Keeping step with developments in civil aircraft, military aircraft are increasingly embracing digital technologies and relying on a plethora of connections to ground-based systems. While this hyper-connectivity provides a solution to vital operational requirements, it is also a source of new cyber-vulnerabilities. What are these? And what defences are available? We take a bird’s-eye view in this cyber paper.
The date: August 2018. The Secretary of the US Air Force, Will Roper, bluntly states to the national press: “One of our planes could be taken out with just a few keystrokes.” This shocking admission comes in the wake of an experiment conducted by the Pentagon, in which groups of “white hat” hackers were tasked with hacking into the onboard systems of the US Air Force’s F-15. And they achieved their goal: the (theoretical) possibility of bringing down a warplane in mid-air. “This hack is also the result of decades of neglect of cybersecurity by the US Air Force,” Will Roper admits.
Hyper connectivity equals efficiency… and vulnerability
Naturally, the technical details of this hacking were not disclosed, and remain highly confidential. However, the reason these “white hats” were able to hack into such a critical fighter aircraft is that – in common with many other planes – the F-15 is now highly digital and connected. “The software in modern fighter aircraft is based on millions of lines of code. If this program code were to be printed out, it would create a pile of paper more than 10 metres high,” explains Matthias Bertram, deputy sub-project manager for engineering in the “New Fighter Aircraft” project in Switzerland, in an interview.
The question of cyber protection for fighter aircraft is a real concern in Switzerland, which intends to acquire new American F-35s in the near future. These warbirds are presented as being ultra-modern, yet they have also been criticised for their large digital attack surface. These aircraft are therefore a textbook example of the cyber-threats to which an aircraft of this strategic importance may be exposed today. In a report by the French Institute of International Relations (IFRI) on the French military’s efforts to address cyber risks, three of the F-35’s major subsystems are identified as problematic: target recognition software, predictive maintenance software for the aircraft, and the flight simulators for this aircraft. The first sub-system, the Joint Reprogramming Enterprise, compiles a large number of known signatures for existing combat aircraft and enables the automatic detection and identification of nearby threats (tanks, drones, etc.). This provides pilots with crucial information, helping them to make tactical decisions in real time. The problem is that “by tampering with its updates, hackers could introduce false data into the system to make certain targets undetectable, or to fool the firing system.” The second problematic sub-system, theAutonomic Logistics Information System, is another on-board program. Its purpose is to improve the aircraft’s predictive maintenance capabilities by self-assessing the state of wear of some of its components. By transmitting this information flow to Lockheed Martin headquarters (the aircraft’s manufacturer), it is possible to obtain replacement parts ahead of potential failures, thus optimising the availability of the aircraft – a significant advantage in a conflict situation. However, were this data flow to be intercepted, experts fear that it could “inform potential enemies about the structure of the aircraft and the content of its missions.” Finally, before ever leaving the ground, F-35 pilots are trained on flight simulators – a third problematic sub-system. These simulators are extremely advanced, and are programmed to deliver an ultra-realistic pilot experience. However, they are also highly connected (particularly for maintenance purposes) and, if hacked, could enable cyber-enemies to “deduce key information about how the fighters operate.”
These various vulnerabilities highlight the cyber-risks accompanying data exchange between aircraft and ground infrastructure. However, “in the military sphere, we try to minimise such connections, which also provide threat vectors for the aircraft,” explains Airbus security architect Alain Mingam. But contemporary operational realities require communications with the ground to be available, while offering appropriate security measures. “Over the past 15 years, the military aviation industry has become aware of this weakness. “For several decades, operational safety has been strongly integrated into the aircraft development process,” says Christopher Cachelou, a Pre-Sales Engineer specialising in the defence sector at Stormshield. “It relies on a functional risk analysis to ensure that the device operates correctly, both in hardware and software terms. Product cybersecurity is much more recent and less well integrated into the development process. It is also based on a risk analysis, but cyber risk in this case – as, for example, with the EBIOS method.” Mingam confirms this state of affairs, both in military and civil aviation. “What with ACARS (for flight operations management, air traffic control and maintenance), FOMAX (for predictive maintenance) and in-flight entertainment (IFE) systems, the number of digital tools that communicate with the ground are much greater in civil aviation, and they have been around for much longer.” Contrary to what one might be tempted to think, the civilian industry in fact often paves the way for the military industry in terms of cyber security. For example, the A400M (military transport aircraft) designed by Airbus and proposed to the European Organisation for Joint Armament Cooperation Organisation (OCCAR) is said to have benefited greatly from the cyber protection studies carried out for the A380.
Could we see cyber-warfare in the air?
The secretive and poorly-documented nature of cyber-warfare automatically means that the number of studies of the cyber threat in the military domain is limited. However, it is interesting to note the number of cyberattacks against civil aircraft and infrastructure. According to the European Aviation Safety Agency (EASA), this figure has exceeded 1,000 attacks per month on average since 2016.
And although the information regarding the F-15 was obtained from pentesting, there have already been reports of (more or less successful) hacks against military aircraft from several different countries. In 2009, computers at Villacoublay Air Force Base 107 were infected by the Conficker virus, which is thought to have spread via non-updated Windows workstations. Several Rafales were actually grounded for two days, according to a confidential letter sent to the Intelligence Online website. Some classified documents revealed by Edward Snowden also showed that US and UK intelligence services had been able to intercept and decrypt video feeds from Israeli aerial drones and F-16 fighters, providing them with important tactical information on the fringes of geopolitical tensions in Iran. At the same time, the IFRI report recounts testimony from the former head of French cyber-defence, Rear Admiral Arnaud Coustillière, explaining that a French Harfang drone had fallen victim to a hijacking attempt in Afghanistan. The attack eventually failed, but is said nonetheless to have disrupted the aircraft’s mission.
