Inadequate Physical Security Leads to Potential Cyber Threat

By Eric Puype, Esq., CPP, PCI
What comes to mind when you think of a malicious actor conducting a cyberattack? Do you think of a person behind a laptop in a dark room located in some distant city trying to penetrate a network through known vulnerabilities created by weak security protocols? I bet you don’t think of someone trying to gain access to an airport, its hangars, or aircraft for the purpose of conducting a cyberattack on an airplane's avionics. Well, you should: as any cybersecurity expert will tell you, a good cybersecurity program must incorporate physical security practices. This fact is exemplified by the alert issued last month by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which identified the vulnerability of CAN bus networks affecting avionic systems.

A Cyberattack Through Physical Access

According to CISA, there is a potential threat of a malicious actor conducting a cyberattack against avionic systems that use CAN bus networks. However, unlike a typical cyberattack that seeks to gain access through cyberspace, this one would be conducted by gaining physical access to the aircraft’s avionics through the CAN bus. Specifically, a malicious actor who gains physical access to an aircraft avionics system that uses a CAN bus network can attach a device and inject false data that could create incorrect telemetry, attitude, altitude, airspeed, and angle of attack readings. These incorrect readings could potentially lead pilots to lose control of the aircraft.

Easy Solutions with Challenging Implementation

As part of its report, CISA recommends that “aircraft owners restrict access to planes to the best of their abilities.” Restriction sounds like a simple solution, but it is not. If you are familiar with most general aviation airports, you will know that these facilities vary greatly in size, location, operational activities, and level of physical security.
Moreover, security at these airports is not regulated by federal agencies like DHS's Transportation Security Agency (TSA); rather, the airports are provided guidelines and best practices for securing general aviation airports and the aircraft located at these facilities. These security guidelines and best practices were developed by the Aviation Security Advisory Committee’s (ASAC) working group consisting of general aviation organizations such as the Aircraft Owners & Pilots, the National Business Aviation Association, and the American Association of Airport Executives. The resulting security guidelines and best practices provided by the ASAC are a good starting point, but they are only a fundamental approach to physical security for general aviation airports and the aircraft located at these facilities. These security guidelines and best practices are purposely lacking in scale, depth, integration, and implementation because of the unique nature and varying range of general aviation airports and their operations.

So, what should airport, hangar, and aircraft owners do beyond these guidelines and best practices to ensure that they have an appropriate level of physical security?

First, a good security program, whether it's physical or cyber, incorporates a "security-in-depth" approach. This means that aircraft owners seeking to protect themselves from a cyberattack against their avionic system via the CAN bus network must demand that the airport implement strong physical security measures. Specifically, general aviation airport owners and operators must have a strong security program that starts with an independent security assessment that will identify prominent threats, detect vulnerabilities, and provide recommendations to mitigate consequences. An assessment should provide the airport owners and operators with prioritized recommendations that include perimeter, electronic, access control, infrastructure, and security management.
Additionally, these recommendations should consist of a cost-benefit analysis that identifies no-cost, low-cost, and capital security improvements. A follow-up assessment is also recommended after significant physical security enhancements are implemented or when there is a change in the threat profile of the airport.

Second, following the security-in-depth approach, aircraft owners should seek to store their aircraft in hangars. More specifically, aircraft owners should store their aircraft in a hangar that has excellent physical security. Whether hangars are owned by the airport or by a private company, an assessment conducted by the airport must include these facilities and must assess the access control, lighting, and electronic security systems. Separate from but similar to the airport, hangar owners must provide prioritized recommendations and a cost-benefit analysis.

Lastly, the aircraft owner must protect against unauthorized access. If owners have the ability to store their aircraft in a secure hangar, they should. If they don't, owners should use heat shields and covers to block windows to prevent someone from seeing what type of avionic system is used. Most importantly, an aircraft owner should implement robust access control. Robust means the aircraft should have a strong door lock with a tamper-proof key and a separate key system for the aircraft ignition. Key control is important, and an aircraft owner should implement an effective key control system that incorporates key transfers for such things as maintenance procedures. Other recommendations exist and should be provided to the aircraft owner after a more detailed assessment is completed.

What Does This Mean?

The CISA report highlights that a cyberattack on an aircraft’s avionics using a CAN bus network can be carried out by gaining physical access to the aircraft.
This threat is important because many general aviation aircraft use this technology, and general aviation airports are not regulated for security and have varying degrees of physical security protections. While the TSA has published security guidelines and best practices created by the ASAC, these are basic security principles and should not replace an independent security assessment that will provide detailed security recommendations tailored to the unique characteristics of the airport, its hangars, and the aircraft it houses. Moreover, these security recommendations should integrate into airport operations, be prioritized, and provide a cost-benefit analysis.

So, the next time you think of a possible cyberattack on an aircraft’s avionics, take a look at the physical security of the aircraft, the hangar, and the airport. Can someone gain access to the plane due to poor physical security? Is security-in-depth implemented to provide optimum protection? Has there been an independent security assessment conducted that the owners of airports, hangars, and aircraft can easily implement to enhance security and prevent a cyberattack on an aircraft’s avionics? If the answer to any of these questions is "no," I recommend you take an active role in securing your aircraft, ask hangar and airport owners and operators about their physical security program, and demand security enhancements if vulnerabilities exist.

Cybersecurity and Infrastructure Security Agency (2019), “ICS Alert (ICS-ALERT-19-211-01).” https://www.us-cert.gov/ics/alerts/ics-alert-19-211-01. Accessed on August 14, 2019.

Transportation Security Agency (2017), “Security Guidelines for General Aviation Airport Operations and Users.” Information Publication A-001, Version 2, July 2017.