Protecting ‘Flying Computers’
Last summer, more than 1,400 LOT Polish Airlines passengers were stranded at Warsaw Chopin Airport, the country’s largest airport. Ten flights were cancelled and a dozen more grounded after a probable cyber attack crashed flight-planning computers.
Airline travel is considered one of the safest ways to get around, but attacks on the networks that keep travelers flying can have reverberating effects across the industry.
To prevent this, risk and insurance experts are planning ways to build in protections in case hackers access data networks, onboard computers or navigation systems to cause business disruptions or damage to life and property.
“Aircraft really are flying computers,” said Brad Meinhardt, managing director, aviation practice at Arthur J. Gallagher & Co. “The importance and integrity of cyber is absolutely tantamount because airplanes will be flying closer and closer to each other with the same degree of safety.”
Automation helped airlines fly 3.5 billion customers on 34 million flights last year, according to the International Civil Aviation Organization (ICAO). And yet, all these linked networks and technology advances also create new opportunities for criminals.
“We make mistakes in underestimating how clever our opponents are,” said Jon Haass, associate professor, cyber security and intelligence at Embry-Riddle Aeronautical University College of Security and Intelligence.
Is a Cyber Attack Possible?
While aviation experts believe today’s systems are secure from simple hacking, Eric Donofrio, XL Catlin’s chief underwriting officer, aerospace, in the Americas region, foresees more sophisticated attempts down the road.
“I would imagine people are going to try,” Donofrio said.
ICAO formed a cyber security task force four years ago to develop a set of international standards and industry best practices that account for all of the technology changes in the aviation industry. The United Nations agency will present its findings this September in Montreal.
When considering some of the most vital technology advances in aviation, experts see a few vulnerabilities. First, air navigation is facing the most significant changes because of the increased reliance on GPS for data.
The radio navigation system pilots mostly use today is run from very high frequency omnidirectional radio range receivers (VORs), a ground-based electronic system that reaches up to 200 miles. The stations send out radio signals and essentially create highways in the sky. These operate individually, so trying to take out all VORs today would be very difficult, Donofrio said.
A new GPS-based system with wider reach is replacing VORs. The Federal Aviation Administration plans to decommission about half of the 967 VORs in the United States by 2020, and keep the other half as a backup navigation system in the event of a GPS outage.
As aviation operators phase out VORs and move over to new GPS-based technology, that GPS system may become a significant cyber vulnerability, Donofrio said.
When Malaysia Airlines Flight 370 disappeared over the Indian Ocean in 2014, some in the public were surprised to learn that air traffic controllers often don’t know where a plane is because radar can’t reach it along several stretches of the route.
That will soon change when the aviation industry begins using a much more precise surveillance technology called Automatic Dependent Surveillance – Broadcast (ADS-B), which will allow air traffic controllers to know exactly where every plane is, even over vast oceans.
“There are many places on the globe where terrestrial coverage is spotty and that’s why we are trying to have the system run off satellite,” Haass said. “But the ‘attack surface’ increases with a more complex system.”
ADS-B uses GPS technology to determine an aircraft’s location, airspeed and other data, and broadcasts that information to a network of ground stations, which relay the data to air traffic control displays and nearby aircraft.
“ADS-B is a technological improvement over the limitation of radar, but if a hacker could hack in, conceivably the GPS system, in the extreme, could be shut down – there’s almost a single point of data,” Donofrio said. “In the future, we might have a bigger problem, but right now that scenario is a bit dramatic.”
“We would like to see cyber security included right there at the design stage when they develop new systems.” — Jon Haass, associate professor, cyber security and intelligence, Embry-Riddle Aeronautical University College of Security and Intelligence
Oftentimes, the areas that are most vulnerable to hackers are not so dramatic – such as employees with weak computer passwords or malware in an email. Third parties that have access to aviation systems or cloud providers may also present vulnerabilities.
And, while ADS-B is meant to make aviation systems more efficient and safer, it lacks a good authentication system to verify that the person working on either end is who they claim to be, said Haass.
Another emerging risk is the abundant use of electronic flight bags. These devices — which contain software and store sensitive flight information — are carried around the world and can be hacked at any point along the way, such as a pilot’s hotel room.
Portable devices are also used extensively around airports to remotely prepare baggage handling, weigh baggage and board contents onto the planes, among other things. Even if those devices work off a private network and require a security password, they may still become a target for hackers, Haass said.
“We would like to see cyber security included right there at the design stage when they develop new systems,” Haass said. “It’s easier to fix it at the beginning, although it adds expense and time.”
Cyber Market Continues to Evolve
The aviation industry includes about 1,400 commercial airlines, 4,130 airports and 173 air navigation services providers. And they all carry risk.
“Aviation insurance is one of the most comprehensive insurance coverages in the world,” said Meinhardt.
Yet, cyber coverage remains a complication.
Cyber risks may be excluded or limited in aviation insurance policies. For example, certain network business interruption exposure may not be covered under existing policies.
“Cyber liability is something our clients should consider,” Meinhardt said.
Another reason to consider cyber liability insurance is because vendors that do business with aviation businesses often demand it, he said
Some aviation industry insurers have shied away from cyber products because the data and modeling tools that are commonplace for understanding catastrophic property exposures often do not exist for cyber risk in a specific industry, such as aerospace and aviation.
The burgeoning market offers only a handful of stand-alone products. That market will continue to evolve but development will bring challenges, with many concepts and wordings yet to be tested.