Lastly, the sensitive data stored within the ground infrastructure is also a prized target. In 2017, almost 30 GB of commercial (but unclassified) data related to Australian defence programmes was exfiltrated in a cyber-attack on a government contractor. Another example came in 2020 when Leonardo, one of the main European aerospace industrial groups (of Italian origin) noticed an abnormal flow of data leaving its systems, and alerted the Italian authorities. The investigation determined that one of the hacked computers contained classified information about the experimental “nEUROn” project. Under French control since 2012, its aim is to design a new European military defence aircraft. More recently, a group of cybercriminals posted the technical details of the Swedish-Canadian Globaleye (a military surveillance and intelligence aircraft) on the dark web. This information appears to have been collected from the systems of Bombardier, the Canadian manufacturer involved in the manufacture of the aircraft.
Although rare, the threat of digital hijacking of military equipment is taken very seriously by all nations that operate such devices. In France, the army has already established a contingent of 1,100 cyber fighters, which will be bolstered by 5,000 additional personnel in 2025, divided between the armed forces, the French General Directorate of Armaments (DGA) and the French foreign intelligence service (DGSE). Is this simply in anticipation of a cyber-war? No, according to Air Force Brigadier General Didier Tisseyre, Deputy Director of the Comcyber Command Centre, as reported by IFRI: “We have already conducted cyber attacks in theatres of operation in which the French army is engaged, such as in the Levant and Sahel regions. This may involve intercepting intelligence prior to an operation, decoying anti-aircraft radar or immobilising enemy defences.”
Evasive action: what are the options?
Cyber protection for combat aircraft is therefore a highly sensitive issue. In theory, protecting a combat aircraft from cyber threats is similar to protecting any terminal connected to a civilian network, as Bertram points out. For further protection in the military sphere, an aircraft-level functional breakdown is carried out in conjunction with a safety impact analysis, in particular through a document called “Functional Hazard Assessments” (FHAs). “This is what enables us to precisely map the various functions of the equipment and the potential consequences in the event of a malfunction,” Mingam explains. We can then review the digital attack vectors that could potentially disrupt them, identify an associated risk and deduce the security components that need to be placed in the path of the potential attacker to make the risk acceptable. ”
But what are the requirements in this area? In France, both civilian and private operators of vital importance must comply with the cybersecurity requirements set out in Article 22 of France’s Military Planning Law. These requirements cover both the organisational processes and technological solutions to be implemented to secure physical and digital infrastructure. At European level, the NIS Directive includes a number of air transport sector operators in the list of Essential Service Operators.
From an organisational point of view, general security for a combat aircraft is based on a combination of three complementary systems:
- groundinfrastructure security: this is the responsibility of the site manager, and consists of securing bases, airports, command centres and other military (and civilian) structures essential to the day-to-day operation of military equipment;
- information systems and network infrastructure security (ISS): this is provided by the OSSI, and is traditionally covered by an IT security charter which governs operating processes, the rights of military and civilian employees and personnel to access and view digital resources, etc;
- product security: this is the responsibility of the Product Security Officer (PSO), involving all hardware and software solutions directly fitted to the product concerned (in this case, the combat aircraft) to bring it up to the required security standards.
In terms of products, Bertram mentions – by way of example – the use of firewalls providing “signatures, encryption, role-based access, virus scanners and real-time analysis of running systems.” These solutions must also be designed to withstand extreme physical conditions (temperature, pressure, shock, etc.) to make it possible to monitor the equipment in its various environments.
And what about tomorrow?
Military aircraft must now be created as “cybersecure by design”. If this is the case in the future, another question arises: how to maintain sufficient protection throughout the life cycle of the equipment? An average fighter aircraft has a lifespan of 30 years. At the breakneck speed at which the digital world is evolving, tomorrow’s cyber threats will be drastically different from today’s. In response to this problem, manufacturers are adding a security maintenance service (or MCS) to their operational maintenance (MCO) services. “The MCO ensures that the aircraft is maintained in operational condition throughout its life cycle,” Cachelou explains. “At the same time, the MCS ensures that the aircraft is maintained in a secure condition throughout its life cycle. It ensures that the aircraft is constantly upgraded to the appropriate security levels in the face of constantly changing cyber risks and threats.” For example, it is believed to have been the addition of new digital features, coupled with a lack of cyber security updates, that made the US F-15 vulnerable.
Alain Mingam takes us a step further into the future. Whereas cybersecurity is currently thought of as a series of barriers aimed at preventing or slowing any attempted cyberattack, manufacturers and publishers are planning future responses. “We are implementing protection systems; but no protection is impenetrable, so we have to come up with something else.” What if these protections were able to react and evolve to better respond to an offensive; or could even enable the defender to counter-attack? “Our cyber defence component is dedicated to this issue, and we are devising architectures consisting of monitoring devices and reaction capabilities. We are moving towards real-time electronic defence processes.” In such a war, just as in a “real” war, cybersecurity would no longer be a question of just taking the hits, but also returning them.
