan to bring awareness and understanding to the business aviation industry.”
Learn more at www.nbaa.org/security.
International Business Aviation Council Ltd.