Cybersphere - Threats & RisksJohn SynnottManager, Flight Operations Information Technology,IATA

Cybersphere - Threats & RisksRisk Assessment – Data/ Information/ SystemsDoron Bergerbest-EilonFounder and CEO,ASERO

Cybersphere - Threats & RisksAirline Vulnerabilities to HackingChris RobertsChief Security Strategist for Attivo, Advisor for Cympire, Virsec, OverWatch ID

Aviation Threats & Risks…

Chris Roberts, Chief Security StrategistChris@AttivoNetworks.com

Sidragon1 (LinkedIn and Twitter)

Yes…You Invited a Hacker…

The Blue Goatee…• In the InfoSec/Cyber industry for too many years...• Broke Nigeria, ISS, Mars Rover, airplanes, trains, etc.

– Researched a whole lot more…

• Now Chief Security Strategist with Attivo Networks.– Why? Because the deceptive space gives us asymmetric defense for once.– Why? Because change comes from the inside…

• Currently researching humans, consciousness computing and shipping.– Because there’s better ways than passwords!– Because the future’s not already scary enough☺– Because it seemed like a good idea to make a ship roll over…

• Might also have a whisky collection that borders on the obsessive…– Occasionally travels with the whisky football (thanks Inbar!)

And For Those NOT Awake…

This is why I can’t fly on a number of airlines…

Agenda• Quick intro

– You invited a hacker, specifically this one…

• History lesson– And where we are today

• Complexities…– What does that mean for us?

• Let me count the ways I love thee…– How MANY different ways can we attack you?

• All done here, time to change…– Breaking things summed up

• Lets fix things– Back to basics, removing the blinky stuff AND working together!

• Wrapping it all up– Some wise words from someone else

Quick History Lesson:

History Of Avionic Research2010: Began researching avionic systems2011: Presented ground based findings at conferences2012: Presented updated research (ground/air) at conferences2013: Talked with Boeing’s red team2013: Talked to, and was put under NDA by Panasonic2014: Talked with Airbus2014: IOActive also presented issues with Satcom2015: Went very public, and got banned by airlines2017: DHS and research teams validate findings2018: Same as above, research teams validate issues

Reaction From Aviation Industry?

So, Where Are We Now?

And…When It All Goes Wrong…Lawyers:• A team of lawyers gets involved…ALL the time.• A team of lawyers never lets us apologize.• A team of lawyers never lets us discuss our faults in public.• A team of lawyers doesn’t allow us to share our experiences

with our peers (in a timely manner.)• A team of lawyers hinders our ability to affect change.

• And if we ever DO say anything another team of ambulancechasing lawyers is ready to sue us out of existence.

Complexities:

HOW Complex?• Data!

– GE’s engines collect 5,000 data points per second– Boeing 787 collects 500GB of data per flight– Airbus A350 generates 2.5TB of data a day– Airbus 380 has “around” 25,000 sensors– Modern wings can have 10,000 sensors EACH

• 104,000 flights a DAY (globally)– ADS-B (in/out) spoofing

• Next generation planes will TRIPLE the data flow– How do we handle data integrity?– How do we detect data manipulation or modification?

Quick Reference!• 2.5TB of data is the equivalent of:

– 2 human brains worth of capacity

– 520 DVD’s

– 3,800 CD’s

– 200,000 phone books

– 1,000,000,000 typewritten pages of paper

OR

– One A350 flight…

The Simpler Days…

Dear gray haired people, I know this is what you remember…

Today’s Avionic Networks

Technology Has Moved On, We’ve Been Left Behind

Let Me Count The Ways I Hack Thee…

Supply ChainI’d always equated building a plane as being able to get 101 suppliers together…

Apparently Lego also decided that it takes 101 suppliers to build a plane too…

How Many Of You KNOW How Secure Your Vendors Are?

Attack Surfaces - GroundGround maintenance laptops:• Delivered from factory with defaults enabled

• No password OR basic one…• Why do we find them connected to the Internet?

• Updates, I get it, but then disconnect!• Games on them…seriously?

• I know, it gets boring…READ a bloody book!• Congratulations on customizing it…

• Now we can ALL access it via your WiFi/BLE

Worst case, social engineering:• Yellow/orange safety jacket• Correct boots• Blue overalls• Copied ID badge….

