Airport and private sector cybersecurity officials warned House members on Thursday of persistent cyber threats to the aviation sector, with two witnesses saying they regard such threats as the most dangerous that the industry faces currently.
That testimony came during a joint hearing of two House Homeland Security Committee subcommittees – the Cybersecurity and Infrastructure Protection and Transportation and Protective Security subcommittees – held to examine the cybersecurity threats facing the aviation sector, as well as to explore how the aviation sector is looking at its cybersecurity posture. The hearing aimed to find ways that the Department of Homeland Security (DHS) can better assist stakeholders to bolster cybersecurity in the aviation ecosystem.
“When we think of threats broadly to the industry, traditional avenues of attack are what first come to mind,” Rep. John Ratcliffe, R-Texas, chairman of the Cybersecurity and Infrastructure Protection Subcommittee, said during the hearing.
“These threats, such as hijackings and bombings, will continue to pose a major security concern moving forward. However, as devices, aircraft, and systems become more interconnected, cybersecurity will increasingly play a larger role in aviation security. Because nation-states, cyber criminals, and ‘hacktivists,’ all possess an incentive to manipulate systems within the sector. Whether it be looking to gain a competitive advantage, a financially motivated action, or simply a political statement, the space will always be crowded by malicious actors seeking to do harm.”
Jeffrey L. Troy, executive director for the Aviation Information Sharing and Analysis Center, explained that in aviation “safety comes first.”
“Digital enhancements to processes are adopted at a deliberate pace to ensure no impact to safety. Security around the digital processes begins in the design stages and runs through the build, deploy, operate and continuously monitor phases,” he said. “Airframers and their suppliers extensively test new technologies and design layered safety and security controls, both digital and physical, to ensure the highest level of assurance in-flight safety.”
With safety at the forefront of their minds, witnesses at the hearing agreed that cyberthreats to the aviation industry are serious and a strong cybersecurity posture is essential.
“Given the rapidly growing reliance on technology as well as the implementation of future technologies such as Next Generation Air Transportation System (NextGen) and remote airtraffic control towers, it is my opinion that cybersecurity risks without question represent the preeminent and persistent threat to the continuous, safe, secure and efficient operations of US airports and the global aviation system,” said Michael Stephens, executive VP of IT and general counsel of Tampa International Airport.
In his testimony, Stephens highlighted three areas that are the best opportunities for airports, along with stakeholders, to “achieve greater preparedness, responsiveness, and resilience.” He said that while current Federal cybersecurity frameworks are voluntary in nature, there should be mandatory minimum standards for the aviation sector.
“I believe that we are at a point in the growing threat environment where voluntary compliance is no longer adequate,” he said, and urged that Congress and Federal agencies including the Federal Aviation Administration and the Transportation Security Administration give strong consideration to mandate the development, adoption, and implementation of uniform minimum cybersecurity standards and frameworks.
He also called for improved cybersecurity information sharing and communication, explaining that much of the aviation sector’s information sharing is reactive instead of proactive. He urged mandates to report cyber incidents, and better information security awareness and workforce training.
Christopher Porter, chief intelligence strategist for FireEye, echoed the gist of those sentiments by saying cyber espionage is the greatest threat facing the aviation industry.
“Foreign governments routinely seek to steal industrial secrets from manufacturers, researchers, designers, and operators of both military aircraft and cutting-edge civilian planes,” Porter said. “China, Russia, and more recently Iran have all targeted the U.S. or its close allies for theft of aviation secrets via computer network operations.”
Porter also said those three countries are routinely targeting ticketing and traveler data, shipping schedules and manifests, and related industries such as railways and hotels, to gather counterintelligence data on suspicious travelers and intelligence on persons they wish to track.
Porter further emphasized two aspects of cyberespionage against the aviation sector. First, “because of its pervasive nature, the best defense against cyberespionage is rapid, detailed information sharing with context,” Porter explained. He said companies must push alerts to customers in real time, industry groups need to share information between peers, and the government needs to improve its information sharing policies because “a threat to one is often a threat to all.”
But Porter also explained that because cyberespionage is routine, it shouldn’t necessarily be viewed as destabilizing.
“When cyberespionage operators get a foothold on a system, they can often use that access for stealing information or to launch a disabling or destructive attack using the same technology,” he said. “But they rarely choose to do so, and in the U.S. there are significant redundancies in place to ensure safety. A crashed IT system does not mean a crashed plane, and it’s important for the public to keep that in mind.”