As commercial aircraft increasingly become connected to the larger Internet of Things, the potential for safety risks also rise, the head of Thales’ business operations in the U.S. said on Wednesday.
There have already been hacks of aircraft and aviation-related systems, including inflight entertainment systems, data communications between pilots and ground-based controllers, and airline operations systems that in one case in Europe caused flight cancellations, Alan Pellegrini, president and CEO of Thales USA, said.
“I’m not trying to scare anybody but these things are happening,” Pellegrini said at the Aero Club of Washington, D.C., monthly luncheon. “As the aircraft become connected, there are real hacks.” Thales USA is part of France's Thales Group.
Historically, the changes to commercial aircraft have been incremental but the aviation industry is beginning to see “exponential” changes in the way aircraft and their systems are connected to ground-based systems, and eventually to satellites for navigation with the next-generation air traffic control system, Pellegrini said.
Pellegrini said that “as we reach this exponential part of the curve and as aircraft do become connected and their systems become connected and now millions of devices effectively now added to the internet that are all points of vulnerability in one form or another I think the safety risks do increase.”
Thales designs, develops and manufactures electronic systems used in satellites, aircraft cockpits and cabins, transportation systems, and weapons systems. The company also provides cyber security capabilities to its customers.
The aviation industry has a strong foundation and culture of safety, Pellegrini said. A culture of cyber security can be built on this foundation, he said.
Pellegrini also pointed out that there are firewalls among the systems that are used to control the flight of aircraft and other communications and inflight entertainment systems. The safety features around the flight control systems are “robust,” he said.
But there are shortcomings, Pellegrini said.
“I will submit to you there are many specifications that we get for systems to put on aircraft that don’t have well established security requirements and now we as a company, I know others do to, want to try and head that off and address them but I think as an industry we could collectively do more,” he said.
There is a growing awareness within the industry of cyber hacking and potential vulnerabilities and more information is being shared but it’s still not enough, Pellegrini said. Efforts to combat cyber threats and hacking remain “stovepiped,” he said, pointing to the need for industry and government to work together to mitigate potential threats.
The aviation industry can learn from the lessons learned and best practices applied by other private sector groups such as financial services and retail to combat cyber threats, Pellegrini said.
“Awareness is great, action is better,” he said. “And we have good models to work on.”
Last year, a team led by the Science and Technology Directorate at the Department of Homeland Security demonstrated that it could remotely hack a parked commercial aircraft. DHS acquired a used Boeing [BA] 757 that it parked at the airport in Atlantic City, N.J., and conducted a “non-cooperative penetration” of systems aboard the aircraft (Defense Daily, Nov. 8, 2017).
The work DHS is doing is classified and the information of the hack was provided by Robert Hickey, who at the time was the aviation program manager for S&T’s Cybersecurity Division. The disclosure of the hacking ultimately cost Hickey his job.
In a later statement, DHS said that “While certain details of the assessment remain classified,” Hickey’s comments “lack important context, including an artificial testing environment and risk reduction measures already in place. Along with our federal and industry partners, DHS takes aviation cybersecurity seriously and works with both researchers and vendors to identify and mitigate vulnerabilities in the aviation sector. The aviation industry, including manufacturers and airlines, has invested heavily in cybersecurity and built robust testing and maintenance procedures to manage risks.”
In a separate statement last year, Boeing said it observed the testing DHS did on the 757 aircraft “and we were briefed on the results. We firmly believe that the test did not identify any cyber vulnerabilities in the 757, or any other Boeing aircraft.”
Boeing also pointed out that there are multiple layers of protection on the planes it builds, saying that “software, hardware, network architecture features, and governance are designed to ensure the security of all critical flight systems from intrusion.”
Pellegrini, speaking at the Aero Club luncheon, said he agrees that “today” the cockpit and flight control systems are “very well walled off.” But, he cautioned, with the increasing data connectivity between aircraft and ground systems, “if the wrong data comms message is sent or hacked into and sent to a pilot, that could cause him or her to put the aircraft in the wrong place, and that could be equally as dangerous as a malfunction or something happening on the aircraft.”
He also said hacking of an inflight entertainment system, while not a threat to the aircraft, could cause panic among passengers or result in the theft of their credit card information. He also gave an example of sensors on an engine transmitting data to a maintenance center to help an airline with predictive maintenance, noting that the maintenance center needs to have confidence in the authenticity of the data it is receiving.
“I think work needs to be done on all of these systems to make sure that end-to-end they’re secure,” Pellegrini said.