Panasonic Avionics Discusses Cyber Protecting Connected Aircraft

In 2015, cybersecurity consultant Chris Roberts claimed to have hacked an airliner while riding it, drawing the immediate attention of federal authorities while underscoring the need for comprehensive cybersecurity for airliners that even now are becoming more rather than less connected.

Lost in the rush to update legacy aircraft with state-of-the-art avionics and electronic cabin amenities like wireless internet was a focus on securing those systems against intrusion by bad actors.

“Airplanes were never designed to be connected, whatsoever, to the internet,” said Panasonic Avionics Information Security Officer Michael Dierickx. “What we did was make a giant [internet of things] device.”

It is important for passengers to feel safe when they fly, and they are, but safety and security are not the same thing, Dierickx said. Passengers should know the difference and airlines should focus on both, he said.

“It comes to end user training,” Dierickx said. “What the passenger really needs to be aware of is while the airline is offering you a better user experience, there is no difference between that wireless onboard an aircraft and going to a Starbucks. Wireless technology is wireless technology. Passengers will always confuse security with safety. If somebody hacks another passenger on an aircraft, someone thinks that means they can take over a flight-control system — and that’s absolutely false.

Roberts is less confident in system segregation as a safety mechanism and believes flight-critical systems are still at risk of intrusion, interference or disruption. The U.S. Department of Homeland Security has recognized those vulnerabilities and is working to prevent future hacking, he said.

“My concern is still valid,” he said. “There is too much of an attitude that we have segmented it. We have the perception of an air gap, so we should be fine. Nobody has hacked us yet, so why would they now? A lot of industries are realizing it is not the way to go.”

Traditional technology companies deal with a very different regulatory landscape than the one imposed on airlines by the FAA, EASA and other civil aviation regulatory and standards bodies. Aviation companies are forced to merge fast-paced, constantly updating software with hardware that deals in decades-long lifecycles, all while keeping airplanes connected and secure.

If the friction between hardware and software is poorly managed, the consequences are drastic: a relatively minor incident of a hacker exploiting vulnerabilities can cost a company millions. When you’re dealing with planes carrying passengers, serious issues are life-and-death.

Neil Adams, director of national defense at nonprofit defense research-and-development lab Draper, said interception of transmitted data is the most visible cybersecurity threat and therefore receives the most attention.

Ensuring software and upgrades to existing systems are free of bugs or defects also is important. That task is made more difficult when companies employ commercial off-the-shelf (COTS) products and customize them for their use, a fast and easy way to keep up with technology advancements at low cost, Dierickx said.

If a company is using heavily modified COTS products, the latest firmware update might not be compatible, and there is a long lag time before that can be addressed. Multiply that by lots of products all potentially receiving frequent updates and add in regulatory delays, and the risk of vulnerabilities increases.

It is difficult to maintain information and software assurance without securing and monitoring supply chain, especially when dealing with suppliers in countries known for counterfeit products like China, he said.

Finally, anti-tampering measures should be taken to ensure components are resistant to reverse engineering, signal processing and algorithm abuse, Adams said.

While information assurance gets by far the most attention, anti-tampering can be a real concern for particularly older components that are fundamentally unsecure. But the two bigger areas of concern, according to Adams, are supply chain integrity and software assurance. They are the industry’s biggest weaknesses, but neither get the attention required, Adams said.

Information assurance gets so much attention because it is a relatable problem. The fact that the data is being generated and transmitted is one of the major reasons cybersecurity is such a pressing issue. However, simply trying to intercept and de-crypt pieces of secure data is not one of the more reliably effective methods of accessing that data. Valuable data will usually be secured, and a better payoff for hackers will come from abusing component vulnerabilities to gain access to systems, from which point they can continually harvest data or wreak havoc.

Data security doesn’t change dramatically between the terrestrial and airborne spheres. Some of the biggest problems the aviation industry encounters in the other stovepipes come about because the traditional cybersecurity practices that would be used in terrestrial instances no longer apply in the same way, according to Panasonic’s Dierickx.

