To understand Santamarta’s work—and Boeing’s subsequent refutation—you need to know a little about the electronic networks aboard e-Enabled aircraft. Airlines and manufacturers—through the Radio Technical Commission for Aeronautics (RTCA), a consortium that develops engineering standards—agree to organize onboard networks into three, isolated domains. The Aircraft Control Domain, which includes avionics and flight controls, is the holy of holies. Only the pilots can access it. The Airline Information Service Domain, which includes the information and management systems Santamarta claimed he could reach, provides information to the pilots—in some aircraft models, through something known as an electronic flight bag, a digital edition of all the old paper sectional charts, terminal procedures, and flight-regime calculations that pilots used to lug around in black leather flight bags. This domain includes a system that reports engine health measurements as well as system performance problems to an airline’s maintenance crews, by satellite link in flight, before the airplane lands. The third domain is the Passenger Information and Entertainment Services Domain, which contains the videos and ground tracks that passengers watch from their seats in the cabin. By industry standards and by Federal Aviation Administration regulation, these three domains must not share data pathways, and all three must be hardened against cyberattack.

Aircraft makers are continually updating and upgrading onboard systems. They have to if they are to stay ahead of the bad guys, said Joel Otto, an executive at Collins Aerospace, a supplier of avionics and integrated systems in airliners. Otto, who has spent more than 30 years designing and building avionics for aircraft, said the avionics on commercial airliners are constantly being hardened against cyberattack. Data pathways, for example, are made one-way: Data can reach the passenger cabin but data from the cabin can’t be transmitted in the other direction. Onboard networks have firewalls and layers; to infiltrate, an attacker must get through concentric shells of protection that use varied security controls at each level.

The direction of data flow is also controlled by hardware like routers and switches. Automated systems include switches that determine when they are activated. A recent U.S. Government Accountability Office report on aircraft cyber­security gives an example: “Airplanes use a weight switch in the wheels to verify that an airplane is on the ground before it will allow software changes to be uploaded to an airplane’s avionics systems. Such a system prevents software changes while an airplane is in flight.”

“We have begun to think of security as a process parallel to safety,” Otto said. “This process spans the entire lifecycle of a product.”

In 2019, when Santamarta described the attack paths into Boeing’s onboard networks, IOActive reported his findings to Boeing and its suppliers, A-ISAC, and several federal agencies before Santamarta sounded the alarm. “We take all these claims seriously,” says Vanguardia. “We spent several months in our labs really digging into this, and we did testing on an aircraft. We’re design engineers, and we know the system really well. Ruben didn’t have access to all the aircraft systems that we do.” Boeing concluded that the paths Santamarta theorized were not exploitable.

“We presented our findings community-wide to get a second level of check,” says Vanguardia. “We wanted third-party attestation to make sure that we weren’t missing anything.” Boeing also reported its test results—and its suppliers’ test results—to the FAA and the Department of Homeland Security (DHS). Boeing also shared its conclusion with IOActive before the Black Hat conference, but Santamarta went forward with his presentation. “IOActive disagreed with Boeing’s conclusion, which gave no details of controls that would prevent exploitation,” says John Sheehy, senior vice president for research and strategy.

Santamarta’s bombshell was costly for the airplane maker. “That was a big disruption,” says Vanguardia. “We pulled so many people off of design projects. Three or four months of airplane and lab testing. It was a multi-million-dollar effort.”

Claims of vulnerabilities in Boeing systems increased after the well-publicized FBI investigation of Chris Roberts, who in 2015 tweeted from a 737 in flight that he was tampering with its systems. Roberts says that before this incident, he had alerted the airlines to these flaws and gotten nowhere. Since that time, cyberattacks on airports, hospitals, businesses, and government systems have grown more frequent and more serious. The Center for Strategic and International Studies tallied 34 significant cyber events in 2015. (The Washington, D.C.-based think tank uses the term “significant” to describe attacks “on government agencies, defense and high-tech companies, or economic crimes with losses of more than a million dollars.”) For the last three years beginning in 2017, CSIS has counted more than 100. Boeing itself was the victim of a ransomware virus in March 2018 that exploited a vulnerability in a version of Microsoft Windows software. A spokesperson told news outlets that remediation was quickly applied and limited the damage to the few affected systems at the South Carolina production facility. (It was not serious enough to interrupt production.)

“When something big happens due to a lapse of cybersecurity, people will be asking how we got there,” says Carl Herberger, a former B-52 pilot and vice president of the cybersecurity firm RadWare. “I really believe it is kind of a 9/11 thing.”

As cyberattacks increase, so do the defensive actions taken by government and industry, notably within aviation. In October 2019, the International Civil Aviation Organization (ICAO) published its first Aviation Cybersecurity Strategy, which recommended planning for cyber incidents, information sharing as a means of prevention, and increased vigilance. “It is critically important that the civil aviation sector takes tangible steps to increase the number of personnel that are qualified and knowledgeable in both aviation and cybersecurity,” the ICAO stated.

Last year in the United States, the administration established an Aviation Cybersecurity Initiative task force with representatives from DHS, the FAA, and the Department of Defense (DoD). The task force focuses not just on airliners but on what its three chairpersons call “the aviation ecosystem.” It includes airports, air traffic control, airlift and cargo operations, airlines, and the employees who work in all these areas.

