Protecting the new frontier: Seven perspectives on aerospace cybersecurity
The aviation community has experienced unprecedented difficulties over the past year in the midst of a global pandemic. But these haven’t eclipsed one of its persistent challenges: cybersecurity. Also happening above the clouds: Space is emerging as an operational domain, a new frontier that presents unique issues for defense organizations’ cybersecurity. The upside is that there are now opportunities for security practitioners across the broader aerospace sector to collaborate with policymakers and civil society on tackling the shared challenges of aviation and space—and to work together on building more resilient systems.
The Atlantic Council, in collaboration with Thales, published Aviation Cybersecurity: Scoping the Challenge in 2019 to map perspectives from across the aviation ecosystem and highlight the need for international collaboration among stakeholders. The report built off its predecessor, Aviation Cybersecurity—Finding Lift, Minimizing Drag, which raised awareness and sparked a public dialogue on the aviation industry’s cybersecurity vulnerabilities.
The Atlantic Council’s Cyber Statecraft Initiative, within the Scowcroft Center for Strategy and Security, is now seeking to advance international stakeholder collaboration in the pursuit of resilient aerospace systems. To this end, the Atlantic Council hosted a discussion on public-private sector cooperation on aerospace cybersecurity and opportunities to apply industry best practices to the defense community. The roundtable included remarks from Will Roper, former assistant secretary of the Air Force for acquisition, technology, and logistics.
Watch the opening remarks
Following the roundtable, seven aerospace cybersecurity experts charted the path forward for securing this new frontier:
Question 1: What kind of challenges exist for cybersecurity in the aerospace sector that didn’t ten, or even five, years ago? What challenges are as old as ever?
Christian Thomasson, chief of cyber assessments for weapon systems, USAF Red Team, United States Air Force: “Some of the challenges that exist today for cybersecurity in the aerospace sector that did not exist ten or five years ago involve some of the democratization and more widespread knowledge of reverse engineering and exploitation tools. This also comes at a time where there have been a number of very public incidents attributed to ‘cyber’ flaws in commercial aircraft (Boeing 737 MAX 8 as an example). This creates an environment where skilled amateurs and professionals alike turn their attention to discovering vulnerabilities and, in some cases, merely claiming the discovery of vulnerabilities within commercial aircraft. These aircraft were in most cases built to address only one leg of the traditional cybersecurity CIA triad of confidentiality, integrity, and availability (that leg being availability). Very little work had traditionally gone into integrity (i.e., code signing) and confidentiality (i.e., encryption).
As for flaws as old as ever: good regression testing to ensure new systems integrate into the federated architecture of an avionics bus is difficult and an ever-present challenge. Additionally, program managers generally abide by the traditional project management triangle, in which they are constrained by cost, schedule, and performance, and they typically get to fix only two of these variables at once. This is not to indict the program manager’s integrity, but merely a reflection of a world driven by strict timelines and budget constraints.
As for remediation of and testing for cyber flaws, in some cases programs are discouraged from these tests as there may be no funding to patch any flaws that may be discovered—add to that the invisible nature of cyber from a funding perspective. If I approach the chief engineer of a program and tell them, ‘We have enough funding for one study and have two to choose from: the first study will get you a 10 percent gain in engine efficiency and the second will look for bugs and we may find something that we will patch’—the engineer will often pick the first study, which will result in a tangible outcome reportable to shareholders. The second study produces very little from the perspective of the chief engineer.”
Question 2: What sorts of challenges do space systems face from a cybersecurity perspective that are different from those faced by aviation systems?
Steve Lee, aerospace cybersecurity program manager, American Institute of Aeronautics and Astronautics: “Space systems are currently providing critical communications and positioning, navigation, and timing (PNT) services, which means that the cybersecurity impacts to space systems multiply across a variety of dependent critical services with impacts far beyond the immediate space industry and ecosystem.
The inaccessibility of space systems, once deployed, constrains engineering of their cybersecurity systems. Similarly, the near-total absence of humans from most (exceptions being very costly and bespoke) space systems all but removes the possibility of reverting to any manual, non-digital backup in the event of digital failure, regardless of how induced.
The cybersecurity culture around space systems—like other technology families with comparatively low installed bases and high barriers to entry (such as commercial nuclear power)—still has a regressive ‘security by obscurity’ component, which is diminishing though still present.”
Question 3: Who has the greater potential (or power) to play a positive role in the aerospace cybersecurity ecosystem: the public or private sector?
Beau Woods, cyber safety innovation fellow, Cyber Statecraft Initiative at the Atlantic Council’s Scowcroft Center for Strategy and Security: “Comparing government and industry roles is like comparing engines to flight control surfaces—success depends on both of these systems working together. At its best, government sets the preconditions and incentives toward societal goals and objectives, and industry innovates and competes within that space to deliver the highest value to its shareholders (and in theory the flying public). Both of these stakeholders have individual and supranational representation due to the global nature of aviation. An emerging power that can help keep the balance is the rise of independent security and cyber safety researchers who can provide an independent check if they acquire the right set of access to these technologies and institutions for reporting their findings.”
More from the Cyber Statecraft Initiative:
Question 4: How much of an obstacle is the pace of technological change to more effective public/private collaboration on aerospace cybersecurity?
Brandon Bailey, cybersecurity senior project leader, The Aerospace Corporation: “In traditional technology industries, many believe the rapid speed of new technological developments may outpace an organization/agency’s ability to manage the technology risk, including cyber, appropriately. In the aerospace industry, more specifically space systems, this is amplified due to the constraints of outer space and the necessity to leverage flight-proven hardware and software. Space systems are designed using hardware and software with high flight pedigree that can withstand a harsh operating environment. New technology takes many years to reach flight readiness.