Aer Lingus, Air Canada and Latam CEOs Discuss IFEC Strategies

At Airline Passenger Experience (APEX) Expo 2018 in Boston last month, many airline Chief Executive Officers (CEOs) spoke to the importance of the connected aircraft, and the impact it has on their overall strategy. While they did not necessarily talk about satellite technology, it is clear that connectivity will be at the heart of the passenger experience, and satellite-based connectivity will have an increasing importance. One of the most talked about speakers in Boston was Claudia Sender, the CEO of Latam, and one of the few female CEOs of a major airline. She said that Latam was using advanced analytics to improve the customer experience. The airline has launched 60 new routes over the last two years. Sender admitted that the cabin experience is the main driver for customer satisfaction and a crucial factor for airline choice, so the airline has embarked on an extensive customer experience revamp. It is investing $400 million in cabin retrofits over the next three years. “We are looking to invest in a better In-Flight Entertainment (IFE) look and feel including 18-inch screens. “IFE is one of the most important things. It is essential that our customers have great content available. The new user interface will have a refreshed and harmonized look and feel,” said Sender. “It is important for us to have Wi-Fi on board. We are revamping the entire applications we have on board. There will be super-personalization of the customer experience.” Aer Lingus, Ireland’s national airline, is also at an interesting time as it looks to bring more connectivity to its passengers. The airline has been serving customers since 1936. Aer Lingus CEO Stephen Kavanagh said that the airline is planning on offering a free Wi-Fi product for those in the economy cabin, as the airline plans to modernize its brand. Wi-Fi will be at the heart of its plans going forward. “We are focusing on what our guests are telling us, and how the industry is reacting,” he said. “We will turn on 20 megabits of Wi-Fi in 2019 — that is alongside the brand refresh we are doing. We see now as a very appropriate time to do this. While Aer Lingus is getting set for a busy 2019 as it plans to bring connectivity to passengers, others are slightly more advanced in their plans. Aeromexico has long been a pioneer in bringing connectivity services to passengers, and even has a partnership with Netflix. Its CEO Andres Conesa said the airline had seen penetration increase three times in e-commerce over the last four years. The airline will continue to work hard to boost its connectivity options to passengers. American Airlines CEO Doug Parker said the airline now has satellite Wi-Fi on its planes, and described it “as a much better product” and gives them much more flexibility than a seatback. “This is a much better product. This allows people to stream Netflix, for example. This is definitely the future. My children never even watch their TV. That is what will happen on the airplanes. We have it now on a third of our aircraft. It is a night and day difference. It will have a whole different feel,” he said. Another North American airline, Air Canada, also outlined some of its plans in this area. Air Canada CEO Calin Rovinescu admitted that the airline is looking to push suppliers on the connectivity side. “We are not fully satisfied with what we are seeing on the streaming side, but, we are continuing to work with suppliers. Connectivity needs to work really well,” he said.

Three Business Jet Connectivity Challenges You Can Overcome – Partner Content

Business jet passengers expect all facets of their journey to be first-class, and connectivity is no exception. Demands for a fast and seamless internet connection keep growing, and the current “one-size-fits-all” connectivity model does not take service provider needs into account. Learn about some of the key challenges that could be holding you back from delivering value and how to overcome them.

#GCAPODCAST Ep. 5: How IOACTIVE Hacked into an In-Flight Modem

Ruben Santamarta, principal security researcher for IOACTIVE.

Ruben Santamarta, a cybersecurity researcher with IOACTIVE used a “back-door” vulnerability to demonstrate his ability to hack into an in-flight commercial airplane’s satellite internet modem. We discuss the demonstration with Ruben and his IOACTIVE colleague Josep Pi Rodriguez. The cyber experts explain how the flaw that allowed the hack to occur was resolved by the industry.

#GCAPODCAST Ep. 4: Alaska Airlines Director of Information Security Part 2

Alaska Airlines Director of Information Security Architecture Jessica Ferguson.

This is the second part of our interview with Alaska Airlines Director of Information Security Architecture we discuss the aftermath of the hacking incident and her involvement with the Aviation Information Sharing & Analysis Center (Aviation ISAC) to prevent similar incidents from occurring again.

SPONSORED BY:

#GCAPODCAST Ep. 3: Alaska Airlines Director of Information Security Architecture Part 1

The first half of our two-part interview with Alaska Airlines Director of Information Security Architecture Jessica Ferguson discusses the cyber attack the airline experienced in 2017. In this episode, we discuss how the attack happened and what Alaska did to resolve it.

Look out for part two of our interview with Jessica when we discuss the aftermath of the hacking incident and her involvement with the Aviation Information Sharing & Analysis Center (Aviation ISAC) to prevent similar incidents from occurring again.

