The threat of cyber-attacks on airlines, as Alex Cowan, CEO, RazorSecure explains, will now have to be countered in very specific ways according to an EU Directive

What I’m going to write about is the new EU Cyber Security Regulations which are important and are coming into force very soon. We’ll look at what the new regulations mean and how they might affect airlines and operators.

But, before even that, I wonder whether everybody reading this is aware of what the cyber security risks to their business are. The best way to explain is with an example, in this case not from aviation but from an adjacent industry, shipping. In May 2017, Maersk, the world’s leading shipping company, was hit by the Wannacry attack, the same one that hit the NHS and a lot of other systems. This attack took Maersk down for one day. The knock-on effects from the attack and a day down were that Maersk had to set aside between $200m and $300m on their balance sheet to deal with the attack itself and its aftermath: it disrupted so much in Maersk’s supply chain. And this is just one example.

There have been more recent cases and, in the cyber security world, we talk of ‘the CIA triad’; this is not about the American intelligence service but means… confidentiality, integrity and availability. In order to keep a system secure it is necessary to think about those three things. Confidentiality is what people most often associate with cyber security; encryption and keeping data safe. But it’s also important to consider how to be sure that data that has been received hasn’t been changed in any way, its integrity. And the third consideration is availability. In the Maersk case, they were hit with an integrity attack but also an availability attack because their system went down, i.e. was not available. There are other examples such as British Airways, hit earlier in 2017 with an IT failure that affected their availability, another sort of cyber incident.

In that climate, the EU’s cyber directives came into force on 9th May 2018, comprising two regulations; one with which readers might be familiar and one that might be less well known.

The first is NIS, the Network and Information Systems Directive for Critical Infrastructure, a new set of regulations and the first time that any governmental body has tried to legislate for what cyber security looks like. As the name suggests, it is focused on critical infrastructure systems including airports, airlines, roads, railways, water distribution, oil, gas… a huge number of different industries. The Directives mandate different controls in four key areas of organization, protection, monitoring and response & recovery.

There are different guidelines on who NIS applies to in the aviation industry and it would be advisable for readers to look at the regulations for themselves. The UK Government published their guidelines on this in mid-2017 and other EU countries will publish their own guidelines. It was up to EU member states to implement this into law by May 2018, when the enforcement really started. There are some slight variations between member states but most will follow the UK’s, France’s and Germany’s interpretation. One key matter to note; the regulations will also apply to operational systems. It isn’t only about the enterprise or the hosting center; this is also about the operational systems, the real critical infrastructure side of things.

There are four key areas addressed by the directives and regulations.

1. Organization

• Understanding the governance of the organization;
• Understanding the risks it faces or is open to;
• Understanding the business’s asset management;
• Understanding its supply chain.

These are fairly standard ISO-27001 style requirements so it is likely that a lot of readers are already doing this.

2. Protection

• Understanding the business’s service protection policies and processes, which should be documented;
• Clearly defined identity and access control with documented authentication for individuals, plus controls; with each individual having their own discreet account – no shared accounts;
• Data security, preventing unauthorized access to data and controlling data during maintenance and disposal of systems.

• System security is the more traditional kind of physical or logical wall such as firewalls, vulnerability management, hardening, software updates, no default passwords…
• … but it also encompasses resilient networks and systems by design – business’s must not only consider the operation of systems but also how they fail and failure management – all something that airlines are already good at;
• While staff awareness is the last part of this, staff are the first line of defense in terms of cyber security so they need to understand what a cyber incident might look like on the ground because one of the biggest weakness in this area is social engineering. We had a case where we walked onto a train where the crew happily let us on and into the driver’s cabin and where one person actually offered to let us drive the train. And that was not a failure of that individual but a failure of staff training. One of the key things in cyber security is to never blame the individual; it’s always the organization that’s at fault. An individual’s mistake means they haven’t been trained well enough.

3. Security monitoring

One big change is that the EU has gone much further than the traditional cyber security approach. Traditional thinking was for passive security, i.e. firewalls, network segregation, air gapping or encryption. However, the new rules state that businesses have to go much further than that and think about active security – what the business is doing in order to monitor the systems that should be protected. Active monitoring and anomaly detection is a requirement under the new regime, i.e. being able to identify something that is not normal in the operation of the system.

This is where companies like RazorSecure and our software comes in.

• Security monitoring must be able to detect actual or attempted breaches (this is directly from the regulations);
• It’s about more than just the collection of logs because it’s very hard to analyze logs and they miss a huge amount of information;
• Security monitoring must also be effective for the operational lifecycle of the system, not just for the first three years or for the warranty period; businesses need to plan for the whole life of an asset.

This is about detecting deviations from ‘normal’. In order to detect a deviation from normal, it is first necessary to establish and understand what is normal. This applies to both the network and the systems on the network. We find that, with a lot of cases people are very focused on protecting their network but it’s not the network that gets hacked, it’s the systems on the network which is all-too-often overlooked

4. Response and recovery

• The fourth area is around response and recovery.
• Response and recovery planning means having a plan for how the organization will respond to a breach and how it will deal with the follow-up and restore the business. There need to be well-defined systems in place and a tested incident management process with activities in place to limit the impact of a breach;
• There will also need to be a program of continual improvement to prevent it happening again, i.e. change the organization and procedures to prevent that breach happening in the future.

Government organizations around Europe understand that there’s a massive problem with legacy systems in critical infrastructure. At a 2017 conference, for instance, a representative from US Homeland security reported that they had managed to take over a Boeing 757 in two days, breaching the system’s security. If they can do that in two days, that means there are potentially hackers who can attack that same system and other systems. This is why government organizations are doing this now; this is why they are legislating for it, because we must be thinking about it.

