Flight security

John Lincoln, vice president, marketing (Enterprise Segment), du explains the IT security threats being faced by airlines and the aviation industry

Tags: Emirates Integrated Telecommunications Company
  • E-Mail
Flight security Du’s John Lincoln says that key threats to the aviation industry are caused by not adequately managing network security.
By  John Lincoln Published  October 29, 2012

John Lincoln, vice president, marketing (Enterprise Segment), du explains the IT security threats being faced by airlines and the aviation industry.

The commercial aviation industry is going through a major upheaval. This is even more evident in the information technology domain, with a major transition towards the ‘digital aircraft’. With the next generation of aircraft like the Boeing 777 and the Airbus A380, the industry is moving towards the ‘connected aircraft’. This evolution is propelled by the need for increased efficiency and interoperability at reduced overall cost. This generation of aircrafts has extensive requirements for external information interaction. This is where the greatest data security challenges lie.

Whether it is aircraft avionics communicating with a ground station, or a passenger in the aircraft accessing a service using the internet, great care must be taken to ensure that only legitimate communication or ‘information transfer’ is occurring. On the ground, air traffic control systems have critical information security threat mitigation needs that have to be implemented. There are also a host of data checks that needs to be established before passenger even flies. Finally the traditional information security mitigation strategies need to be implemented similar to any large enterprise security needs.

Security checks

Security checks begin even before a passenger boards an airplane. The TSA (United States Transportation Safety Administration) secure flight programme matches a passengers profile against a no-fly watch list.  One of the other areas where implementing information security is key is air traffic control information systems.

There are identified significant security weaknesses that threaten the integrity, confidentiality, and availability of systems — including weaknesses in controls that are designed to prevent, limit, and detect access to these systems. Key threats are not adequately managing network security, software updates, user accounts and passwords, and user privileges, and logging of security relevant events.

Other information security controls — including physical security, background investigations, segregation of duties, and system changes — are also important to manage.

On the traditional information security threat mitigation domain, we can point to the SANS 20 critical list vis; Inventory of authorised and unauthorised devices, inventory of authorised and unauthorised software, secure configurations for hardware and software on laptops, workstations, and servers, continuous vulnerability assessment and remediation,  malware defenses, application software security, wireless device control, data recovery capability, security skills assessment and appropriate training to fill gaps, secure configurations for network devices such as firewalls, routers, and switches, limitation and control of network ports, protocols, and services, controlled use of administrative privileges, boundary defense, maintenance, monitoring, and analysis of security audit logs, controlled access based on the need to know principle, account monitoring and control, data loss prevention, incident response capability, secure network engineering and penetration tests and red team exercises. While this list is not exhaustive, creating a threat mitigation strategy based on this can be adequate.

Practical mitigation techniques such as DDoS protection for networks, satisfying the identity assurance and data integrity requirements of the civil aviation industry, identity management solutions, based on Public Key Infrastructure (PKI) technology must be deployed.  PKI is a set of policies, practices, and technologies used to create a trust framework for securing digital data and authenticating digital identities. It is extremely essential to protect web facing assets such as web servers, databases through web application firewalls, intrusion prevention systems and network behavior analysis tools.

Since the assets protected is so large it is also essential to deploy some kind of security information and events management tool such as SIEM to correlate security events or incidents into actionable intelligence.

Compliance

There are several specific compliance and regulatory aspects related to aviation information security.  ATA Specification 42 (Spec 42) describes the PKI requirements and specifications for the civil aviation industry, ARINC Report 811, Commercial Aircraft Information Security Concepts of Operation and Process Framework.

ARINC Report 811 was developed by airline and industry participants of the Airlines Electronic Engineering Committee (AEEC) Aircraft Information Security (SEC) Subcommittee, and it was adopted by the airline members of the AEEC in October 2005. ARINC Report 811 describes a three-step risk-based information security process framework, that considers existing airline operations and the organisational impact associated with the introduction of new aircraft information security procedures, particularly with respect to the management of mobile, global aircraft assets.

PCI is a standard that needs adoption as most aviation companies use online reservations and collect credit card information from passengers. Information security in aviation is tightly coupled with safety and reliability, and must not be ignored. Security vulnerabilities are ubiquitous. Most computer operating systems have weak authentication and are relatively easy to penetrate. Most such systems have weak access controls and tend to be poorly configured, and are as a result relatively easy to misuse once initial access is attained. System safety depends on many factors. System safety typically depends upon adequate system security and adequate system reliability. It can be impaired by hardware and software problems, as well by human fallibility.

Threats to security and safety are ubiquitous. The range of threats that can exploit these vulnerabilities is enormous, stemming from possible terrorist activities, sabotage, espionage, industrial or national competition, copycat crimes, mechanical malfunctions, and human error. Attacks may involve Trojan-horse insertion and physical tampering, including retributive acts by disgruntled employees or former employees or harassment. Denial of service attacks are particularly insidious, because they are so difficult to defend against and because their effects can be devastating. Systems connected to the internet are potential victims of external penetrations. Even systems that appear to be completely isolated are subject to internal misuse. In addition, many of those seemingly isolated systems can be compromised remotely because of their facilities for remote diagnostics and remote maintenance.

Potential risks

Perhaps the most fundamental question today is this: How much security is enough? The answer in any particular application must rely on a realistic consideration of all of the significant risks. In general, security is not a positive contributor to the bottom line, although it can be a devastating negative contributor following a real crisis.

As a consequence, organisations tend not to devote adequate attention to security until after they have been burned. However, the potential risks in aviation are enormous, and are generally actually much worse than imagined. Above all, there is a serious risk of ignoring risks that are difficult to deal with - unknown, unanticipated, or seemingly unlikely but with very serious consequences. For situations with potentially very high risks, as is the case in commercial aviation, significantly greater attention to information security is prudent.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code