SPONSORED BY: 

Copa Airlines Evaluating In-Flight Internet as Future Fleet Upgrade

Copa Airlines is evaluating a future upgrade path to enabling in-flight internet across its fleet of more than 100 Boeing and Embraer aircraft. The Panama-based airline has lead Latin American carriers in on-time performance for five consecutive years, however none of those flights have occurred on connected airplanes asCopa currently only offers a variety of seatback and streaming in-flight entertainment. That could change in the future, said Dennis Cary, SVP of commercial and planning for Copa Airlines, during an interview with the Global Connected Aircraft Summit at the the 2018 Boyd International Aviation Forecast Summit. “Right now we don’t offer internet connectivity, but it’s certainly something that we’re evaluating,” said Cary. “Our goal is when we make that decision to get the technology and partner right, so that we have a sustainable product that we can offer.” Among the factors Copa is evaluating is finding a service provider that can establish a price point that Copa’s passengers find affordable. He also wants to find a solution that is flexible and will not require major aircraft modification to enable future service upgrades. Another challenge for Copa is finding a satellite service provider with seamless coverage through the areas of South America that it flies. The performance of aircraft antennas operating closer to the equator along routes in the Latin American region are challenged by skewing. The reception of the satellite signal for an aircraft operating closer to the equator is skewed because of its angle relative to satellites orbiting the earth. “We haven’t yet found a solution that we thought was a 10-year solution. Satellite coverage has not been as robust in South America as North America or Europe, but that is starting to change. It’s something we constantly look at, we want to deliver the right experience in a sustainable way for customers. We haven’t gotten there yet,” said Cary. Copa’s fleet currently sits at 101 total aircraft. The fleet includes 68 Boeing 737-800s, 14 Boeing 737-700s and 19 Embraer-190s, according to the airline’s second quarter earnings report. Cary said that on two of its most recently delivered next-generation aircraft, the airline took a step toward its future streaming strategy. “We did put a streaming IFE product on board because we thought that is the way of the world, and it gives us a chance to get some experience with it and make sure on a small scale it works and customers like it,” said Cary. In 2018, Copa has introduced the Copa Showpass, which allows passengers to access the airline’s library of movies, television shows, magazines and music on mobile devices. The content is accessed via Copa’s onboard Copa Intranet Wi-Fi network, which Copa stresses to passengers is not the same thing as the internet. Using Copa’s mobile application or website, once connected, passengers can stream content from an onboard server. Copa’s Intranet supports Google Chrome and Safari web browsers. The system is being added to all new aircraft being delivered to Copa in 2018 to include the 71 Boeing 737 MAX aircraft it currently has on order. Moving forward, Cary said the airline will continue to consider how it invests in upgrading to in-flight entertainment and eventually internet connectivity in the future. Right now, the airline sees mobile device IFE streaming as sufficient. “It gives passengers the breadth of the content they would get with the seatback IFE, without the extra cost and the maintenance, etc., of the physical hardware in the seat. We like that, and we need to make sure we’re meeting our passenger expectations,” said Cary. Cary also said the airline’s reviews of passenger requests and comments in recent years have not included demand for access to the internet. Continued passenger growth could eventually influence Copa to invest in in-flight internet as well. In the second quarter of 2018, Copa’s passenger servicing revenue increased by 14.1% to $26.1 million as compared to $22.9 million during the same period in 2017.

American Airlines Goes All in on Satellite Connectivity

American Airlines is turning on live television and using a satellite-focused in-flight connectivity model as the centerpiece of its new passenger experience strategy. By the end of 2019, the Texas-based operator of Airbus, Boeing and Embraer jets will have equipped the majority of its fleet with satellite-based connectivity, while featuring live-streaming television on nearly all of its in-service aircraft. American said it currently has 100 aircraft equipped with Gogo 2Ku and free live television across its Airbus A319s and A320s. Beginning in 2019, the airline will add free live television to its aircraft that are equipped with Viasat. All American aircraft feature in-flight internet from Gogo, ViaSat and Panasonic. Keeping multiple service providers and a focus on high-speed internet connectivity that can enable streaming is a major focus for American. Kurt Stache — the SVP for marketing and sales at American Airlines — told reporters at the 2018 International Aviation Forecast Summit how American is taking a flexible approach to hosting multiple service providers on board its aircraft. “By April of next year, every mainline fleet will have satellite-based Wi-Fi,” he said. “Everything but the regional jets will be satellite-based. Our widebodies are mostly Panasonic, and we split the narrow body between Gogo and ViaSat.” The airline is equipping its entire Boeing 737 MAX fleet, a model type for which it has 100 aircraft on order. One fleet of aircraft the carrier has not made a decision on yet is the Boeing 787s it will start receiving next year. Stache sees value in keeping a multi-provider strategy for the fleet, which comprises 950 aircraft and growing, according to its latest financial report. “Between ViaSat and 2Ku, they’re both producing really good results. We don’t see any differences,” said Stache. “Given the size of our fleet, it’s probably not a bad thing to have multiple providers,” he added. “We landed in a really good spot with both ViaSat and Gogo. Panasonic has been [on board] longer, but now with the narrow bodies, we think having two providers is a good thing. ViaSat is larger percentage of narrow body than Gogo.”

