

How PKI & Embedded Security Can Help Stop Aircraft Cyberattacks

August 27, 2019 by Alan Grau, VP of IoT, Embedded Systems, Sectigo

 

On July 30th, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Agency (CISA) issued a security alert warning small aircraft owners about vulnerabilities that can be exploited to alter airplane telemetry. The system at risk is the aircraft’s Controller Area Network (CAN bus), which connects the various avionics systems–control, navigation, sensing, monitoring, communication, and entertainment systems–that enable modern-day aircraft to operate safely. The data it carries includes the aircraft’s engine telemetry readings, compass and attitude data, airspeeds, and angle of attack, all of which could be hacked to provide false readings to pilots and to the automated computer systems that help fly the plane.

The CISA warning isn’t hypothetical, and the consequences of inaction could prove deadly. Airplane systems have already been compromised. In September 2016, a U.S. government official revealed that he and his team of IT experts had remotely hacked into a Boeing 757 passenger plane as it sat on a New Jersey runway, and were able to take control of its flight functions. The year before, a hacker reportedly used vulnerabilities in the IFE (In-Flight Entertainment) system to take control of flight functions, causing the airplane engines to climb.

The Boeing 757 attack was performed using the In-Flight Entertainment Wi-Fi network.
 

A researcher with security analytics and automation provider Rapid7 wrote about the security of CAN Bus avionics systems in a recent blog and discussed the challenge at this year’s DEFCON security conference. He explained, "I think part of the reason [the avionics sector is lagging in network security when it comes to CAN bus] is its heavy reliance on the physical security of airplanes . . . Just as football helmets may actually raise the risk of brain injuries, the increased perceived physical security of aircraft may be paradoxically making them more vulnerable to cyberattack, not less."

A False Sense of [Physical Access] Security

The DHS CISA warning stated, "An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment." CISA fears that, if exploited, these vulnerabilities could provide false readings to pilots, and lead to crashes or other air incidents involving small aircraft. Attackers with CAN bus access could alter engine telemetry readings, compass and attitude data, altitude, and airspeeds. Serious stuff.

Not all of these attacks required physical access.

These risks should serve as a wake-up call to everyone in manufacturing. Any device, system, or organization that controls operation of a system is at risk, and the threats can originate from internal or external sources. It’s critical for OEMs, their supply chains, and enterprises to include security and identity management at the device level and continually fortify their security capabilities to close vulnerabilities.

Security Solutions for Avionics Devices

Today’s airplanes have dozens of connected subsystems transmitting critical telemetry and control data to each other. Currently, tier-one suppliers and OEMs in aviation have failed to broadly implement security technologies such as secure boot, secure communication and embedded firewalls on their devices, leaving them vulnerable to hacking. While OEMs have begun to address these issues, there is much more to be done.

Sectigo offers solutions so that OEMs, their supply chains, and enterprises can take full advantage of PKI and embedded security technology for connected devices. Our industry-first end-to-end IoT Platform, made possible through the acquisition of Icon Labs, a provider of security solutions for embedded OEMs and IoT device manufacturers, can be used to issue and renew certificates using a single trust model that’s interoperable with any issuance model and across all supported devices, operating systems (OS), protocols, and chipsets.

Much like the automotive industry, the aviation sector has a very complex supply chain, and implementing private PKI and embedded security introduces interoperability challenges. With leading avionics manufacturers introducing hundreds of SKUs per year, maintaining hundreds of different secure boots within a single aircraft is complex, cumbersome, and ultimately untenable. Using a single homogenous secure boot implementation greatly simplifies the model.

Purpose-built PKI for IoT, such as the Sectigo IoT Manager, enables strong authentication and secure communication between devices within the airframe. Using PKI-based authentication prevents communication from unauthorized components or devices and will eliminate a broad set of attacks.

Embedded firewall technology provides an additional, critical security layer for these systems. This is particularly relevant for attacks such as the Boeing 757 attack via the airline Infotainment Wi-Fi Network. An embedded firewall provides support for filtering rules to prevent access from the Wi-Fi network to the control network.

Icon Labs' embedded firewall has been deployed in airline and automotive systems to address attacks such as these. In both instances, our embedded firewall sits on a gateway device in the vehicle or airplane to prevent unauthorized access from external networks or devices into the control network, or from the Infotainment network to the control network. We continue to see interest in this area, indicating manufacturers are beginning to act.
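To make the gateway filtering idea concrete, here is a default-deny forwarding check of the kind a gateway between the Infotainment and control networks could apply. It is an added illustration, not Icon Labs or Sectigo code; the segment names, frame layout, rule format, and CAN IDs are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical network segments attached to the gateway (assumed names). */
enum segment { SEG_INFOTAINMENT, SEG_CONTROL };

struct can_frame_in {          /* simplified classic CAN frame (assumed layout) */
    enum segment src;          /* segment the frame arrived on */
    uint32_t id;               /* 11-bit identifier */
    uint8_t dlc;               /* payload length, 0..8 */
};

struct fw_rule {               /* one allow rule; anything unmatched is dropped */
    enum segment src, dst;
    uint32_t id, mask;         /* match when (frame.id & mask) == id */
    uint8_t max_dlc;
};

/* Constructed policy: the control bus may publish read-only flight data
 * (IDs 0x300-0x30F) to the cabin display; nothing flows the other way. */
static const struct fw_rule POLICY[] = {
    { SEG_CONTROL, SEG_INFOTAINMENT, 0x300, 0x7F0, 8 },
};

/* Return true only if an explicit rule permits forwarding f to dst. */
bool gw_allow(const struct can_frame_in *f, enum segment dst)
{
    if (f->id > 0x7FF || f->dlc > 8)      /* malformed: drop before matching */
        return false;
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        const struct fw_rule *r = &POLICY[i];
        if (r->src == f->src && r->dst == dst &&
            (f->id & r->mask) == r->id && f->dlc <= r->max_dlc)
            return true;
    }
    return false;                          /* default deny */
}
```

Because the policy lists only control-to-Infotainment rules, a frame arriving from the Infotainment side is dropped even when it carries an ID that is valid on the control bus.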

From Cockpits to Control Towers

Securing connected devices in aviation is not limited to airplanes. The industry requires secure communication between everything on the tarmac, from cockpits and control towers to provisioning vehicles and safety personnel. For that reason, Sectigo provides an award-winning co-root of the AeroMACS consortium, which addresses all broadband communication at airports across the world and calls for security using PKI certificates to be deployed into airplanes, catering trucks, and everything else on the tarmac.

Future Proofing with Crypto Agility

It’s worth noting that aviation is also uniquely challenged by the tenure of its components. Unlike devices that are designed to last for months or years, airplanes are designed to last for decades. Advances in quantum computing, which many experts believe is just around the corner, threaten to make today’s cryptographic standards obsolete. Aeronautical suppliers need to be prepared for this coming “crypto-apocalypse” and to update the security on their devices in the field while the devices are in operation. Sectigo’s over-the-air update abilities provide the cryptographic agility to guard against this upcoming crypto-apocalypse (listen to the related Root Causes podcast).

The ecosystem has fast work to do. Manufacturers must secure the CAN buses in their existing and future fleets – whether those planes idle on fenced tarmacs or in airplane hangars. In the meantime, CISA counsels that aircraft owners restrict access to planes' avionics components "to the best of their abilities," leaving passengers to hope security soon extends beyond their TSA experiences.

Read this blog online at https://sectigo.com/blog/how-pki-and-embedded-security-can-help-stop-aircraft-cyberattacks


Alan Grau has 25 years of experience in telecommunications and the embedded software marketplace. He is VP of IoT, Embedded Solutions IoT at Sectigo, the world’s largest commercial Certificate Authority and provider of purpose-built, automated PKI solutions. Alan joined Sectigo in May 2019 as part of the company’s acquisition of Icon Labs, a leading provider of security software for IoT and embedded devices, where he was CTO and co-founder, as well as the architect of Icon Labs' award-winning Floodgate Firewall. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security.

Prior to founding Icon Labs, Alan worked for AT&T Bell Labs and Motorola. He has an MS in computer science from Northwestern University.
