On July 30th, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) published a security warning alerting small aircraft owners to security vulnerabilities that can be exploited to alter an aircraft’s telemetry. The aircraft’s controller area network (CAN bus), which is at risk of cyberattacks, connects the various avionics systems – control, navigation, detection, monitoring, communication and entertainment systems – which enable the safe operation of modern aircraft. This includes the engine telemetry data, compass and position data, flight speeds and the angle of attack of the aircraft. All of this could be hacked to provide false readings to pilots and to the automated computer systems that help the aircraft fly.
The CISA warning is not hypothetical, and the consequences of inaction could prove fatal. Aircraft systems have already been compromised. In September 2016, a U.S. government official announced that he and his team of IT professionals had successfully hacked a Boeing 757 passenger plane on a runway in New Jersey and could take control of its flight functions. The year before, a hacker reportedly exploited vulnerabilities in the in-flight entertainment (IFE) system to take over flight functions and cause the aircraft's engines to climb.
The Boeing 757 attack was carried out via the in-flight entertainment WLAN network.
A researcher from security analysis and automation provider Rapid7 recently wrote a blog post about the security of CAN bus avionics systems and discussed the challenge at this year’s DEFCON security conference. He explained, ‘I think part of the reason [the avionics sector is lagging behind in terms of network security in relation to the CAN bus] is the heavy reliance on the physical security of aircraft. Just like football helmets can actually increase the risk of brain injuries, the increased perceived physical security of aircraft may paradoxically make them more vulnerable to cyberattacks, not less.’
A false sense of [physical] security
The DHS CISA warning states: ‘An attacker with physical access to the aircraft could connect a device to an avionics CAN bus that could inject false data, resulting in false readings in the avionics equipment.’ Vulnerabilities can provide false readings to pilots and lead to crashes or other air incidents involving small aircraft, and attackers with CAN bus access can alter engine telemetry data, compass and attitude data, altitude and airspeed.
Not all of these attacks required physical access.
These risks should serve as a wake-up call for everyone in manufacturing. Any device, system or organisation that controls the operation of a system is at risk, and threats can come from internal or external sources. It is critical for OEMs, their supply chains and organisations to incorporate security and identity management at the device level and continuously improve their security capabilities to close security gaps.
Security solutions for avionics devices
Today’s aircraft have dozens of interconnected subsystems that transmit critical telemetry and control data. Currently, top-tier aerospace suppliers and OEMs have not comprehensively implemented security technologies such as secure boot, secure communications and embedded firewalls on their devices, leaving them vulnerable to hacking. While OEMs have begun to address these issues, there is still much more to be done.
Sectigo provides solutions that enable OEMs, their supply chains and enterprises to take full advantage of PKI and embedded security technology for connected devices. Our industry-first end-to-end IoT platform, enabled by the acquisition of Icon Labs, a provider of security solutions for embedded OEMs and IoT device manufacturers, can be used to issue and renew certificates with a single trust model that is interoperable across any issuance model and for all supported devices, operating systems, protocols and chipsets.
Similar to the automotive industry, the aviation sector has a very complex supply chain, and implementing private PKI and embedded security leads to interoperability problems. Given that leading avionics manufacturers introduce hundreds of SKUs a year, it is complex, cumbersome and ultimately unsustainable to carry hundreds of different secure boot implementations in a single airplane. Using a single homogeneous secure boot implementation simplifies the model significantly.
A PKI developed specifically for the IoT, such as the Sectigo IoT Manager, enables strong authentication and secure communication between devices in the airframe. The use of PKI-based authentication prevents communication from unauthorized components or devices and prevents a variety of attacks.
The embedded firewall technology provides an additional critical layer of security for these systems. This is especially true for attacks such as the Boeing 757 attack carried out via the airline’s infotainment Wi-Fi network. An embedded firewall supports filtering rules to prevent the Wi-Fi network from accessing the control network.
Icon Labs’ embedded firewall has been used in aircraft and automotive systems to prevent such attacks. In both cases, our embedded firewall sits on a gateway device in the vehicle or aircraft to prevent unauthorised access from external networks or devices to the control network, or from the infotainment network to the control network. We continue to see interest in this area, which indicates that manufacturers are starting to take action.
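A default-deny gateway filter of the kind described above, sketched in C as an added example (it is not Icon Labs' or Sectigo's code). The zone names, CAN IDs and the 100 ms rate limit are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Zones bridged by the gateway (names are assumptions for this example). */
enum zone { ZONE_CONTROL, ZONE_INFOTAINMENT, ZONE_MAINTENANCE };
enum verdict { FW_DROP = 0, FW_FORWARD = 1 };
struct frame { uint32_t id; uint8_t dlc; uint8_t data[8]; }; /* classic CAN */

struct fw_rule {
    enum zone src, dst;   /* direction the rule applies to */
    uint32_t id, mask;    /* match when (frame.id & mask) == id */
    uint8_t  max_dlc;     /* longest payload accepted for this ID range */
    uint32_t min_gap_ms;  /* minimum spacing between forwarded frames */
    uint32_t last_ms;     /* state: time of the last forwarded frame */
    uint8_t  seen;        /* state: has any frame been forwarded yet */
};

/* Constructed policy. There is deliberately no infotainment -> control rule. */
static struct fw_rule rules[] = {
    /* telemetry 0x300-0x30F may flow out to the cabin display */
    { ZONE_CONTROL, ZONE_INFOTAINMENT, 0x300, 0x7F0, 8, 0, 0, 0 },
    /* maintenance port: one diagnostic ID, at most one frame per 100 ms */
    { ZONE_MAINTENANCE, ZONE_CONTROL, 0x6A0, 0x7FF, 8, 100, 0, 0 },
};

enum verdict fw_check(enum zone src, enum zone dst,
                      const struct frame *f, uint32_t now_ms)
{
    if (f->id > 0x7FF || f->dlc > 8)
        return FW_DROP;                       /* malformed frame */
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        struct fw_rule *r = &rules[i];
        if (r->src != src || r->dst != dst || (f->id & r->mask) != r->id)
            continue;
        if (f->dlc > r->max_dlc)
            return FW_DROP;
        if (r->seen && now_ms - r->last_ms < r->min_gap_ms)
            return FW_DROP;                   /* rate limit exceeded */
        r->seen = 1;
        r->last_ms = now_ms;
        return FW_FORWARD;
    }
    return FW_DROP;                           /* default deny */
}

int main(void)
{
    struct frame spoof = { 0x305, 8, {0} };   /* constructed frame */
    return fw_check(ZONE_INFOTAINMENT, ZONE_CONTROL, &spoof, 0) == FW_DROP ? 0 : 1;
}
```

Because the policy is an allowlist, a frame from the infotainment side is dropped even when it carries an ID that is legitimate in the other direction.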
From the cockpit to the control tower
Securing connected equipment in aviation is not limited to planes. The industry needs secure communication between all parts of the tarmac, from cockpits and control towers to deployed vehicles and security personnel. For this reason, Sectigo offers an award-winning co-root of the AeroMACS consortium, which covers all broadband communications at airports around the world and calls for security through PKI certificates for airplanes, catering trucks and everything else used on the tarmac.
Future-proof with Crypto Agility
It is worth noting that aviation is also uniquely challenged by the longevity of its components. Unlike devices designed for a lifespan of months or years, airplanes are designed to last for decades. Advances in quantum computing, which many experts believe to be imminent, could render today’s cryptographic standards obsolete. Aviation suppliers must be prepared for this upcoming “crypto-apocalypse” and be able to update the security of their equipment in the field while the devices are in operation. Sectigo’s over-the-air update capabilities offer the crypto agility to protect against this upcoming crypto-apocalypse (see the associated podcast on the causes).
The ecosystem needs to work fast. Manufacturers need to secure the CAN buses in their existing and future fleets – whether those aircraft are on fenced tarmacs or idling in aircraft hangars. In the meantime, CISA advises that aircraft owners restrict access to aircraft avionics components ‘to the best of their ability’, leaving passengers to hope that security will soon move beyond their TSA experience.