The second regulation of which readers might have heard is GDPR, the General Data Protection Regulation, which is all about how personal data is handled. There are some really important areas there including some that might flow over to the operational side. GDPR focuses on data privacy and data handling and has broad extra-territorial scope. The big thing about this is that the UK Government and the EU have given these regulations real teeth in the form of fines. For a major breach, a company could be fined up to 4% of its global revenue which, for a smaller airline and/or one with a small profit margin, could be significant. There are strict reporting requirements that require any breach to be reported within 72 hours to the local data controller, plus there are rules around how to manage that. But the real key is that this has been law since the start of May 2018 so airlines should have been thinking about them for some time by now.

The big change in tone with GDPR is that it defines data privacy as a right for EU citizens but it applies beyond the EU which is one of the key things that readers’ companies will have to understand. If an EU citizen is travelling through the USA on a US airline, that airline still has to look after the EU citizen’s data in the same way as if they were in the EU. That represents quite a change.

In the USA there is a very well-defined set of information that’s considered personally identifiable – full name, home address, email address, social security number, credit card numbers, date-of-birth, telephone number and log-in details. That list is currently being expanded to include such as a customer number held in a cookie, IP address, processor or device serial number and a unique device identifier.

The EU definition is much more broad – ‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’) including such as their image if, say, captured on CCTV; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.

Core principles of GDPR part 1

These first principles are around ensuring that individuals know who has their data, why they have it and are they keeping it safe.

• In order to collect someone’s data, they must give their consent and there must be a specific and not hidden request along the lines of ‘can we collect this information about you?’ The data collector has to be open and inform the individual what the data will be used for in a clear and up-front manner, i.e. no ‘legalese’.
• If that data has been breached, the organization holding the data must notify the appropriate data controller within 72 hours and must notify customers without undue delay. This is much stricter than what went before.

Core principles of GDPR part 2

The second set of principles is around the availability of data for the individual to see it and for the individual to decide whether it should be deleted.

• Individuals have the right to access their data on request and the organization must provide that data free of charge.
• Individuals also have the right to be forgotten and to instruct an organization holding their data to throw it away, another key change. Under the old Data Protection Act in the UK, an organization could retain data on an individual for a period of time as long as they ‘deemed it to be important’. Now, organizations can only keep data relating to an individual for as long as the individual says they can keep it. This also means that third parties must stop using the data but this can be weighed against ‘the public interest’ in the case of, say, the security services.

Core principles of GDPR part 3

The third set of key principles is around data portability.

• If an individual asks for their data to be moved somewhere else, it has to be provided in a machine readable format, perhaps more relevant to the likes of Facebook than to airlines but it still needs to be understood in the context of your organization.
• There needs to be privacy by design. This means minimizing the amount of data an organization stores and, in that context, over-collection of data is as bad as keeping data that should not be kept. The EU definition of privacy by design is that an organization should take, “Appropriate technical and organizational measures” taking into account “the state of the art and cost of implementation” The organization has to ensure confidentiality, integrity and availability of systems; be able to restore systems in a timely manner after an incident and have regular assessment and testing of security controls, i.e. really understand how the organization is managing the data it holds from individuals.

Some of this might also apply to operational systems with, for instance, the communication of passenger information over ACARS or the communication of passenger names but not encrypted. That means that the information is open to everyone and can potentially be sniffed which would be a breach of GDPR.

These new regulations, NIS and GDPR, are now in force from May 2018 and active monitoring is now a requirement and even one day can have a major impact.

RazorSecure provides software solutions to help with cyber security in the transportation industry, including aviation. It is a cyber security specialist business that supplies a set of two products providing for the active monitoring of systems and anomaly detection. .

RazorSecure Delta

The main product is called RazorSecure Delta, an active intrusion and anomaly detection system. Once you understand what is normal for a system, everything else is outside of that. RazorSecure Delta learns automatically what is normal for a system and importantly it can do this even in a disconnected environment which is why it’s key for transportation.

Say there is a fleet of 20 aircraft, RazorSecure Delta can compare across those planes using ‘the power of grouping’ to identify one that’s different from the rest. There is also independent, on-device decision making so that, if for any reason, connectivity is lost, the system can still support a decision to ensure that the system stays secure.

RazorSecure Delta is being rolled out with VT Miltope on their next generation wireless access points, the MAP3, that comes with Cognitive Hotspot Technology (CHT), which will be on those wireless access points, allowing users to reduce the amount of interference on the Wi-Fi going down the aircraft.

RazorSecure Edge

The second product is RazorSecure Edge designed to help with continuous remote auditing; understanding how systems change over time, what is happening on the network and what is happening across the system. It can be used for things like W-Fi monitoring to understand whether the Wi-Fi provider is delivering a good experience and, at the same time, are they creating vulnerabilities in the system: is there something that you don’t know about?

RazorSecure is also working with Icomera in the rail industry supplying a leading UK train operator and is open to discuss collaborative opportunities with other potential partners.

Alex Cowan founded RazorSecure in 2014 after a decade of working to develop secure systems and prevent intrusions in the gaming industry. Alex is a regular speaker at conferences related to transportation and cyber security, working to raise awareness of cyber security issues in industries that are struggling to meet the challenges of connected transport. RazorSecure is focused on providing next-generation cyber security products to protect transportation including inflight entertainment on planes, rail systems and self-driving and connected vehicles.

When a threat breaches the traditional security ‘walls’, RazorSecure Delta software will actively detect, report and protect the system from the attack in real time, whether the aircraft is connected or not. RazorSecure is working in partnership with manufacturers and system suppliers to provide a fully approved software solution that can be easily deployed on the existing hardware.