Ransomware. In the air?

Introduction

As an exercise, we were asked to look at the potential vectors for ransomware to affect flight despatch and operations. In most cases, flight systems simply weren’t significantly exposed, but ground systems affected by ransomware may make flight ops either impossible or significantly increase workload and consequential delays.

It’s clear to us that the size of the attack surface and attack vectors potentially available make it almost impossible to entirely prevent ransomware in the aviation industry.  Prioritising critical system defences will reduce the risk and any potential damage, in particular for systems where a backup is difficult to source or unavailable.

In theory, ransomware which affects just one device or application could entirely ground an airline.  Traditional ransomware which encrypts files on a device may be clearly visible, however, more subtle effects could include modification of application data.  For example the manipulation of waypoint coordinates on one FMC or EFB may be difficult for an airline to pinpoint which device/s or aircraft are affected.

If the objective is to extort monies from an airline or airport, even the potential of tampering with certain systems could be enough to ground flights.

Potential Attack Areas

Aircraft control systems

We consider this to be least likely, primarily because systems on the aircraft control domain (ACD) are rarely Windows based.  Non Windows systems are at much lesser likelihood of infection from ransomware.  Few strains of ransomware are known for Linux and custom operating systems / custom protocols are even lower risk.  It’s more possible that impacts could be seen from outages on other systems the ACD interfaces with or consumes data from.

Navigation database

Nav dbs have to be updated every 30 days to be legal to fly. This is often done using Gatelink, a platform that allows wireless or mobile data based  updates when the aircraft is on the ground. Whilst the interfaces to the plane are well secured using PKI or similar, the ground platform is perhaps more exposed to a ransomware or related outage. Without Gatelink or similar for a period of time, a visit to the plane with a portable data loader may be required. This may introduce overhead that results in delays.

Tampered nav databases are perhaps more insidious. A modified SID/STAR that you’re expecting isn’t necessarily what you’ll fly, but one can’t check every departure/arrival.  Waypoint coordinates can be cross checked but not every waypoint in the entire FMC.

What if you divert, have an emergency etc.  Every airfield is important.

Radar vectors from a ground controller aren’t a good workaround as one can’t expect them for an entire route. Longhaul flights often operate in areas with no radar.

Ground system outages affecting despatch

Booking systems

Possibly the most likely ransomware related outage is from a booking system. There have been several outages and breaches over recent years of high profile booking systems.

If passenger data cannot be obtained, secure boarding may be impossible.  Even if boarding is possible through backup or paper systems, increased reliance on electronic passenger lists may result in huge inefficiency. Without booking data, it may be impossible to compute to compute weight and balance, which will also prevent departure.

Maintenance

Without a proper maintenance log, the aircraft cannot fly. A related example of this is the RavnAir cyber-attack in December 2019 which grounded 6 aircraft from their Dash 8 fleet.  The attack forced RavnAir to disconnect the Dash 8 maintenance system and backup.

E-tech logs are becoming more common.  One cannot despatch without the captain signing the tech log to confirm he has reviewed the log and any ADD’s are acceptable.  Outage of this would result in grounded aircraft.

Portable Maintenance Access Terminals (PMAT) are often Windows based.  These provide configuration control for software parts in an airlines fleet.  Can collect and return data from the aircraft to the operator, load software parts into the avionics systems, EFBs, nav databases, safety systems, and also provide access to onboard maintenance systems.

Airfield weather

Almost all airfields of any scale publish METAR and TAFs. Without these, the plane can’t fly. Only approved sources can be used, which are typically auto weather stations.  You can’t just google “weather in Boston”! A TAF being unavailable would affect fuel planning and despatch legality.

For METAR data many items could be resolved separately, though RVR and wind data would be more difficult.  The tower controller’s feed comes from the airfield weather station

Satcom

Ground systems for a satcom connectivity provider could be affected by ransomware.  Consider the Colonial Pipeline ransomware attack – the system delivering the service isn’t necessarily the risk.  Inability to track billing could also be a driver for taking down a service.

