Mass Transport Systems and Cyber Resilience
Director Steve Southern discusses the dual importance of safety and security
I should make it clear that I'm not an engineer. That's not an apology, just a fact. I know some excellent, even brilliant engineers, mostly from my days in the military. However - and I'm now going to generalise - just as I am no engineer, the vast majority of engineers are not security specialists. In fact even the most brilliant engineers probably don't think much about security. Why should they?
Civil engineers design roads and railways. Electrical engineers design radio systems and networks. Mechanical engineers probably design industrial turbines and gearboxes for all I know. But here's the rub. Whereas perhaps 20 or 30 years ago security didn't really matter in any of the aforementioned, the same is certainly not true today. In fact all of these things might now form part of what is collectively described as our Critical National Infrastructure (CNI) - systems and services upon which modern society is so reliant that none of us can survive for long without them. Even some of our ubiquitous retail outlets such as Tesco and Sainsbury's might be part of the CNI - how many days could any of us last if they suddenly ceased to function? So let's consider some examples in a bit more detail.
Recent reports in the media concerning the vulnerability of modern airliners to hacking caught my eye. These reports appear to have emanated from an incident where a "security researcher" was prevented from boarding a United Airlines flight as he had "jokingly" tweeted several days earlier that he could cause the oxygen masks to deploy. The same researcher is also reported to have told CNN that he was able to connect to a box under his seat at least a dozen times to view data from the aircraft's engines, fuel and flight management systems. These reports were sufficient to prompt a response (https://goo.gl/1c0muF) from respected commentator Bruce Schneier in which he points out that "newer planes such as the Boeing 787 Dreamliner and Airbus A350 and A380 have a single network that is used both by pilots to fly the plane and passengers for their Wi-Fi connections."
This may come as a surprising revelation to many, but as Bruce also observes, "A terrorist hacks into a commercial airplane from the ground, takes over the controls from the pilots and flies the plane into the ground. It's certainly possible, but in the scheme of Internet risks I worry about, it's not very high," and "There are currently no known vulnerabilities that a hacker could exploit." Given the recent tragedy of the Germanwings flight, we should perhaps all be a little less concerned with this type of hacking scenario and more concerned about the psychological health and screening of the pilots.
To reiterate, I'm not an engineer, but I've been around aircraft - albeit of the military type - for decades, trying to quantify and adequately describe security threats and vulnerabilities so that appropriate countermeasures can be implemented.
I recall many discussions with engineers, project managers and others on major aircraft procurement programmes around security of on-board systems, not to mention ground support and mission planning systems upon which the aircraft rely for operations. A recurring issue concerned what is known as Health and Usage Monitoring System (HUMS) data, vital information collected by a range of on-board sensors about the health of critical components such as gearboxes.
This data is collected on every flight and then downloaded by engineers, allowing them to analyse the 'health' of these components and predict when failures are likely to occur. While the integrity of this data is important - were it altered in any way the consequences could be serious or even life threatening, since a corrupted trend could mask a component that is about to fail - its confidentiality is not, and it was typically assessed as unclassified. HUMS data is downloaded from the aircraft network, normally a MIL-STD-1553 data bus, to a laptop via a standard serial interface or via a PCMCIA card. However, on the same network there will sometimes be mission data that can in certain scenarios, such as flights involving Special Forces, be highly confidential - perhaps even assessed as secret.
So the security issue is around having assurance that in downloading HUMS data, secret mission data cannot be accidentally or deliberately downloaded at the same time. Similar issues relating to storing and processing sensitive and non-sensitive data on the cockpit voice and flight data recorder were also addressed. The point is that these and many other security issues were identified and addressed to the satisfaction of the many stakeholders. Note I do not say the issues were 'solved' as this might imply something that is 100% effective; anyone who knows anything about security will never assert 100% effectiveness for any security countermeasure(s). But the point I'm making is twofold. First, the engineers that designed the aircraft systems either failed to predict that security would be an issue or if they did, they didn't seek to address it. Second, and in spite of this failure, the issues were successfully addressed, albeit very late in the day. I'd predict the same to be true insofar as our modern airliners are concerned, i.e. security was not addressed at the design stage, and only now is it likely to be retrofitted, potentially at significant cost.
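The two properties in the preceding paragraphs (HUMS data must keep its integrity; secret mission data on the same bus must never ride out on a HUMS download) can be made concrete. What follows is an added example, not the design of any aircraft programme and not a description of how a 1553 bus or any real HUMS download tool works. It assumes a constructed record format in which every record carries a label, a channel name, a classification marking and an HMAC-SHA256 tag computed under a per-aircraft key, plus a constructed allow-list of HUMS channels. The download tool verifies every record, keeps only allow-listed HUMS channels, and then passes the result through an independent release gate that re-checks the classification marking. Because the tag binds the label and the marking, a mission record relabelled as HUMS fails the integrity check instead of leaking, and a HUMS payload altered to hide a rising vibration level aborts the download rather than being quietly accepted.

```python
# Added example (hypothetical HUMS download filter), not code from any aircraft programme.
# Assumed record format: label, channel, classification, payload, and an HMAC-SHA256 tag
# over all four fields under a per-aircraft key. Channel names and labels are constructed.
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Callable, Iterable, List, Tuple

# Constructed allow-list: the only channels an engineer's laptop may pull off the bus.
HUMS_CHANNELS = frozenset({"MGB_VIB", "TGB_VIB", "ENG1_N1", "ENG2_N1"})


@dataclass(frozen=True)
class Record:
    label: str            # "HUMS" or "MISSION" (constructed labels)
    channel: str          # bus message / sensor channel name
    classification: str   # "UNCLASSIFIED" or "SECRET"
    payload: bytes
    tag: bytes            # HMAC-SHA256 binding every field above


class IntegrityError(Exception):
    """A record's tag does not verify: payload tampering or relabelling."""


class ReleaseViolation(Exception):
    """A record that must never leave the aircraft reached the release gate."""


def _tag(key: bytes, label: str, channel: str, classification: str, payload: bytes) -> bytes:
    # Length-prefix each field so an attacker cannot shift bytes between fields.
    fields = (label.encode(), channel.encode(), classification.encode(), payload)
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_record(key: bytes, label: str, channel: str, classification: str, payload: bytes) -> Record:
    return Record(label, channel, classification, payload,
                  _tag(key, label, channel, classification, payload))


def verify(key: bytes, rec: Record) -> None:
    expected = _tag(key, rec.label, rec.channel, rec.classification, rec.payload)
    if not hmac.compare_digest(expected, rec.tag):
        raise IntegrityError(f"{rec.channel}: tag mismatch")


def select_hums(key: bytes, records: Iterable[Record]) -> Tuple[List[Record], int]:
    """Stage 1: verify every record, keep only allow-listed HUMS channels.
    An integrity failure aborts the whole download: silently dropping one sensor
    record could hide a developing fault, so the engineer must see the failure."""
    kept, dropped = [], 0
    for rec in records:
        verify(key, rec)
        if rec.label == "HUMS" and rec.channel in HUMS_CHANNELS:
            kept.append(rec)
        else:
            dropped += 1          # mission traffic stays on the aircraft
    return kept, dropped


def release_gate(records: Iterable[Record]) -> List[Record]:
    """Stage 2: independent check on everything about to leave the aircraft.
    Deliberately does not trust stage 1 (e.g. a mis-edited allow-list)."""
    out = []
    for rec in records:
        if rec.classification != "UNCLASSIFIED" or rec.label != "HUMS":
            raise ReleaseViolation(f"{rec.channel} is {rec.classification} {rec.label}")
        out.append(rec)
    return out


def download_hums(key: bytes, records: Iterable[Record]) -> Tuple[List[Record], int]:
    kept, dropped = select_hums(key, records)
    return release_gate(kept), dropped


def _outcome(action: Callable[[], object]) -> str:
    try:
        action()
        return "released"
    except (IntegrityError, ReleaseViolation) as exc:
        return type(exc).__name__


def run_scenarios() -> dict:
    """Constructed bus capture exercising the normal case and three failure cases."""
    key = b"constructed-per-aircraft-key"
    bus = [
        make_record(key, "HUMS", "MGB_VIB", "UNCLASSIFIED", b"vib_rms=0.31g"),
        make_record(key, "MISSION", "ROUTE_PLAN", "SECRET", b"wpt1=51.47N,000.46W"),
        make_record(key, "HUMS", "ENG1_N1", "UNCLASSIFIED", b"n1=97.2pct"),
    ]
    results = {}
    released, dropped = download_hums(key, bus)
    results["clean"] = ([r.channel for r in released], dropped)
    # Relabelling: the mission record disguised as a HUMS channel, tag left unchanged.
    forged = replace(bus[1], label="HUMS", channel="MGB_VIB", classification="UNCLASSIFIED")
    results["relabelled"] = _outcome(lambda: download_hums(key, bus[:1] + [forged]))
    # Tampering: a HUMS payload edited to mask a rising gearbox vibration level.
    tampered = replace(bus[0], payload=b"vib_rms=0.05g")
    results["tampered"] = _outcome(lambda: download_hums(key, [tampered, bus[2]]))
    # Defence in depth: a secret record that somehow passed stage 1 is still stopped.
    results["gate"] = _outcome(lambda: release_gate([bus[1]]))
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The allow-list and the release gate are separate on purpose: the first answers "what am I meant to download?", the second answers "is anything about to leave that must not?", and a mistake in one should not defeat the other. The tag covering the label and marking is what turns a relabelling attempt into an integrity failure.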
I've also spent quite a bit of time working within and learning about Air Traffic Management (ATM), both at the pan-European level within the European headquarters of Eurocontrol, as well as at the national Air Navigation Service Provider (ANSP) level here in the UK and in Slovenia. Massive changes are underway in ATM, driven in Europe by the Single European Sky ATM Research (SESAR) project. It's good to know that safety and security are an integral part of SESAR, although I'm not certain that security in particular has been properly addressed for some of the key underlying technologies, such as Automatic Dependent Surveillance-Broadcast (ADS-B). Reports such as this one (http://goo.gl/5PvUyI), while anecdotal, do not inspire confidence. The International Civil Aviation Organization (ICAO) presents a more measured assessment of ADS-B security issues in this guidance material: http://goo.gl/0YG7gB.
Now let's briefly consider the railways, and coincidentally these have also featured in the media recently for remarkably similar reasons. See this report http://www.bbc.co.uk/news/technology-32402481 in which a professor at City University in London says that plans to replace ageing signal lights with new computers could leave the rail network exposed to cyber-attacks. In fact I would suggest that the same basic problems present themselves in all mass transport systems, air, rail, road, or sea, as they all depend upon complex and highly interconnected control systems that to a greater or lesser extent are vulnerable to attack.
A broader point is also worthy of note, namely that in many of these transport sectors, and for generations, the primary focus of design engineers has been on safety, not security. On the one hand this is very reassuring for the travelling public, but increasingly the line between safety and security - if indeed there is any line at all in the case of mass transport systems - is now somewhat blurred. Some - including Amethyst - have for many years been vociferous proponents of a more joined up approach between safety and security. The two disciplines have many common features and yet they continue to be addressed separately and in isolation from each other, duplicating effort and increasing costs.
We can at least be encouraged by the launch last year of PAS 754:2014 (http://www.uk-tsi.org/pas754), which for the first time specifies a way of addressing safety and security requirements via a single approach; it combines hazards from safety with threats from security, and uses the word 'adversity' to describe the sum. This specification may be relatively unknown to date, but I believe it has the potential to save £millions not only in the transport sector, but in any sector where safety and security are priorities, e.g. nuclear energy, oil and gas production, and defence to name but a few. Other work that should be essential reading for anyone with responsibility for or an interest in security and/or safety in the transport sector is the white paper published at the conclusion of the SECUR-ED project (see http://www.secur-ed.eu/ for background and a link to the white paper). The white paper presents a cyber security roadmap for public transport operators that "starts by clarifying the connection between safety, security and cybersecurity and identifying disruptive concepts/technologies..."
So what are we to conclude from all of this? One thing is certain, security researchers like the person denied boarding by United Airlines will always seek to push the boundaries. Are they a threat to security or do they provide a vital service? Well, that depends on their motivation.
Secondly, vulnerabilities affecting CNI and the cyber resilience of mass transport systems such as those we have highlighted will be ever present; consider the potential impact of the Internet of Things and the probability that within the next decade dozens of your household domestic appliances will be online, connected to the same infrastructure upon which our critical services depend. This may seem trivial but it isn't: every additional device online is another piece of software that must be kept patched and another foothold from which well-known attack techniques can be turned against the infrastructure behind it. Lastly, let us be optimistic and hope that in the foreseeable future the current separate disciplines of safety and security will finally come together; within Amethyst we have specialists in both disciplines and are therefore well placed to assist any of our clients who may wish to take a serious look at doing so.