Or…

Techsat software (one among MANY of the vendors)Upload site vulnerable (WordPress), software is in default build (reverse engineer.)An hour of OSINT work shows code, developer passwords and account intelligence.

All your configurations now belong to me.

Attack Surfaces - Air

How?• Research (lots of it)

– So much of what everyone does IS on the Internet

• Access to a maintenance laptop AND certificates (security things)– Not hard, social engineering and a USB stick– Accessed at same time as tour of facility

• Right place to access on both ground AND air– Ground systems rarely secured, air systems more social engineering

• Time…– This IS the one thing it DOES take!

• Open source intelligence AND a lot of phone calls– Calling all the suppliers and getting code, configurations, etc.

• Built out testing lab (thanks to all YOUR suppliers)– Back to going in prepared….

A Bad Day, For Everyone

The inertial reference system (IRS) is used for airplane position, acceleration, track, vertical speed, ground speed, true and magnetic heading, wind speed and direction.

It also supplies altitude data for the displays, flight management system, flight controls, engine controls, and other systems.

Remember Those Sensors• Supply chain attack:

– Accessing supplier computers and modifying the firmware (e.g., preinstalling back doors,malicious code, etc.) (Acer, Cisco, Android and others being very prominent examples.)

• Data injection:– injecting false data in computer-driven data analysis process through compromised system.

• Jamming:– Transmitting high power signals to impede reception of RF/EO signals (i.e., degrading accuracy

and continuity).

• Spoofing/replay attack:– Building and transmitting false signals to deceive a target RF/EO sensor’s positioning and/or

tracking data.– Capturing legitimate RF/EO signal and rebroadcasting with alterations (e.g., time delay),

affecting the RF/EO sensor estimation accuracy, continuity and/or integrity (GNSS, etc.)

• Malware infection:– Injecting software into the system with deliberate harmful intent including viruses, worms, back

doors, ransomware, etc.

ADS-B

• Automatic Dependent Surveillance Broadcast (ADS-B)

– Message corruption

– Message denial

– Message delay

– Message replay

– Message ghosting

• Tell me again, how much do you rely upon it?

It’s Ok, You’re Not Alone…

Transportation & Intermodal

Cars And Lorries

Volvo – Bluetooth – Engine Management

Hacking cars on the groundOR

Hacking planes at 35,000 feet

YOUR CHOICE

Ships Through The Front Door…

Open RDP to a few container ships??

Make It Roll Over…

RDP to ship then Maintenance system scan to:Ballast control module…May 2018

And…Over Again

SATCOM – Navigation – RDP – Maintenance – Ballast Control

Locomotives:

What to do when you get banned from several airlines…

Trains, Signals And Rail Yards…Rail yard, run by 3rd party, manages freight across the entire country.TELNET access, ID=Admin PWD=Admin1

GE-EMD LocomotiveCellular, rail-line or network

access to trainID=Admin PWD=000000

ElectroLogIXS switch (scattered ALL over the USA.)Allows signals to be interrupted AND changed…Man NOT Present, bypassed. PWD=passwordCan change signals from RED to GREEN Etc.

We’re Broken

So That’s It…

• I’m done talking about breaking things.– We ALL know it can be done

– We ALL know how easy it is

– We ALL realize that things are not getting better

– We ALL know aviation is a target

– Heck, we should ALL know that everything is a target

• So, what the heck DO we do about it?

Stop Complaining, Let’s Fix Things:

Not The Solution

Fix The Basics!

Back to Basics

• The human:

– 1 hour of awareness training PER year

– ½ session of “don’t click shit”

– ½ session of “don’t send shit”

– No understanding of balancing work and life security

– P@ssw0rd1 used at work and on Facebook etc.

– Thinks the “S” in HTTPS is for wimps

Fix the humans

Change the conversation

Safety NOT Security

Back to Basics (2)

• Your computers:

– The ones on the FLAT network running W2k

– The ones in the warehouse running XP

– The ones the vendor said don’t touch

– The ones on the Internet with RDP!!

– The ones on the Internet with 1433/3306/Etc.

– The ones you don’t even know about!

Remove the easy ways in!

Back to Basics (3)• Your perimeter:

– Accept it, you don’t have one

– The laptops, iPhones, IoT took your control away

– Computer No1 on YOUR network is hacked

– 2018’s NGIPS/UBA/NGFW isn’t going to help

– Reactive, static defenses suck and don’t work

– There is NO cake, no fairy and NO simple answer

– Start building deceptive, asymmetric defensive tech

Get eyes inside your world!

