There’s a scene in Die Hard 2 where the bad guys hack into the air traffic control system and change the altitude of ground level so that when the plane comes in for landing, it miscalculates where the ground is and smashes into the tarmac.
Could a cyber attacker really do that?
Aviation cyber security expert Pierre Truter laughs at the question.
“In theory, I think everything is possible,” he says. “I think the reality is a little bit more complicated and I don’t think you’d be able to do that easily.”
That’s a relief.
“Have you seen Die Hard 4?” Truter ping pongs back.
Ah, Die Hard 4. Where computer hackers bring down US transportation grids, the stock market, the power grid – pretty much any infrastructure that depends on computer systems to function.
“Die Hard 4 is a much more plausible scenario of what can happen,” says Truter.
“Aviation is now going through that rapid modernisation from an engineering-focused environment for many years, moving into an integrated digital environment driven by data, and not so much by engineering as we have done in the past.
“We're looking at aircraft becoming more e-enabled, and we're looking at automation in the cockpit so that pilots have less to worry about.
“Even in air traffic control towers, we're looking at moving away from the old traditional towers where people sit in the towers, to what they call a digital environment – an electronic, digital air traffic control environment where people sit back in a room and rely on navigation aids and digital cameras to manage aircraft.”
Welcome to the future.
Up, up and away
Truter has worked in IT for 35 years. Commencing with a role in the military building command control and missile systems, he moved into the aviation industry in 2003, with a 14-year career at Airservices Australia.
“Eight, nine years ago, I was representing Australia at a committee in Montreal which was planning this global automation of air traffic management to move into a digital environment,” he says.
Truter was the chair of that committee for four years.
“As we were planning the global integration and modernisation of all these systems to create a back-end information environment to automate the aviation system, cyber security became a much more prominent issue,” he says.
“I started focussing also on cyber security issues in the Air Traffic Management domain about eight years ago. At the same time, I was also the Chief Information Security Officer for Air Services when I was looking after all cyber security for the air traffic management of the country.
“The question became, ‘If we build this global network on how we can integrate all the back-end systems to enable the future digital Air Traffic Management system, how do you build cybersecurity in it from the beginning?’ Global strategies say that we will have ground to ground, ground to air, and air to air System Wide Information Management (SWIM) by 2028, fully automated.”
What does that mean?
“You won't have voice comms so much, but you will have data comms in future, integrating with the systems. If you have more data comms, you can build more automation into the system and enable aircraft to be more automated.”
“Yes, with all the data that it has on flight paths, and whether to fly around thunderstorms and danger areas. In aviation it is known as a 4-dimensional trajectory. That's part of what the upcoming global data framework is supposed to enable.”
The global framework Truter speaks of is the set of rules to integrate the communications and data networks of 191 countries in the world.
“How do you do that,” he asks, “when every country has got its own cyber security rules and regulations?”
Truter says the challenge is that cyber security is an issue that cuts across all components of aviation.
“At the moment, aviation is still in, let's call it, three silos. You have the air traffic control environment, which is mostly managed by the state. We have the airport's environment which is mostly privatised, and then you have the airlines which are totally separate privatised organisation.
“But this full aviation ecosystem is modernising at the moment, and we still have this fragmented approach.
“To me, the technology is not so much a challenge, but it's more the management aspect. How do you get the governance, the policies and the procedures to guide cyber security in this fragmented environment?
“How do you build cyber security by design, in the beginning, as we modernise the systems?
“To me, that is the biggest challenge for cybersecurity in aviation at the moment.”
Ready to board
If the thought of an airplane making its own decisions frightens you, you probably won’t like this next bit.
“If you look at the documents of the global air navigation plan from the International Civil Aviation Organisation (ICAO), it states that they would like to reduce pilots in the cockpit to one person in the future because the rest of the workload will be taken over by automation.
“At the last aviation show in Singapore about two months ago, they had the first discussion of what a cockpit would look like for an aircraft with only one pilot in the cockpit, and a lot of automation in the whole ecosystem. This will first be introduced in cargo aircraft.