A New Business Model?

Another major change that American is making within its in-flight internet strategy is the business model it is using with its internet service provider Gogo. The majority of commercial airlines globally use among three different business models for providing passenger access to internet. An example is wholesale model where the airline pays the internet service provider (ISP) to provide access to internet services for passengers with a custom user interface. This wholesale model is either charged with tiered access to certain internet services and speed levels. American is transitioning to a new model that Stache describes as the airline-pricing model. “The model is changing. Until now, it’s been a commissioned-based model, so Gogo provides the service and we generate the revenue,” said Stache. “Now we’re going to what we call an airline pricing model, so we will pay the cost. We pay Gogo for every connection and then we set the pricing.” American has been seeing a steady increase of the use of its in-flight internet by passengers, according to Stache. One of the primary reasons the airline is focused on using satellite versus air-to-ground connectivity is the increased availability of bandwidth from satellite networks. “We’re seeing more and more take rates. Overall, the pricing will come down. A lot of the pricing in the past was because the pipe was so narrow, it could quickly overload,” said Stache. “The beauty about satellite-based is you don’t have that issue, you have bandwidth for everyone on the airplane so we expect take rates to improve.”

WestJet Exec Highlights Changing Cyber Landscape

The cyber threat to airlines is growing as hackers use more and more sophisticated techniques to gain access to valuable customer data. Devon Smibert, director of cybersecurity at Canadian airline WestJet, spoke at the Aviation Festival in London about the cyber challenges facing an airline such as WestJet. It is very relevant to customers in the satellite sector. Smibert spoke about a baptism of fire he had after joining WestJet in January this year. Smibert joined WestJet Jan. 15 of this year, and on Jan. 21, he already received a call from WestJet’s web operations manager about a denial of service attack targeting WestJet’s rewards platform. “We were getting hundreds of thousands of attacks against our system,” he explained. “We have about 80,000 passengers a day. The attacks were coming from countries we don’t operate in. We had attacks from India and other countries (Russia, Pakistan). We can just block all of the traffic from those countries. But, what happened after that is that the traffic shifted to Mexico, Canada and the U.S. So, we can’t block those. It created a new set of problems for us to solve.” These attacks known as “credential stuffing” attacks show the sophisticated threats that airlines such as WestJet are up against as they look to connect their fleets. Hackers are able to harvest details from previous hacks, get real username and password combinations, and then deploy a really sophisticated credential stuffing attack. For airlines working more with the satellite industry, this is an example of the cyber threat they are likely to encounter. Smibert spoke of the growing sophistication of the hacking threat facing companies in the aerospace sector. He said recent research from a company called Cybersecurity Ventures estimated that revenues from cyber crime have reached $1.5 trillion. Smibert also gave a recent example of a cryptocurrency investor who had $24 million in a single theft drained out of their account. With annual global revenues for the airline industry at $754 billion, Smibert said, the cyber crime industry is double of the airline industry. “Hackers are extremely well-funded, and largely act with impunity,” Smibert said. “A lot of these hackers operate in countries where there is tacit compliance. In North Korea, you have a state that has severe economic sanctions against them and using cyber to generate revenues. It is $1.5 trillion business with very low risk. They are investing heavily in research and development. They act more like tech start-ups rather than an organized crime group. They are able to do very sophisticated things on their own. When we dissected the attack in January, they were using advanced automated orchestration against us. They were leveraging pretty intelligent software to leverage their attacks.” And this is a market that is growing in sophistication and capabilities at a rapid rate. Smibert said there are forecasts that damages from cyber crime could reach $6 trillion by 2021. Smibert cautioned companies in the aerospace sector believe they are unlikely to be targeted by hackers. “A lot of organizations make the mistake that they don’t have anything of value for hackers,” he said. “People say no one would ever target us. …. They will comb the internet for anything of value.” Smibert said having real-time access to data and having collaboration with partners will be absolutely vital. He said this will realize cost savings, leveraging connectivity into IoT devices. But, he said, companies need to understand where the data is going and who has access to it. “You need to make sure you are not opening up access to confidential data,” he added. Buying technology is also getting more complicated and Smibert cautioned airlines when making buying decisions on technology. “The first thing you need to do is engage with your cybersecurity team early on,” he said. “Even with WestJet, someone buys technology and then goes to IT and asks to hook this up and make this work. That is not the right approach. For example, we have actually hit a point terminate a project after six months of effort because the product that this vendor built, if we were to go to market with it, we would be violating GDPR regulations.” Houman Goudarzi, innovation manager at IATA, also spoke at the festival and cautioned airlines regarding how they view AI technology. He said airlines need to have a digital resilience strategy. “Running behind technology is a non-stop battle,” he said. “Being able to adapt to change, rather than running behind the next big thing is the way to go. Airlines need to adopt AI capabilities faster than others. We are seeing from hackathons how easy it is to get access to customer information from airlines.”

