
Foreign aircraft, domestic risks

Disclaimer: The content presented in this article is based solely on publicly available, unclassified information and open-source research. It does not draw upon any classified or proprietary data. The analysis is intended solely as a technical thought exercise to explore potential cybersecurity concerns in the context of legacy aircraft systems and industrial control system analogies. This article also does not represent official policy, guidance or recommendations of any government or agency, nor is it intended to inform acquisition, security policy or national defense decision-making. All opinions expressed are those of the author in a personal capacity.

I recently attended an Industrial Control System (ICS) Cybersecurity conference, where we learned how to use information technology (IT) cybersecurity methods and tools to address operational technology (OT) security. It dawned on me that the basic design of aircraft control systems is similar to the OT systems we had just learned about.

Cybersecurity professionals are increasingly asked to secure systems that were never designed for modern threats. Inspired by news of the US government evaluating a foreign-donated Boeing 747-8 for use as Air Force One (AF1), I felt that the retrofit of a legacy aircraft for national security use offers a unique lens into the IT/OT convergence problem, and into why physical access and legacy protocols must now be treated as front-line risks.

Daniel Hoffman

Legacy aircraft, modern risk

While the 747-8 is a technological leap beyond its predecessor, the 747-400, it still retains legacy protocols and architectures that introduce risk, especially when repurposed for top-tier national security missions. Many of these aircraft systems resemble industrial control systems (ICS), such as those used in critical infrastructure. Like legacy supervisory control and data acquisition (SCADA) systems, aircraft avionics often assume trusted internal communication, a trust model that is not sufficient in today's threat landscape.

In factory settings, these systems were often "air-gapped": they were isolated from other networks as a line of defense, and only staff were allowed physical access. Aircraft evolved similarly. One of the main lines of defense was burying the cabling and components in the fuselage where unauthorized personnel could not reach them.

Since the plane we are assessing was retrofitted abroad, we must assume that there is potential for implanted, dormant devices or tampering with common devices.


Key vulnerabilities exposed

Threat type | Impact | Activation method | Detection method
Hardware implants | Engine/control sabotage | RF trigger, preset logic | X-ray, teardown
Firmware backdoors | Navigation/system override | GPS/time-triggered code | Reverse engineering
Cold-state trackers | Location exfiltration | Altitude- or temperature-based | Environmental simulation
Radar-based exfiltration | Covert data leaks | Waveform modulation | Anomaly/radar signal analysis
SATCOM hijack | Comms interception | RF signal hijacking | Spectrum monitoring, validation
Toolchain exploits | Persistent access | Malicious diagnostic tools | Source and firmware audits
MitM on avionics buses | Command injection, replay attacks | Cable tapping/spoofing | Signal integrity/timing analysis
Cellular subsystems | Audio or GPS leakage | Dormant baseband payloads | Spectrum forensics, teardown

Condensed threat matrix

Legacy protocols create new attack surfaces

One of the banes of the OT world is the reliance on legacy technology that cannot easily be patched or upgraded without causing major disruptions. Similarly, the Boeing 747-8 employs a hybrid bus architecture. While it integrates modern flight management technologies like the Thales TopFlight Flight Management System (FMS), many subsystems still rely on ARINC 429 and MIL-STD-1553, protocols that lack authentication and encryption.

As discussed in arXiv:1707.05032, this can leave vulnerabilities such as code injection and manipulation, data injection, data leakage and DoS. Even the newer Ethernet-based systems using AFDX (ARINC 664) lack cryptographic safeguards. As noted above, the 747 has traditionally relied on physical controls such as restricted physical accessibility. In this case, that control has already been compromised.

These channels expose the aircraft to MitM, spoofing and replay attacks, particularly during retrofitting or maintenance cycles. Ukwandu et al. (2022) highlight the avionics industry's slow adoption of secure protocols. In industrial control environments, encryption overlays can mitigate similar threats, but latency concerns make this approach difficult to apply to real-time flight systems, where added latency could have serious consequences due to delayed flight control response.
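Because ARINC 429 carries no authentication, a defender's fallback is the "signal integrity/timing analysis" the threat matrix lists for bus MitM: decode every word from a bus tap and check it against what the bus is supposed to carry. The Python monitor below is an added illustration, not code from this article or from any avionics vendor; it flags odd-parity failures, labels outside an expected set, and words arriving far faster than their scheduled rate (the signature of injection or replay). The label set, the 50 ms periods and the captured words are constructed assumptions, not values from any real aircraft interface control document.

```python
# Constructed policy (assumed, not from any real ICD): expected label -> period ms
POLICY = {0o310: 50, 0o311: 50}   # assumed: latitude / longitude at 50 ms

def _rev8(b):
    """ARINC 429 sends the label MSB-first in bits 1-8, so reverse the byte."""
    return int(f"{b & 0xFF:08b}"[::-1], 2)

def build_word(label, sdi, data, ssm):
    """Assemble a 32-bit word with correct odd parity (used to build samples)."""
    w = _rev8(label) | (sdi & 3) << 8 | (data & 0x7FFFF) << 10 | (ssm & 3) << 29
    if bin(w).count("1") % 2 == 0:
        w |= 1 << 31                 # bit 32 is the odd-parity bit
    return w

def decode(word):
    return {
        "label": _rev8(word & 0xFF),
        "sdi": (word >> 8) & 3,
        "data": (word >> 10) & 0x7FFFF,
        "ssm": (word >> 29) & 3,
        "parity_ok": bin(word).count("1") % 2 == 1,
    }

def analyze(samples, policy=POLICY, tolerance=0.5):
    """samples: list of (timestamp_ms, word). Returns (t, alert, label) tuples."""
    alerts, last_seen = [], {}
    for t, word in samples:
        f = decode(word)
        lbl = f["label"]
        if not f["parity_ok"]:
            alerts.append((t, "parity", lbl))             # noise or tampering
            continue
        if lbl not in policy:
            alerts.append((t, "unexpected_label", lbl))   # injected label
            continue
        if lbl in last_seen and t - last_seen[lbl] < policy[lbl] * tolerance:
            alerts.append((t, "timing", lbl))             # burst: injection/replay
        last_seen[lbl] = t
    return alerts

# Constructed capture: good words, a corrupted one, an unknown label, then a replay burst.
SAMPLE = [
    (0, build_word(0o310, 0, 0x12345, 3)),
    (50, build_word(0o310, 0, 0x12346, 3)),
    (100, build_word(0o310, 0, 0x12347, 3) ^ 1 << 15),   # parity corrupted
    (120, build_word(0o377, 0, 0x00001, 3)),             # label not in policy
    (150, build_word(0o310, 0, 0x12348, 3)),
    (152, build_word(0o310, 0, 0x12345, 3)),             # replayed word from t=0
    (154, build_word(0o310, 0, 0x12346, 3)),             # replayed word from t=50
]
```

Running `analyze(SAMPLE)` yields one parity alert, one unexpected-label alert and two timing alerts; on a real tap the policy would be generated from the ICD and the timestamps from the capture hardware.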

[Figure: Graphic visualizing IT/OT convergence. Credit: Daniel Hoffman]

Implants hidden during retrofit

Physical access during retrofitting introduces further opportunities for adversaries: embedding covert implants, often designed to activate under specific environmental triggers. Munro (2020) outlines scenarios in which miniature computers (e.g., Raspberry Pi-class) are concealed inside avionics bays or power rails, undetectable without teardown, signal analysis or x-ray. These devices can be used for a variety of purposes.


Implants and embedded surveillance

Surveillance implants can be introduced during retrofit, as mentioned above. Devices such as passive RF microphones, compromised baseband transceivers or altered inflight entertainment systems could capture sensitive audio or telemetry. Habler, Bitton and Shabtai (2022) show how these systems resist conventional detection methods, making post-deployment audits extremely difficult. These implants evade standard EM sweeps and require teardown or x-ray inspection for detection.

Surveillance threat vectors

  • Passive RF microphones. These devices can harvest ambient audio and transmit it using harvested electromagnetic energy, making them extremely hard to detect with traditional EM sweeps.
  • Compromised baseband transceivers. These are found in satellite phones, LTE modems or embedded SIMs and can silently leak GPS coordinates, conversations or system data.
  • Tampered inflight entertainment systems (IFE). IFEs may appear benign but often sit on segmented yet accessible network backplanes. If compromised, they can bridge passenger interfaces with avionics.

Non-traditional data exfiltration channels

When it comes to data exfiltration in a traditional IT/OT environment, we often rely on catching it on the way out by monitoring the transmission methods. That becomes much more complex on our 747. Radar emission modulation has been identified as a viable vector for stealth exfiltration. As outlined in NSA TEMPEST guidance (2023), such methods mimic normal behavior and evade detection. Additional pathways include SATCOM hijacking, Bluetooth beacons and optical LED flicker, all under-monitored in legacy aircraft. In hardening this plane for use as AF1, we will need to consider these routes.

The supply chain as a soft target

The aviation supply chain continues to present a significant cybersecurity risk. Critical components such as firmware, diagnostic utilities and maintenance procedures may be altered or compromised during manufacturing or integration, especially when foreign vendors are involved. The risk of malicious implants or latent, persistent vulnerabilities being introduced upstream is amplified by limited supplier visibility and inadequate cybersecurity controls across tiers (Aerospace Industries Association, 2023).

A widely cited example is the 2020 SolarWinds breach, in which attackers compromised the Orion software update system to distribute malware to more than 18,000 organizations, including US federal agencies and Fortune 500 companies. The incident revealed how deeply embedded vulnerabilities in trusted vendor pipelines can bypass perimeter defenses and persist for months.


Interior compromise

Cabin interiors present significant risks, particularly on classified missions. Seats, partitions and power outlets could conceal passive surveillance devices or logic circuits.

To align with SCIF and TEMPEST standards, best practices demand:

  • Full teardown and rebuild of interior components
  • X-ray and RF scanning of structural cavities
  • Chain-of-custody validation for all replacements
  • RF shielding and acoustic integrity testing

Standards like RTCA DO-355, DO-356A and CNSSAM TEMPEST/1-13 are essential to meeting executive transport and Continuity-of-Government mandates (Baker, Arlen & Parkinson, Paul, 2018).

Hardening retrofitted aircraft: actionable steps

  • Apply RTCA and NIST best practices. Standards such as RTCA DO-355/356A and NIST SP 800-53 offer lifecycle risk frameworks, encryption recommendations and audit mechanisms. Though full-stack encryption may be infeasible, tailored implementations can reduce the attack surface without compromising performance.
  • Validate every subsystem. Every avionics and support subsystem must undergo teardown, high-resolution imaging and verification against trusted baselines. Components that fail this scrutiny should be replaced with certified domestic equivalents.
  • Secure the toolchain. Vendors must meet DFARS cybersecurity requirements and ideally CMMC Level 2 or higher. Firmware developers and diagnostic engineers must operate within a verified secure development lifecycle (SDLC).
  • Implement persistent telemetry and monitoring. Static scans are insufficient. Ongoing network behavior analysis, anomaly detection and forensic auditing are essential. This aligns with DoD recommendations in the 2023 Airborne Systems Cost Estimating Guide.

Cost and acquisition realities

While a donated airframe may seem economical, retrofitting costs can match or exceed new aircraft procurement. DoD and GAO benchmarks show that secure retrofits could cost hundreds of millions and still fall short of purpose-built assurances.

Domestic control still matters

Residual risk persists with foreign-origin systems, even after exhaustive review. This underlines the rationale behind the VC-25B (Next AF1) procurement, a platform built domestically under secure conditions. The project was slated for completion in 2024; Boeing now estimates 2027-2028. That would still put delivery in line with, or ahead of, a retrofit project, which could take 2-4 years according to Defense One and Aviation Source News.

For a look at what would go into trying to secure this plane, read a sample blue team playbook.

Conclusion: A playbook for IT/OT convergence

This scenario serves as a high-stakes case study in securing legacy cyber-physical systems. Cybersecurity leaders will increasingly face unconventional challenges. Whether it's a power plant, a legacy fleet or a retrofitted aircraft, those who can bridge the IT and OT worlds will shape the future of security strategy.

This article is published as part of the Foundry Expert Contributor Network.