A lack of satcoms is unlikely to prevent flights dispatching, but will increase load on ground based radio operators.  It’s particularly likely to cause complications or delays for oceanic flights, as the backup would be radio, which would create a bottleneck on HF frequencies.

This would cause issues for oceanic traffic (likely grounded for at least a period).  Flights transiting the North Atlantic come under the Datalink Mandate (NAT DLM).  This means all aircraft transiting the area between FL290 and FL410 require FANS 1/A CPDLC and ADS-C, which require CPDLC when not in VHF coverage.

A lack of satcoms would cause ACARS outages in some areas where VHF coverage is poor, both on ground and when airborne e.g. oceanic sectors

ACARS

An outage of ACARS would cause complexities for operators but could generally be worked around.  Issues would result from bottleneck on VHF frequencies for engineering/ground ops to communicate with pilots

Performance, if not computed on an EFB, is generally produced and sent via ACARS.  Backups are generally not available, although some airlines have been known to send performance calculations via e-mail to pilots when ACARS has failed.

An outage would result in airlines with final loadsheets which are provided during taxi (instead of pre-despatch) experiencing delays as these would be required prior to the doors closing.

Radio communications

Integration of radio operation with PCs may create challenges in the future.  ‘Soft’ radios are increasingly being used, both by ANSPs and in operator ground ops.  If the system hosting the soft radios are unavailable, is a backup available?

Inflight Entertainment (IFE)

Systems often pull content from ground based servers.  Large files such as movies are loaded when there is weight on wheels, using Gatelink over Wi-Fii to reduce data costs.

Outage of the on board IFE itself through ransomware seems fairly unlikely, though is a possibility. It’s more likely that there would be an inability to load content through outage of ground systems.  On longhaul flights this may cause revenue loss through compensating customers.

Some IFE content such as news updates is delivered in-flight.  Losing availability of inflight up-dates is less likely to be of concern. In-flight connectivity is increasingly being relied on by some travellers.  Outage of the ground systems the IFEC interfaces with may cause irritation for passengers.

Electronic Flight Bags

There are potentially multiple attack vectors, though ransomware for iOS is extremely rare, if non-existent. Whilst iPads are popular, Windows OS EFB’s do exist – the A350 EFB is based on a Lenovo laptop running Windows.  Installed EFBs are more difficult to manipulate directly as they are physically protected on board. Compromise of a portable EFBs is more likely, given they are taken to public areas or left in hotel rooms by pilots.  It’s not uncommon for pilots to download EFB application updates and data whilst downroute in hotels or on public Wi-Fi.

Aircraft manuals are required on-board.  QRH, FCOM, FCTM, Performance Manuals are all essential.  Various different developers make aircraft manual applications.  An outage of the EFB without paper manual backups would result in grounded aircraft.

It is vital that charting application data is accurate and available.  Charts are the primary source of navigational information, in the event of a discrepancy between the Nav Database (FMS) and the chart, the chart holds precedence.

Paper backups “may” be available, but likelihood is that it will only be a few backups.  Large airlines have several hundred aircraft – it would be almost impossible to print paper charts again for all fleets.  See the American Airlines EFB incident in 2015 – a duplicate chart in the database made some EFBs unresponsive – no paper backups available.

Weight & Balance / Loadsheet applications are more likely to be found on despatcher devices, although in some airlines pilots do their own weight and balance calculations.

This is critical for the accurate loading of freight and passenger seating.  Not just weight limitations, but trim settings (MAC ZFW / MAC TOW).

Can be done with pen and paper,  but is prone to errors and requires significantly more time to calculate.

Performance applications can be worked around using paper manuals but these are less accurate and less efficient concerning fuel/engine wear.  Small airlines would cope better by using separate systems which can calculate take-off performance separately and communicate results to the aircraft electronically (e.g. via ACARS). If ground systems were unavailable, this would cause further issues and delays. Landing performance can generally be calculated via the paper QRH, so isn’t as much of an issue.