“At the moment, it is possible to fly aircraft without the pilot. We've seen the military do that many, many times. Technically, it's possible, but to move into that environment for commercial aviation – that I think is their biggest challenge.”
You read that correctly. Commercial airliners will probably one day fly themselves.
While we’re still getting our heads around driverless cars, buses and trucks, the thought of an airliner flying itself with 200+ people on board is terrifying.
“I personally think it will be many, many years before the public will be happy to accept something like that,” Truter says.
“I would really like to fly with a pilot in the cockpit,” says Truter.
“I would not like to leave everything to artificial intelligence and automated systems because there's always that one in a million chance when you need to land the aircraft in the Hudson, when you still need a pilot that can make some decisions.”
Truter says that in a much more integrated aviation environment, it’s possible to see an air traffic control system hacked and shut down.
The result? Chaos.
“You can just imagine if you take a big airport like Sydney and you shut it down – nothing can move. Sydney being a big hub, just imagine if nothing can get in and out of Sydney for a few hours. You disrupt your whole aviation network in the country. The economy of the country takes a huge knock.”
There are three possible reasons for a cyber attack, says Truter.
“You've got firstly the people that try to hack in to get a feather in the hat, and say, ‘You know, I hacked an air traffic control system. Now, I can become part of the web group Anonymous’. That's one scenario.
“We've seen some of the other scenarios where state organisations will just hack into your organisation and not disrupt anything, but just sit on your network, waiting for that one day that they need to shut down your air traffic control system or disrupt your air traffic control system. That’s the second scenario.
“In the third scenario, we've seen that systems can be shut down, like we've seen like in any other industry and they say, ‘Pay me five Bitcoins so you can have access to your systems again’, so the same scenario that you have in banks and everything else can happen in air traffic control environments, exactly the same.”
“The problem is just that the air traffic controller environment or aviation has such a big impact on the economy of the country, and I think that's the biggest risk that we have in the aviation industry.”
“It's becoming much more difficult to stay ahead of hackers because the attack vector is becoming so much bigger as we move to fully automated systems in future.”
Truter says that what really scares him is not the fact that somebody will hack in and shut down systems or delete data “because we prepare for something like that, in all eventuality.”
“If data goes offline, aircraft will not fall out of the sky,” he says.
“What scares most of us is when people hack into your system and start changing the data slowly but surely, and you cannot see the changes in the system. That's much more risky.
"As an example, when somebody comes in and constantly changes the arrival and departure dates of aircraft, that would disrupt your whole network.
“It's more just corrupting the data than destroying the data. Changing the data in the system is much more a risky proposition from an aviation perspective.
“That's one of the biggest risks that I see in the next few years.”
Staying the course
Today, Truter works for a private aviation supplier.
“I'm now more involved from the industry side to look at the cybersecurity standards and frameworks for the people that are building the global aviation industry.
“I'm more from the supplier side now, and asking, how do we build this in future. How do you set the global governance standards, local security standards, to build the global aviation system?
“My focus is on how do you create a standard, a framework, templates, and policies and strategies for the aviation ecosystem, which includes air traffic management, airport, and airlines, that full ecosystem. What is the framework to determine all the risks as you modernise the system? That's where my focus is."
As systems are modernised in the future, the challenge lies in bringing the government systems and private industry together to come up with one framework to secure commercial aviation, Truter explains.
“Because you've got one part that lies in government that follows the government rules and standards, but a lot of it is private organisations, like airlines and airports. They follow their own security standards.
“For the Federal Government, cyber security for critical infrastructure is also a sovereign issue.
“How do you set up one framework for the ecosystem that combines commercial interest and government interest under one banner and build a secure system?
“That's the biggest challenge, and that's really what keeps me up at night.”
Pierre Truter is an ACS Certified Professional (Cyber Security).
In our CYBER EXPERTS SERIES, Information Age talks to cyber security leaders across Australia and beyond about the biggest threats facing the industry, how they got into cyber security, and what keeps them up at night.