Airlines and airports are investing to deliver secure and easy travel for passengers, with biometric technology a key priority.
This is according to research released by global IT provider SITA. The SITA 2018 Air Transport IT Insights show how biometrics are being incorporated into the evolution of self-service at the world’s airports.
Over the next three years, 77% of airports and 71% airlines are planning major programs or research and design in biometric ID management.
Barbara Dalibard, CEO, SITA, said: “Secure and seamless travel is a must for the air transport industry. It is encouraging to see that both airlines and airports are investing in biometric technology to deliver a secure, paperless way to identify passengers across multiple steps of the journey. We have already seen great success where we have implemented it at airports across the world.
“As the research shows, integration causes challenges and the variety of legislative demands can be daunting for airlines and airports. To deliver a seamless passenger experience, we must all collaborate – airlines, airports, governments and industry suppliers – and use technology to automate, and even eliminate, tedious processes. We achieve the best results when we work together, this has been most apparent when we incorporate secure biometrics into the passenger journey.”
SITA already delivers identity management solutions, including biometric systems, that eliminate the need for manual checks. These improve the passenger experience while helping airlines and airports across the world meet the variety of regulations from Governments and border agencies.
The most common of these is identity verification at self-service check-in kiosks. This is already in use at 41% of airports and 74% have plans to deploy the technology by the end of 2021. Self-boarding gates using biometrics with ID documentation, such as a passport, are also set to become commonplace over the next three years, with 59% of airports and 63% of airlines expecting to use them.
Aviation security challenges that could cause more than just a bumpy ride if overlooked
Nitha Rachel Suresh, Cyber Security Consultant at Synopsys, explores some of the key aviation security challenges and how to address them to move proactively toward a more secure future.
The aviation industry isn’t any more immune to critical cybersecurity risks than any other industry. That’s rather unsettling when you consider what the implications of a malicious attack on an aeroplane full of people could mean.
Sure, it may sound far-fetched to imagine an aeroplane’s highly complex systems being hacked all at once to bring such an event to life. However, an attacker with deep knowledge of aviation systems could intentionally cause serious issues with the aeroplane’s intended operations.
Due to the complexity of aircraft systems, through the years, the size of the software supporting those systems has grown exponentially. There are millions of lines of code involved in avionics systems. If not regularly tested for vulnerabilities, severe security threats can arise. That’s easier said than done when considering that the complexity of these systems can lower the testability of software; thus, leaving behind many vulnerabilities that could potentially be exploited.
Over the lifecycle of an aircraft, it will go through multiple phases of overhaul and updates. The associated software must also undergo appropriate changes. Unless this job is carried out with extreme caution, there is a great deal of potential for security bugs to creep into the software.
Let’s take a few minutes to consider the attack surface. Modern avionics software development often uses commercial off-the-shelf (COTS) components to some extent. An attacker could, in theory, tunnel through such components to enter the heart of the system. This is a key consideration in the realm of security. The utilisation of COTS technologies has also brought about more software exposure within the public domain. The aviation industry is an excellent example of how the concept of security through obscurity is becoming increasingly outdated.
Avionics software has traditionally relied heavily on the secrecy of its development process. COTS has ensured that this is no longer the case. As such, software vendors must plug loopholes as they would with any other open architecture.
We must also consider the array of hardware and software components implemented from various sources. Conducting the appropriate level of vetting of each for security threats is a massive undertaking. Currently, third-party vulnerability assessments are not a common practice with regards to aviation security. To ensure secure development, this gap must be filled.
Additionally, major development standards don’t have detailed cybersecurity policies – as of now, at least. The ASISP 2015 initiative by the FAA, however, is a move in the right direction.
The immediate need for change
In the 2008 crash of Spanair flight 5022, it was discovered that a central computer system used to monitor technical problems in the aircraft was infected with malware.
An internal report issued by the airline revealed the infected computer failed to detect three technical problems with the aircraft, which if detected, may have prevented the plane from taking off.
The malware was found to be trojan horse. In 2010, the FAA published a notice indicating that some computer systems on the Boeing 747-8 and 747-8F may be vulnerable to outside attacks due to the nature of their connectivity. In 2016, Reuben Santamarta demonstrated that attacks such as bypassing the credit card check and SQL injection can be conducted on an in-flight entertainment system.
These are only three examples illustrating what could happen when software vulnerabilities go unresolved. So how do we fix the problem?
The way forward
To overcome the widespread challenges, the industry must understand and proactively work to defend the attack surface. There should be a common repository of threats to both hardware and software detected by the developers and/or assessors. This needs to be maintained by regulatory agencies like the FAA and should also be available across different development platforms.
Development teams should be able to compile all known threats to build a threat model. Within this threat model, there should be information about threats that exclusively affect the product or piece of software at hand. A security risk assessment model should be built to effectively prevent, identify, detect, respond and recover from the security challenges that the aviation industry is facing.
Each failure is a lesson to be learned. It is of great importance not to waste those lessons by forgetting them. Threats and attacks should be logged and made available to all avionics security personnel. A-ISAC is one such organisation which can provide intelligence on aviation security threats.
In the best-case scenario, security considerations should be built into the earliest phases of design, even before requirements analysis. Software architecture teams should consider the potential threats faced during the software life cycle. This will help in providing reliable and robust software.
It is becoming ever-more critical to have a well-established cybersecurity policy accepted by all leading manufacturers in place along with the accepted avionics standards. The observance of such policy should be mandatory for all civil aircrafts.