There is no shortage in this world of IT experts and aviation experts. But as any journalist who covered the Chris Roberts “did he or didn’t he” inflight entertainment hacking affair can attest, there are few true experts who cover both fields extensively. This lack of cross-disciplinary expertise poses a problem for an industry that is seeking to buttress its cyber security…and fast. That’s why a vocal minority, including some pilots, are calling for airlines and airframers to open their proverbial kimonos to non-aviation IT professionals so that all parties can learn together.
“If someone does something to the inflight entertainment system and concludes he can access systems on the plane, we arrest him. How is that going to help?” asked KLM Boeing 777 pilot Jeroen Kruse today at the first annual Aviation Cyber Security Think Tank in Washington DC, and in apparent reference to Robert’s April arrest.
Kruse, who serves as vice chairman security committee of the Dutch Airline Pilots Association – itself a member of the International Federation of Air Line Pilots’ Associations – added, “The information security guys cannot tell us what to do because they don’t know how the aviation systems work and the aviation guys know that we need to do something in cyber security [but] we really don’t know what and how to get into the problem.
“And our problem with it is that, especially from the aviation side, airlines and aircraft manufacturers specifically are reluctant to get into the same room as IT specialists and see what the problems are, and get solutions. We’d like to see more cooperation there and we think that way we can make the skies safer.”
Removing ego from the equation is a view that happens to be shared by the now infamous white hat hacker Chris Roberts, who recently told RGN: “We are our worst enemy insofar as dealing with security. We get in the way and we simply can’t fix the problem because of ourselves, so we have to remove ourselves from the equation. When you eventually work out that we’re all living the same lie then let’s talk, and let’s talk about how to cooperate.”
Having a more defined cyber vulnerability reporting system in place on an operational level would be a solid first step towards developing contingency plans in the event of a hack attack, suggested Kruse. Since the 9/11 terrorist attacks, most airlines have developed a security culture that entails ‘if you see something, you say something’, he noted, and the International Civil Aviation Organization (ICAO) has security risk assessment provisions in place for airlines. “We think that should be extended to cyber as well” though every state would impose different requirements on the airlines in their country. “It’s going to be different for a central African country than it is here obviously.”
“You need information on threats, actual attacks that worked, others that didn’t. That information – somehow we need to find a way to share that. And at this time, the aviation industry is reluctant to share that information and [is] not embracing possibilities to do things with it,” he added.
Some attendees of today’s event shared an interest in seeing the creation of a national vulnerability database for aviation.
@RunwayGirl excellent idea, but can you imagine the politics. Closest is EU airline safety audits – they focus on safety – not security.
— John W (@jpwoodh) November 17, 2015
But would greater transparency – be it in the form of a database of cyber security events or something akin – simply serve as a treasure trove of sensational headlines waiting to be written by media? Kruse believes it would actually have the opposite effect, noting that commonplace aircraft safety incidents barely receive any proverbial ink at all these days (rather, more uncommon disasters seem to command the headlines).
“For example, I myself hit a ground power unit with an aircraft half a year ago because the brakes on my aircraft were not functioning during parking and then we report that, it gets into the newspaper this big [he pinches his fingers together] and nobody cares. And why doesn’t anybody care because we give this information free every other day and so the press thinks [it’s just another day]. If we keep everything secretive and one thing gets out, then it gets blows up because [press say] ‘oh, I didn’t know that could happen.’ So I think the first few [occasions where vulnerability is observed] are bound to have a lot of attention but in the end, I don’t think it would hurt them. I’m trying to sell that; it’s not working yet,” he quipped.
Photo at top courtesy of RGN contributing editor John Walton