Aviation Info Sec

Written by

 By Sam Raynor

For many years, the view of cybersecurity has lain squarely in the domains of the military; of state-sponsored espionage; or of the bedroom hacker who has nothing better to do than deface the page you are looking at.

While these stereotypes do, undoubtedly, exist within the real world, the reality is significantly more startling. The threat of ‘cyber attack’ is a real threat to virtually all areas of commerce, from common theft of credit card details and intellectual property, to the subversion of benign systems and take-down of national infrastructure.
More recently, presentations at Black Hat in the US, and interventions by Volkswagen in the UK on talks relating to connected devices and car security, have highlighted significant flaws where there are means for users to interact with computer systems. Segregation of internal systems is not at the forefront of design.
Within the aviation industry, this risk is significantly greater. With the growing use of media hubs, particularly on longer haul flights, the attack profile of the airlines has vastly increased, as USB input is integrated seamlessly into the customer experience.
It is clear some airlines and developers are taking this as a serious risk, with a multitude of programs underway to assess impact levels of their actions. However, as issues on the ground have illustrated, there is always a an ongoing battle, and risk is an integral part of the conflict.
Away from the aircraft themselves, the role of airports, guidance systems, air traffic, and the integration of multiple systems all provide potential weakness within a connected world. Something as simple as a poorly configured wi-fi service within the customer lounge can provide an intent intruder the opportunity to propagate deep inside the network, causing severe widespread disruption. Indeed, this can be exemplified in the ability to redirect customer baggage between flights, whereby a significant amount of inconvenience and brand damage can be caused with minimal apparent impact.
However, by far the greatest risk faced by many is the role played by the individual. Within any chain of operation, the human element plays a significant role, and, by our very nature, humans are lazy. It is far easier to use a single password for a few devices than it is to be completely arbitrary. It is much easier to re-use the same piece of code in system programming a few times than it is to re-write it completely every time. It is far easier to see what appears to be the correct information, and trust the fineries, than it is to thoroughly inspect every element. As a result, steps have to be taken to mitigate against such inherent risks. The application of defense in depth across the environment, from root to tip, places a significant degree of control over the situation. The use of components from different sources and strategic checks and counter checks to ensure there is no single point of failure can make a significant contribution to the overall security posture.
Furthermore, to complement this, education is key to providing the greatest levels of awareness. Through the education of the importance and risk of every step, from the boardroom down through the ranks, combined with feedback and development from the ground, the monolith that is security can be broken down into manageable digests. Where this is integrated with an understanding of the risks from the initial specification, development of secure and safe solutions can be achieved from the outlay, with minimal addition to labor or development timescales. Where this is viewed as an afterthought, the costs can spiral dramatically, and introduce additional weaknesses, as the solution is twisted and compromised in order to patch the potential holes that will undoubtedly exist. These overspends can stretch to greater costs than the original outlay, as such a process can require vast sections of components to be re-engineered, and potentially cause compatibility issues with other components, leading to critical system outages and disgruntled, defensive developers.
While the outlook appears as a world of fear, uncertainty, and doubt, the reality is that, through the integration and awareness of the long-term impact of such development from the C-level staff, design engineers and architects, significant steps can be taken that greatly improve the prospects of development and have the opportunity to provide a secure solution, and therefore save significant outlay of both time and investment.
Sam Raynor is a security consultant at Information Risk Management Plc (IRM). He specializes in technical security consulting, including penetration testing across multiple platforms and technologies, with a focus on infrastructure components and web applications. Raynor has extensive experience in providing technical security assurance to IRM’s client base in the UK Government and transport (including aviation), gaming, retail and financial services industries. He is a certified CHECK consultant under the CESG (the UK Government's National Technical Authority for Information Assurance) CHECK scheme.


What’s hot on Infosecurity Magazine?