Hacker wants aviation industry to put ego aside in name of security


Though aviation industry stakeholders remain highly skeptical about whether it’s feasible to hack inflight entertainment (IFE) systems on inherently analog, legacy aircraft to gain access to flight controls, all can agree that cyber security measures were thrust into sharp focus when an FBI report emerged alleging that security researcher Chris Roberts had made an attempt to do just that.

Admired by some and shunned by others, the infamous white hat hacker recently asserted to Runway Girl Network that – whether we agree with his methodology or not – his goal is to help industry tackle the very real threat of hacking in aviation head-on.

The first step, according to Roberts, is putting our egos aside.

“We are our worst enemy insofar as dealing with security. We get in the way and we simply can’t fix the problem because of ourselves, so we have to remove ourselves from the equation,” he told RGN in an exclusive interview. “When you eventually work out that we’re all living the same lie then let’s talk, and let’s talk about how to cooperate. But if your only view is that of what’s been presented by the media or you live by Twitter then we are not going to agree, and that’s fine too.”

Roberts believes that in continuing to use off-the-shelf technology, the industry is weaving a web of breachable systems behind which sit vast troves of sensitive information. Add this to the high public profile of aviation in general, and you get an environment that’s pretty tempting to those with a malicious agenda.

“The digital age is opening up a whole set of attack vectors that were not there before for many reasons,” he says. “Our desire to use off-the-shelf technology in a system that demands more protection will increase the issues. Our desire to remain constantly connected no matter how or where we are [and] our reliance on vendors and their ‘we’ve got security covered attitudes’ – there are a heap of things that simply come together.”

Is the industry still in a reactive mode? Yes, he suggests, noting, “A lot of what’s being done is reactive or is covered in so much paperwork that it’s almost impossible to actually get something done. Taking a more proactive approach to security, training the people who actually design the systems and starting with security in the design as opposed to it’s an afterthought attitude is crucial.” This is especially true as aircraft become truly e-enabled.

Global Eagle Entertainment, in a new White Paper about what broadband connected aircraft will mean for airline operations, notes, “For today’s aircraft, legacy avionics networks and third-party aircraft interface devices segregate operational data collection and transmission from consumer browsing activity on board. However, tomorrow’s digital aircraft – including the Boeing 737MAX and the A320neo family – will isolate the on-board aircraft network used for avionics and aircraft control from the connectivity networks used for consumer browsing. Airlines that make connected aircraft investments must consider which data sources are critical for operations and which interfaces share internal and external networks with critical avionics and aircraft control components.”

Roberts agrees that “the newer stuff’s more digital, however even the older stuff (737/747) still has digital to analog interfaces and a lot of the public/cabin facing stuff is digital.”

For its part, the US Federal Aviation Administration has proposed guidelines for operators to create an Aircraft Network Security Program (ANSP) for all truly e-enabled aircraft, and has established a new industry working group to provide guidance on how to further bolster aircraft cyber security.

Meanwhile, since the media maelstrom that followed his now infamous tweet from on board a United 737 – which led to the aforementioned FBI report detailing alleged past exploits – Roberts says he has been more in demand as a conference speaker than ever before.


“I’m somewhat of an animated speaker, so I’m fortunate that I’m regularly called upon to stand on stage, wave my hands around and entertain. But I honestly do hope to provide insight and messages that people will remember,” he says. “The fed thing did bring out a few more people from the woodwork though.”

As media partner of the upcoming inaugural Digital Traveller conference (10-11 November in Shoreditch, London), RGN has known for a while that Roberts was scheduled to appear in one of the first day sessions, and we had a feeling it might cause a stir. Sure enough, when the conference schedule was publicly announced several weeks later, emails from industry colleagues began to roll in. “Why are we giving this person a voice? Is this some kind of PR stunt?” asked some. Admittedly, these were questions we had also pondered. “I don’t think he can teach us anything,” said others.

We decided to ask Dr. Paul Galwas, security architect at Digital Catapult (the man charged with interviewing Roberts on stage in November) as well as Memphis Media, which is organizing The Digital Traveller, about what they hope the session will uncover. Galwas is acutely aware that his session will come under deep scrutiny. He intends to keep the conversation focused on what we can and should be doing, rather than wading into murky waters of speculation on what may, or may not, have already happened.

“I will avoid general security ‘hot topics’ that add little to the debate around the specificity of this particular market sector,” he says. “But rather try to shape clear messages to answer the question: what should I do next and with whom?”

Karim Halwagi, managing director of Memphis Media, organizer of The Digital Traveller, believes that Galwas’ knowledge and understanding of the security protocols and identity/asset protection will enable him to both challenge and support Chris’s perspective on this critical topic. “Our hope is that this session will provide key insights into the issues that exist and that may have been ignored, or remain a lesser priority, when looking at the development of connectivity in the air travel channel.”