Alan Burke, the task force DoD chairperson, says that in 2017, there was a change among security experts in the perception of risk. The change came in the wake of NotPetya, an encryption virus that denied access to everything on the computers it infected. NotPetya first targeted Ukrainian infrastructure—power companies, airports, and public transportation—but, as a Wired reporter wrote, “its blast radius was the entire world.” It shut down the port terminals of Danish shipping concern Maersk for two days, costing the company $300 million. What was most frightening about NotPetya was that it wasn’t ransomware, as its forerunner Petya was. If Petya encrypted a computer’s files, the user could pay an amount in bitcoin to have them unencrypted. NotPetya gave its victims no remedy. Its only purpose was to cause havoc.

“The NotPetya attack on the maritime sector was a big eye opener for many in the Department of Defense,” says Burke. “I know of more than one senior leader who [uses] the example of the Maersk attack to demonstrate that the cyberthreat is real.”

To bolster their lines of defense against the cyberthreat, some in the aviation industry have begun a new approach. At the Aviation-ISAC virtual summit last September, Mike Vanguardia called Boeing’s 2019 experience with Santamarta a turning point. In a presentation he called “Operation Reverse Thrust,” Vanguardia described Boeing’s new Security Researcher Technical Council, which brings researchers together with Boeing engineers to cooperate on strategies to defend against evolving cyberthreats.

“By working together we’re hoping the researchers will give us a unique perspective on attacks into our platforms,” he says. “We’ve also seen that a lot of these folks just really want to help make our industry better, safer, and more secure.”

Boeing has also instituted a vulnerability disclosure program and a website for security researchers to report potential vulnerabilities directly to the company. Randy Talley is the DHS chairman on the aviation cybersecurity task force. Noting Boeing’s new programs, Talley says he’s seen a “tremendous change over the past two years” in the attitudes of airlines, manufacturers, and suppliers. “At the Aviation-ISAC Summit in Barcelona last year,” says Alan Burke, “[we learned] that less than 10 percent of the companies at the summit had a program of cyber vulnerability disclosure. We can encourage avionics companies to work together and report vulnerabilities when they are discovered. It helps strengthen the herd.”

Reporting software vulnerabilities requires trust; design and data are proprietary. But the threat outside the aviation industry is forcing companies to focus less on the threat inside.

Boeing continues the industry-wide practice of wargaming, both to rehearse responses in case the worst happens and to simulate exercises aimed at defending aircraft from cyberattack. In these exercises, a “blue team” defends an asset, while a “red team” tries to invade it. In one of the exercises Vanguardia conducted, he put avionics subject matter experts and pilots on the blue team. “We studied the robustness of the airplane’s position, navigation, and timing systems. We looked at points of weakness: Is it a network interface? Is it [data traveling] over radio frequency? How would I attempt to send bad data?” Bad data could make a pilot believe her aircraft is in a position different from its actual position, at a higher or lower altitude in its landing approach, for example. The defenders search for the system to protect the airplane from that scenario. “But we would search also to see if an attack would be discoverable and to see how the pilot would react,” says Vanguardia.

Another safeguard against a cyberattack on U.S. airliners is the oversight of the FAA. An October 2020 report by the U.S. Government Accountability Office, however, concluded that the FAA “is not providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes.” The FAA has not been absent, and the GAO acknowledges that the agency has established cybersecurity requirements for airframe manufacturers as part of the certification process and that it continues to monitor airlines to make sure they adhere to security programs. But those security programs are ones the airlines themselves have created, based on the manufacturers’ recommendations. “Industry stakeholders across the aviation sector expressed concern that FAA lacks personnel with cybersecurity expertise,” the GAO reported; the agency recommended that the FAA institute training programs and develop guidance for the industry on the periodic testing of airliners, among other measures.

At the same time, the Aviation Cybersecurity Initiative task force has as one of its goals to improve the “confidentiality and integrity” of aviation transponder data; in other words, to decide how to deal with ADS-B.

The Automatic Dependent Surveillance-Broadcast system, ADS-B, is the satellite-based successor to the ground-based radar that has been the foundation of air traffic control for at least half a century. As of last year, all aircraft in the U.S. national airspace are required to continually broadcast their position and speed—information gleaned from GPS satellites—so that controllers and other aircraft with ADS-B receiving equipment (which is not required on all aircraft) know where they are. The problem is that anyone with a receiver can know where they are—as well as who they are, how big they are, and how fast they’re traveling.

The DoD has obtained waivers from the FAA so that many military aircraft can fly without transmitting this data. (It would, after all, defeat the purpose of the almost $70 billion the Pentagon spent to develop and purchase a fleet of F-22 stealth fighters if the Raptors were out there on every training mission screaming “Here I am!”) All other aircraft, however, are left exposed.

The concern over signal integrity is that there is no way to authenticate the signals sent by aircraft transponders; therefore, someone could “spoof” the system by sending a signal that purports to come from an aircraft transponder. In a recent email statement to Air & Space, the FAA noted that the ADS-B equipment itself protects against false information: “The FAA has worked to ensure that … onboard avionics equipment using ADS-B Out information” validates received data before displaying it to the pilot. Airliners are also equipped with collision avoidance systems. The FAA considers this system an additional verification of the received picture of aircraft flying in the vicinity, stating, “This allows the airline pilot to have confidence in the traffic information seen on their displays.”

As the FAA begins to implement the GAO recommendations, industry red and blue teams continue to wage battle in the labs, hackers search for vulnerabilities to present at Black Hat and other conferences, A-ISAC updates its 84 industry members at an annual summit, and thousands of engineers test and probe aircraft systems so that passengers can rest easy. How easy are those engineers resting? They are not letting their guard down.