EasyJet, JetBlue CEOs Look to AI, IFC

The Aviation Festival kicked off day two in London with three CEOs from major airlines talking about the future of the industry. Although the CEOs did not directly address in-flight connectivity (IFC), airlines admitted that connectivity is key as they look to improve operational efficiency and the passenger experience. EasyJet is one of the world’s leading low-cost airlines, and CEO Johan Lundgren mentioned that the airline aims to be the leading data-driven airline in the world. He also pointed to the fact that airlines could use Amazon as a great example of how to use data effectively. While easyJet is still deciding whether to use satellite or other technologies for IFC, it is clear that airlines will increasingly use connectivity services. “We believe data science will be at the core of our airline,” Lundgrun said. “We need to find out what the new technology is. Artificial intelligence (AI) is about the automated experience. It will be key.” For airlines, generating ancillary revenues is vital. However, Lundgren pointed to the fact that airlines often go about this the wrong way. “The goal of offering a hotel to someone who has flown to the same location 20 times and never booked a hotel with us is probably not a good idea,” he said. EasyJet is also evaluating the possibility of loyalty programs and looking for ways it can reward customers. “Every company needs something where you reward your customers,” Lundgren said. “For us, it is to find ways that are the easyJet way. We need to bring something that has clear benefits for customers. We can certainly do much more before we look at crypto currencies (in this way).” One of the other speakers was Robin Hayes, CEO of JetBlue, a company that has been known for its IFC strategy and has worked with the likes of Viasat to bring a premium IFC service to customers. While JetBlue is known for flying routes across the East Coast of the U.S., the possibility of it becoming a transatlantic long-haul airline seems to be an intriguing possibility. “When we look at Europe, the business class fares are obscene. We can do it for a lot cheaper,” Hayes said. “We have 85 NEOs on order. We have the ability to upgrade those to long-range versions if we want. There is a notice period if we want to upgrade. We haven’t taken a final decision on whether we will [expand internationally].” Hayes said it is key for airlines like JetBlue to try and transform the buying experience for customers, as it does with its Digital 2020 project. The company also invests significantly in technology, as it has in setting up a subsidiary called Tech Ventures. “A lot of people are hiring data scientists. Does blockchain have a role to play in loyalty programs, for example? We have so much data,” Hayes said. “How do we take that and use it in an appropriate way? What is a data lake? We are at the beginning of that. We have built up our data science teams. It is still very early on.” Wow Air CEO Skuli Mogensen said airlines can learn from the gaming industry, in terms of how they deal with simultaneous users, for example. He also talked about how to use connectivity going forward. “We have $57 from customers from ancillary revenue,” he added. “We would like to get that up to $100. We want to empower our passengers to become our brand ambassadors.” While airlines look to modernize, IFC will be at the heart of this engagement. JetBlue is already one of the leaders in IFC, and easyJet has been conducting a trial this year. It remains to be seen how quickly airlines will transform themselves and what role satellite powered IFC will have in this transformation. It will be a key question for many going forward.