In space systems, technology readiness levels (TRLs) are used as a method for estimating the maturity of technologies during the acquisition phase of a program. TRLs were developed at the US National Aeronautics and Space Administration (NASA) during the 1970s but were also leveraged in the US Department of Defense (DoD), among other departments. The use of TRLs enables consistent, uniform discussions of technical maturity across different types of technology using a scale from one to nine, with nine being the most mature technology.
From a cybersecurity perspective, the utilization of sometimes antiquated technology can bring cyber risk for which newer technologies may resolve vulnerabilities. One concrete example is the industry’s use of MIL-STD-1553 for the main communication protocol on-board the spacecraft. MIL-STD-1553 is a military standard that defines mechanical, electrical, and operating characteristics of a serial data communication bus which is now commonly used for both military and civilian applications in avionics, aircraft, and spacecraft data handling. MIL-STD-1553 was developed in the 1970s well before cybersecurity was a mainstream concept; therefore, the protocol has few security considerations. This is one example of how space systems typically lag behind technology advancement. The consistent lag behind technology means that the cyber threat is often outpacing the protections available to space systems, which has resulted in a wake-up call for space system designers to begin deploying more secure spacecrafts.
Cybersecurity for ground systems has managed to somewhat keep pace with technology advancement, but the spacecraft are now in the crosshairs of adversarial forces, which is requiring a move away from traditional thinking in which spacecraft were considered immune to cyberattacks. This new era of securing the spacecraft is backed by the recent release of Space Policy Directive–5 from the White House in September 2020. SPD-5 states ‘space systems and their supporting infrastructure, including software, should be developed and operated using risk-based, cybersecurity-informed engineering,’ and there is a need to ‘implement cybersecurity plans for their space systems that incorporate capabilities to ensure operators or automated control center systems can retain or recover positive control of space vehicles.’
As the industry moves forward in an era in which both commercial and government entities have equal access to space and technology, we must secure both ground and space-based systems during all phases of development and ensure risk-based, full life-cycle cybersecurity that considers the size, weight, and power (SWaP) of a system, along with mission context to deploy most secure.”
Question 5: What is the most successful instance of the DoD implementing an industry practice in aerospace cybersecurity?
Steve Luczynski, chief of staff and board of directors, Aerospace Village: “Understanding the full scope and scale of the policy issues applicable to aerospace cybersecurity is a daunting task. In late 2015, the DoD sponsored a study that identified, collected, analyzed, and mapped nearly a thousand laws, policies, and regulations from across the federal government (the DoD, Federal Aviation Administration (FAA), Federal Communications Commission (FCC), Transportation Security Administration (TSA), etc.) that affect aerospace cybersecurity.
From this work, the DoD quickly recognized numerous supporting policies across a wide variety of agencies, even if they were often redundant. It is probably not surprising to learn this study also found gaps and conflicts between the guidance and requirements set forth by different agencies. In parallel, the DoD, FAA, and Department of Homeland Security formally chartered the Aviation Cyber Initiative (ACI) to increase cooperation within the federal government when addressing cybersecurity issues such as those found in this study. As an enduring effort, the ACI also enables ongoing engagement with industry to address the numerous cybersecurity issues that arise from the complexity and interconnected nature of the aerospace ecosystem. While this may not be a best practice specifically from industry, it is certainly an example of success in the DoD’s aerospace cybersecurity efforts.”
Question 6: What is the most challenging aspect of aerospace cybersecurity that differentiates it from cybersecurity in other industries?
Nathalie Feyt, chief product security officer, Thales: “In aerospace, there are three main differentiators that influence cybersecurity practices. The first is safety, as many stringent regulatory and certification requirements must be met and most are governed at the international level by the International Civil Aviation Organization (ICAO). When cyber requirements are set by ICAO, then efficiencies can be gained through standardized cybersecurity approaches. The importance of supporting the ICAO Secretariat Study Group on Cybersecurity cannot be understated and this body can benefit from the previous work of other regulatory authorities—including the existing European Union Aviation Safety Agency (EASA) 2020 regulation on ‘Information System Security Protection’ (AMC 20-42), and future Part AIS.
Second, as in most other industries, our industry leaders understand cybersecurity for their information systems, but the challenge comes when applying this vertical information technology mindset to a horizontal systems integration problem for aviation-dedicated solutions, processes, and people. Multilayered cybersecurity strategies, with defense-in-depth and cyber-monitoring capacities on operational technologies must be supported by all stakeholders if this challenge is going to be solved.
Last but not least, innovation in cybersecurity for products and solutions in aerospace is a must, since standard cyber technologies need to be adapted for airborne and safety-related systems. Autonomous, self-healing cyber-secured systems need to be built. This is the approach being taken at Thales and implemented for the company’s most recent product releases such as the FlytX new-generation cockpit avionics suite.”
Question 7: What’s the most important aerospace cybersecurity effort we’ve never heard of?
Olivia Stella, cybersecurity engineer, Los Alamos National Laboratory: “Joint education efforts between competitors, such as Aviation ISAC working groups and tabletop exercises. A cybersecurity attack on one organization is an attack on all. Not only is intel shared [in these working groups and exercises], but aerospace cybersecurity education resources are constantly being developed to meet the changing threat landscape and organizational needs. An interesting facet is the need to provide educational materials to outside parties like cybersecurity researchers. Though the industry is not moving as fast as researchers and I would like, the importance has been elevated, and that’s a start.”
Simon Handler is the assistant director of the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and international security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler.
Further reading
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.