The world of Air Traffic Control and the ATSEP have not always been focused on the latest techniques and trends in cyber attack and defense. In the past, this competence was not part of the ATSEP's required core qualifications. Recent developments and attacks on public infrastructures, however, have raised awareness significantly.
When cyberattacks are mentioned in the aviation context, one generally imagines attacks against Cyber-Physical Systems (CPS) such as connected platforms in airplanes, avionics, remote control of planes, inspection drones or IoT devices in general.
Such attacks are difficult, and only a very small number of organizations could, in theory, carry them out.
In fact there are much simpler attacks which can be performed against Air Traffic Control (ATC) infrastructures. Air Traffic Control is vital in aviation. The controllers (ATCO) are the coordinators who direct and guide airplanes from take-off to landing.
In big airports such as Heathrow, where a plane takes off or lands on average every 45 seconds, disruption of ATC operations could have serious or even dramatic effects on the safety of the passengers of the nearby airplanes. Moreover, in such airports, ATC personnel losing control of the traffic picture is very likely to end in disaster.
Indeed, planes cannot stay in the sky forever. They need to be allocated a runway for landing. One may imagine what could happen if ATC data were missing, incomplete or even faked by a malicious cyber attacker.
Cyberattacks almost always exploit flaws: defects in the logic of programs or protocols. Digital technology is very powerful, but it is built from a very large number of layers and components, all interacting with each other.
While an analog signal can be relatively simple to encode or decode, a network protocol stack can be incredibly complex and involve many layers. Each of these layers can potentially be attacked.
With computers and programs it is even worse. A machine runs many such stacks (network, USB, file formats, the operating system itself), and each of them exposes an attack surface that is often unprotected.
Not so long ago, the idea of 'secure programming' simply did not exist. The notion of a software vulnerability only emerged over time. Programs written in C or C++, for example, could be vulnerable to so-called buffer overflows (and they still are, as much as ever).
The well-known OpenSSL library was hit in 2014 by a bug named Heartbleed, caused simply by a missing check: the length field in an incoming heartbeat message was never compared with the number of bytes actually received.
That one error affected hundreds of thousands of internet-facing servers, and patches had to be issued very urgently.
Fortunately programmers are usually "good guys" and they generally care about such things. The programming ecosystem works with permanent vulnerability analysis, often driven by enthusiasts, followed by patching. A public catalogue, CVE (Common Vulnerabilities and Exposures), assigns each publicly known vulnerability an identifier, and vulnerability databases such as the NVD build on it.
Many other such databases exist, private or public. Big software vendors such as Microsoft maintain their own advisory databases.
Scanning, testing, patching ... scanning, testing, patching ... and so on, to always keep a head start over attackers, is the rule in the cybersecurity world. What used to be a source of shame for software vendors (revealing defects) is now a normal process.
Without such a policy, software in general would be deeply flawed. After all, airplanes too go to the hangar throughout their life to be inspected and repaired and to have parts replaced.
Despite all this, cyberattacks do occur and are expected to increase strongly in the next few years.
Cyberattacks against airports have fortunately remained something of a global taboo. Risking a catastrophe by disrupting ATC operations would be cyberterrorism of the worst kind. But the probability is high that ATC will become a high-value target for cyberattacks, given the keystone position that aviation holds in international trade and travel and the magnitude of the ransom that could be extracted.
This section categorizes cyberattacks and gives a first introduction to defense mechanisms.
Malware is, in general, a malicious program designed to act against the interests of the user of the machine. The techniques used in such a program can be extremely varied.
If the malicious program replicates itself by attaching to other programs or files, spreading when those are copied to other machines (on hard drives, USB drives or shared files), it is called a computer virus. If the malicious program looks like and pretends to be a legitimate program, 'mimicking' normal behaviour while doing something else, it is called a Trojan.
Sometimes malicious programs spread fully automatically across a local network or the internet, exploiting a vulnerability in a network service without any user action. Such programs are called 'network worms'. They are far more infectious than file-infecting viruses and have periodically hit millions of computers across the world, causing "computer pandemics" (examples of such worms are Code Red, Nimda and SQL Slammer; CryptoLocker, sometimes listed alongside them, was ransomware delivered mainly through e-mail attachments rather than a self-propagating worm).
The most usual way to fight malware is to use an antivirus program and to deny users administrative rights through a strict security policy on the machines. Sadly, corporate IT security policy often leaves room for improvement, and a conventional antivirus on its own stops only a fraction of threats, by some estimates around 30 %.
Such malware is usually downloaded from the internet and installed by careless computer users, or arrives on an infected flash drive. Once on a machine, a worm or e-mail-borne malware may spread to every other reachable machine, or to every contact found in address books, and so on.
Therefore educating computer users is a good way to prevent malware from being installed.
Phishing is a cyberattack based mostly on social engineering. A typical phishing message imitates a legitimate message from an organization and asks the victim to install a program, click on a link, enter credentials or carry out some action on their computer. Phishing can be done via e-mail, SMS ('smishing'), phone ('vishing') or even video conferencing. 'Deepfake' phishing, in which the voice or face of a known person is synthesized, is a particularly convincing recent form.
Since the beginning of COVID and the increase in remote working, the "quality" of phishing attacks has improved drastically, through personalized and well-crafted messages which often fool even vigilant users.
Man-in-the-middle attacks are a class of cyberattacks that is probably among the most dangerous, if not the most dangerous of all.
A man-in-the-middle attack can undermine even the most sophisticated security systems, because it sits inside a channel that both ends believe to be direct. Remedies do exist, but they must be applied end to end, and they are frequently missing.
In such an attack, the attacker is able to pose as a certain identity: for example, a server. The attacker forwards all traffic to and from the real, legitimate server, but is able to read the data and even tamper with it. The target believes it is "talking" to the real server, since it sees all the expected data, and is unaware that its connection has been intercepted and tampered with.
Man-in-the-middle attacks take many shapes: ARP spoofing on a local network, DNS cache poisoning (DNSSEC exists to counter it, where it is deployed), TLS interception with a forged or rogue certificate, etc.
Man-in-the-middle attacks are poorly prevented in practice. The usual defence is an authenticated, encrypted channel (TLS backed by a PKI, so that the client can verify the server's certificate), but the PKI itself can be subverted: a compromised or careless certificate authority, a rogue root certificate installed on the client, or a client that simply does not validate certificates properly.
Multi-factor authentication raises the cost of credential theft, but it does not by itself defeat a man-in-the-middle that relays a live session; only phishing-resistant factors bound to the origin (such as FIDO2 security keys) resist relaying. What counters the interception itself is authentication of the channel (certificate validation, DNSSEC, mutual TLS for machine-to-machine links), and that is also what fits automated systems, which cannot type in an SMS code or scan a fingerprint each time a computer connects to a DNS server.
In a denial-of-service (DoS) attack, the attacker floods the system and makes it non-operational by 'bombarding' it with requests.
This is typical of network attacks. An attacker makes a website (or any server) non-operational by opening a huge number of TCP connections, or by sending SYN packets without ever completing the handshake so that the server's connection table fills up. The server saturates and crashes, or can no longer function properly.
Such attacks are well known. Intrusion detection systems such as Snort can detect them automatically; actually countering them takes rate limiting, SYN cookies or upstream filtering.
A specific subtype of DoS attack is the distributed DoS (DDoS). In such an attack a network of attacking computers (usually a botnet) synchronizes DoS attacks. The volume can be colossal, in the range of terabits per second. Even the tech giants such as Google, Microsoft or Amazon have had to absorb attacks at that scale, and they rely on large, distributed mitigation capacity rather than on the resilience of any single server.
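The SYN-flood pattern described above can be picked out of a packet log with a simple per-source count of half-open connections. The following C program is an added example written for this article, not code from the original page or from Snort: it reads constructed log lines of the form `t=<seconds> src=<ip> dst=<ip:port> flags=<S|A>`, counts SYNs that are never followed by a handshake-completing ACK inside a sliding window, and flags the source once the count crosses a threshold. The log format, the addresses and the tunables are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Tunables, constructed for this demo (not a vendor default): a source with
 * this many SYNs not followed by a handshake-completing ACK within the
 * window is flagged as a probable SYN flooder. */
#define WINDOW_SECONDS      10
#define HALF_OPEN_THRESHOLD 5
#define MAX_SOURCES         64

typedef struct {
    char ip[16];        /* dotted IPv4 of the source */
    int  window_start;  /* timestamp that opened the current window */
    int  syn;           /* SYNs seen in the window */
    int  ack;           /* handshake-completing ACKs seen in the window */
    int  flagged;       /* 1 once the threshold was crossed */
} SourceStat;

typedef struct { SourceStat src[MAX_SOURCES]; int n; } Tracker;

static SourceStat *lookup(Tracker *tr, const char *ip, int now)
{
    for (int i = 0; i < tr->n; i++)
        if (strcmp(tr->src[i].ip, ip) == 0)
            return &tr->src[i];
    if (tr->n == MAX_SOURCES)
        return NULL;
    SourceStat *s = &tr->src[tr->n++];
    memset(s, 0, sizeof *s);
    strncpy(s->ip, ip, sizeof s->ip - 1);
    s->window_start = now;
    return s;
}

/* Feed one inbound-packet log line. Returns 1 if this packet raised an
 * alert for its source, 0 otherwise, -1 if the line does not parse or the
 * source table is full. */
int observe(Tracker *tr, const char *line)
{
    int t;
    char ip[16], dst[32], flags[8];
    if (sscanf(line, "t=%d src=%15s dst=%31s flags=%7s", &t, ip, dst, flags) != 4)
        return -1;
    SourceStat *s = lookup(tr, ip, t);
    if (s == NULL)
        return -1;
    if (t - s->window_start >= WINDOW_SECONDS) {   /* window expired: restart */
        s->window_start = t;
        s->syn = s->ack = s->flagged = 0;
    }
    if (strcmp(flags, "S") == 0)
        s->syn++;
    else if (strcmp(flags, "A") == 0)
        s->ack++;
    /* SYNs never followed by an ACK are half-open connections. An honest
     * client, however busy, completes its handshakes and stays below. */
    if (!s->flagged && s->syn - s->ack >= HALF_OPEN_THRESHOLD) {
        s->flagged = 1;
        return 1;
    }
    return 0;
}

/* Run a whole log through the tracker; returns the number of alerts. */
int analyze(Tracker *tr, const char *const *lines, size_t n)
{
    int alerts = 0;
    for (size_t i = 0; i < n; i++)
        if (observe(tr, lines[i]) == 1)
            alerts++;
    return alerts;
}

int is_flagged(const Tracker *tr, const char *ip)
{
    for (int i = 0; i < tr->n; i++)
        if (strcmp(tr->src[i].ip, ip) == 0)
            return tr->src[i].flagged;
    return 0;
}

/* Constructed sample: 192.0.2.7 completes two handshakes; 203.0.113.9
 * sends six SYNs and never completes one. */
const char *const sample_log[] = {
    "t=1 src=192.0.2.7 dst=198.51.100.5:443 flags=S",
    "t=1 src=192.0.2.7 dst=198.51.100.5:443 flags=A",
    "t=2 src=203.0.113.9 dst=198.51.100.5:443 flags=S",
    "t=2 src=203.0.113.9 dst=198.51.100.5:443 flags=S",
    "t=2 src=203.0.113.9 dst=198.51.100.5:443 flags=S",
    "t=3 src=192.0.2.7 dst=198.51.100.5:443 flags=S",
    "t=3 src=192.0.2.7 dst=198.51.100.5:443 flags=A",
    "t=3 src=203.0.113.9 dst=198.51.100.5:443 flags=S",
    "t=3 src=203.0.113.9 dst=198.51.100.5:443 flags=S",
    "t=4 src=203.0.113.9 dst=198.51.100.5:443 flags=S",
};
const size_t sample_log_len = sizeof sample_log / sizeof sample_log[0];

int main(void)
{
    Tracker tr;
    memset(&tr, 0, sizeof tr);
    int alerts = analyze(&tr, sample_log, sample_log_len);
    printf("%d alert(s); 203.0.113.9 flagged: %d\n", alerts, is_flagged(&tr, "203.0.113.9"));
    return 0;
}
```

Counting SYNs minus ACKs, rather than SYNs alone, is what keeps a busy but legitimate client from being flagged. In a real DDoS the sources are many and spoofed, so a per-source count like this catches a single flooder but not a botnet; for that the aggregate SYN rate and SYN cookies on the server are the relevant tools.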
A brute-force attack tries to guess the password needed to enter a private area by trying all possible combinations. Attackers use dictionaries of common passwords or, when they have obtained a stolen password hash to crack offline, precomputed rainbow tables.
Some attackers (especially "state-backed" ones) have significant resources: hundreds of servers or GPU clusters capable of trying billions of candidates per second against a stolen hash. A safe password should therefore have significant entropy, which is rarely the case.
Online guessing is easily countered by simple measures: imposing a waiting time or a lockout after a few incorrect passwords, or presenting a CAPTCHA. After all, a normal user would not try a password hundreds of times within a few seconds. Offline cracking of stolen hashes is slowed down by storing passwords with a deliberately slow, salted hash such as bcrypt, scrypt or Argon2.
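The waiting-time countermeasure above is simple to implement but has details worth getting right: the lock must be enforced before the password is even checked, and it should grow with repeated failures. The following C program is an added example written for this article, not code from the original page: a small per-account limiter that locks an account after three consecutive failures for 30 seconds, doubles the lock on each further failure up to an hour, and resets on success. The password verification itself is assumed to happen elsewhere (a slow, salted hash comparison) and is passed in as a verdict; the policy constants and the data structure are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Policy values constructed for this demo: after MAX_FAILURES consecutive
 * wrong passwords the account is locked for BASE_LOCK_SECONDS, and the lock
 * doubles with every further failure, capped at MAX_LOCK_SECONDS. */
#define MAX_FAILURES      3
#define BASE_LOCK_SECONDS 30
#define MAX_LOCK_SECONDS  3600
#define MAX_ACCOUNTS      64

typedef enum { LOGIN_OK = 0, LOGIN_BAD_PASSWORD = 1, LOGIN_LOCKED = 2 } LoginResult;

typedef struct {
    char user[32];
    int  failures;      /* consecutive failed attempts */
    int  locked_until;  /* timestamp (seconds); 0 when not locked */
} AccountState;

typedef struct { AccountState acct[MAX_ACCOUNTS]; int n; } Limiter;

static AccountState *find_or_add(Limiter *l, const char *user)
{
    for (int i = 0; i < l->n; i++)
        if (strcmp(l->acct[i].user, user) == 0)
            return &l->acct[i];
    if (l->n == MAX_ACCOUNTS)
        return NULL;
    AccountState *a = &l->acct[l->n++];
    memset(a, 0, sizeof *a);
    strncpy(a->user, user, sizeof a->user - 1);
    return a;
}

/* Decide on one login attempt at time `now`. `credential_valid` is the
 * verdict of the real password check, done elsewhere. It is ignored while
 * the account is locked, so guesses made during a lock yield no information
 * and cost the attacker the full waiting time. */
LoginResult login_attempt(Limiter *l, const char *user, int credential_valid, int now)
{
    AccountState *a = find_or_add(l, user);
    if (a == NULL)
        return LOGIN_LOCKED;            /* table full: fail closed */
    if (now < a->locked_until)
        return LOGIN_LOCKED;
    if (credential_valid) {
        a->failures = 0;
        a->locked_until = 0;
        return LOGIN_OK;
    }
    a->failures++;
    if (a->failures >= MAX_FAILURES) {
        long lock = BASE_LOCK_SECONDS;
        for (int extra = a->failures - MAX_FAILURES; extra > 0 && lock < MAX_LOCK_SECONDS; extra--)
            lock *= 2;                  /* exponential back-off */
        if (lock > MAX_LOCK_SECONDS)
            lock = MAX_LOCK_SECONDS;
        a->locked_until = now + (int)lock;
    }
    return LOGIN_BAD_PASSWORD;
}

/* Seconds left on the lock, 0 if the account is open or unknown. */
int seconds_until_unlock(const Limiter *l, const char *user, int now)
{
    for (int i = 0; i < l->n; i++)
        if (strcmp(l->acct[i].user, user) == 0)
            return l->acct[i].locked_until > now ? l->acct[i].locked_until - now : 0;
    return 0;
}

int main(void)
{
    Limiter l;
    memset(&l, 0, sizeof l);
    /* Three wrong guesses one second apart, then the right password. */
    for (int t = 0; t < 3; t++)
        login_attempt(&l, "alice", 0, t);
    printf("correct password at t=3 -> %d (2 = locked), unlock in %d s\n",
           login_attempt(&l, "alice", 1, 3), seconds_until_unlock(&l, "alice", 3));
    return 0;
}
```

Two caveats a practitioner will want: a per-account lockout lets an attacker lock legitimate users out on purpose simply by guessing wrong against their names, so it is usually combined with per-source rate limiting and a progressive delay rather than a hard lock; and the response for an unknown user name should be indistinguishable from a wrong password, or the limiter becomes an account enumeration oracle.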
This attack is already in circulation, often under the name BadUSB. All that is needed is a modified USB device. Because USB trusts whatever a device declares itself to be, a device that looks like a flash drive can present itself to the computer as a keyboard and type arbitrary commands into it....
Countermeasures: physically or logically block the USB ports of operational systems, allow only approved devices (device allow-listing) and block newly attached keyboard-class devices, and disable autorun.
This type of attack targets unprotected buffers in online systems. By deliberately sending malformed data, often more data than the program expects, the attacker overwrites the memory next to the buffer (for instance a return address on the stack) so that execution is diverted to code or commands of the attacker's choosing. It is still a very common attack. Techniques that use such flaws in programs or protocols are called, in general, 'exploits'. An exploit for a vulnerability that is not yet known to the vendor, and for which no patch exists, is called a "zero-day exploit". Such exploits are rare and are sold for large sums on the darknet.
There is no patch, by definition, against a zero-day exploit, because the vulnerability has gone unnoticed by the vendor and the community of security researchers. That is why they are so effective and so valuable. Generic mitigations (non-executable stacks, address-space layout randomization, stack canaries, sandboxing and least privilege) do not remove the bug, but they make it harder to turn into code execution and limit the damage when it is.
As mentioned before, the countermeasure against exploits for known vulnerabilities is to patch systems permanently, each time a new vulnerability is disclosed.
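The missing length check behind Heartbleed, mentioned earlier, and the oversized-input attacks described in this section come down to the same mistake: trusting a length field that the attacker controls. The following C program is an added example written for this article, not OpenSSL's code. It simulates a server's receive buffer immediately followed by key material, shows the vulnerable echo handler leaking that material when a 2-byte payload claims to be 80 bytes long, and the one comparison that fixes it. The memory layout, the record format and the names are assumptions for the demo; the real bug read from OpenSSL's own record buffer and could claim up to 65535 bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated server memory (constructed for the demo, not OpenSSL's real
 * layout): a 64-byte receive buffer immediately followed by key material. */
#define RECV_SIZE 64
#define HDR_SIZE  3   /* 1 byte type + 2-byte big-endian payload length */
unsigned char memory[RECV_SIZE + 32];
const char secret[] = "SERVER_PRIVATE_KEY_MATERIAL";

/* Put a heartbeat-style record into the receive buffer. `claimed_len` is
 * what the packet *says* its payload length is; `payload` is what actually
 * arrived. Returns the number of bytes that really came off the wire. */
size_t receive_record(uint16_t claimed_len, const char *payload)
{
    memset(memory, 0, sizeof memory);
    memcpy(memory + RECV_SIZE, secret, sizeof secret);
    memory[0] = 1;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    size_t n = strlen(payload);
    if (n > RECV_SIZE - HDR_SIZE)          /* the receive path itself is bounded */
        n = RECV_SIZE - HDR_SIZE;
    memcpy(memory + HDR_SIZE, payload, n);
    return HDR_SIZE + n;
}

static size_t claimed_length(const unsigned char *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable echo: copies as many bytes as the packet claims, never
 * comparing that with how many were received. This is the shape of the
 * Heartbleed bug. */
long vulnerable_echo(const unsigned char *rec, size_t received, unsigned char *reply)
{
    (void)received;                        /* the bug: never consulted */
    size_t len = claimed_length(rec);
    memcpy(reply, rec + HDR_SIZE, len);    /* reads past the received bytes */
    return (long)len;
}

/* Fixed echo: reject any record whose claimed length exceeds what arrived.
 * Returns -1 for a rejected record (the real fix silently drops it). */
long fixed_echo(const unsigned char *rec, size_t received, unsigned char *reply)
{
    if (received < HDR_SIZE)
        return -1;
    size_t len = claimed_length(rec);
    if (len > received - HDR_SIZE)
        return -1;
    memcpy(reply, rec + HDR_SIZE, len);
    return (long)len;
}

/* 1 if `needle` occurs in the first n bytes of buf. */
int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char reply[256];
    /* A 2-byte payload that claims to be 80 bytes long. 80 is chosen so the
     * over-read stays inside the simulated memory array. */
    size_t got = receive_record(80, "hi");
    long n = vulnerable_echo(memory, got, reply);
    printf("vulnerable: echoed %ld bytes, secret leaked: %d\n",
           n, contains(reply, (size_t)n, "PRIVATE_KEY"));
    n = fixed_echo(memory, got, reply);
    printf("fixed: result %ld (record rejected)\n", n);
    return 0;
}
```

The same comparison, applied on the way in rather than on the way out (never copy more into a fixed-size buffer than it can hold), is what prevents the overwrite variant described in this section. Note that the check must be done against the number of bytes actually received, not against another field of the same packet.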
In this article we have only looked at the tip of the iceberg. There are more types of cyberattacks, and new evil cyber-ideas are born every minute as you read this article. There is a permanent war going on between cyber-attackers and cyber-defenders. The solution might be for everybody to be nice, as in the good old days of the internet (I mean before the 90's...), but that does not seem to be the actual trend. So while we wait for better digital times, the cyberwar is raging.
We hope we have given you an instructive overview of the domain. In the subsequent articles, we dive deep into the specifics of cyberattacks and the suitable, customized cyber-defense in ATC.
SkyRadar focuses on ATSEP and ATCO training. For many years we have worked on, researched and developed training solutions for radar and cybersecurity technologies. SkyRadar's Breach, Attack & ATSEP Qualification has been developed for ATSEP training in the context of Aviation Academies and Universities. We deliver these solutions and deploy them in the academies. And we provide train-the-trainer seminars for ATSEP trainers in your academies. These trainings can be basic or advanced. With 20+ years of experience in cyber-defense, we bring real-life experience, and a head start against those attackers who are already waiting in the wings ...
Stay tuned for the forthcoming articles on cyber-defense in ATC, or sign up for a free two-week trial of our Breach, Attack & Defense Simulator:
Martin Rupp is a cryptographer, mathematician and cyber-scientist. He has been developing and implementing cybersecurity solutions for banks and security relevant organizations for 20 years. Currently he is researching attack scenarios and the role of AI in ATC cyber-security.
Peter Smirnoff has long experience in cryptography, both in industry and research. Peter has worked on the Windows Crypto API, OpenSSL, digital signatures, X.509 certificates etc. He has profound implementation experience with PKCS#11 smart cards on both Linux and Windows platforms.
Ulrich Scholten is a founder of SkyRadar. As a research associate at the Karlsruhe Service Research Institute, he researched network effects, emergence and control mechanisms in platforms and distributed cloud scenarios. He holds several patents in radar technology and the Internet of Things and a PhD in Cloud computing.