Back to Basics (4)• Passwords (still)

– Stop the re-use!

– Teach pass phrases and password vaults.

– Teach separation/segmentation

– 2FA, it’s NOT hard to integrate

– All your users DON’T need to be admin!

– All your admins NEED to be separated

– All your developers DON’T need to hardcode

– AND , taser the vendor who leaves defaults!

Education and simpler integration

Back to Basics (5)

• Get a plan– Face it, shit’s going to hit the fan at some point.

– Be prepared, simpler to reach for the IR forms than wonder WHAT to do…

– Have the communications plan in place ready to go…

– Have the humans prepared. (No, not cannibalism)

– Practice makes perfect, headless chicken mode is NOT needed…

– Know the steps (OODA or NIST IR)

Get a plan!

Or, In Our Language…

PS: Duct Tape Does NOT Fix Everything…

Security, Safety OR Risk?

Safety vs. Security

• Human’s have evolved over thelast 50-60,000 years.

• Humans have always beentargeted, depending uponvarious circumstances.

• We UNDERSTAND safety.

• Security is NOT part of ourlanguage.

There is NO such thing as security.

There is just the measurement of RISK.

• Arguably there is nothing that can be totally secured.– Therefore, does a state of security really exist?– If yes, then HOW do you measure security?– If no, then WHY are we going round in circles trying to tell folks

what exactly?!?

• Change the conversations, talk about risk.– NOT “cyber risk” but simply business risk.– We know that companies have quantified risk for as long as

someone’s been willing to sell insurance.– If we can’t beat them…join them!

Risk Not Security:

Existential Crisis For InfoSec…

Replace The Blinky Stuff…

Static Defense…

Static Defenses (Mk2)

Walls… Fire, Brick, Etc.

“Walls for the last 4,100 years have provided temporary relief at best, but a fools folly for the most part. They are nothing more than a willy

waving exercise designed to attract MORE attention and innovation in how to circumvent and bypass.”

Assets!

How many of you KNOW what assets you HAVE

Let alone where they are…

Blunt• You don’t have a perimeter:

– You lost that when you allowed email to become mobile and the cloud took it to a wholenew level, let alone your 3rd parties and supply chain have access everywhere...

– When the coffee machine talks to the fridge and Alexa answers…you don’t have a perimeter!

• You haven’t fixed the basics:

– Patches done ALL over the place (on stuff you can find) hopefully…ish

– You have an SDLC for developers and all those teams are managed correctly?

– You have shared code ALL over your apps, and don’t know it.

– Defaults in place, passwords not separated, local admin for users?

– You train your users annually and expect them to remember? (never mind PPC’s)

• I’m here..

– And you are not watching all your logs ALL the time OR you’ve tuned me out?

– You think that antivirus is effective or rely upon endpoint protection.

– You think your firewall’s going to save you…

Assume Breach

Adversaries WILL get in, we can’t stop them. (if they’re not already there)

The question is simple…

HOW will you know, and WHAT are you going to do about it?

Preventative, Proactive, Deceptive!Asymmetric Defense!

To Me, This IS Your Network

Let’s Change The Picture!

Let’s ADD More Doors…

Remove The Welcome Mat…

Add Some Surprises…

AND, Put It All Back Neatly…

THIS Is Now Your Network…

Behind those doors are traps and lures and WELL camouflaged deceptive technology

Can YOU tell the difference?

Wrapping It All Up…

Our History

Our Future

All Of Us…• Irrespective of your background.• Irrespective of your race, creed, color, faith, or eye color.• Absolutely irrespective of your orientation!• Change takes ALL of us.

– This isn’t securities problem, it isn’t the researchers fault, weneed to stop blaming the hackers.

– This isn’t the C-Suites blame to carry, nor is it the users issue tosolve. Developers need to be out of the firing line as doesEVERYONE in the business.

• We ALL take some of the responsibility, therefore we ALLhave to solve it…together!

Collaborate Or Die

5 million apps, 6 billion connected people, 26 Billion devices, 3 million shortfall in InfoSec…

Breaking things is easy…

…fixing them is a whole lot harder

“We may have all come on different ships, but we’re in the same boat now”

Martin Luther King, Jr.

119

I will fail

We will succeed

“So long and thanks for all the fish”Douglas Adams, you are missed.

Thank you to IATA and everyone here!