Evaluating the impact of NextGen ’ s air traffic system on aviation security

Networked Next Generation Air Transportation System (NextGen) opened the gate to digital National Airspace System (NAS) in cyberspace. Air traffic improvements from NextGen system, accompanied by the risk of long-standing cyberattack issue in information technology industry became an increasingly challenging matter to the aviation community and Air Traffic Management (ATM), as cybersecurity challenges in the NextGen system could affect NextGen's principle assurance of safety and security in air transportation. The technological shift of NAS infrastructure from traditional radar-based systems to networking system of systems leads to a review, revision and redefinition of current policies, standards regelations, cultures and norm to reflect and mitigate new risks. Through analysing reports, regulations, standards, practices, recommendations from government and industry, the researchers analyse security impacts to NextGen; the risk of a cybersecurity incidents; and regulations to identify most effective and efficient control measures over information systems in ATM, and direction to further research.


Introduction
A question raised from incidents is, how do we prevent cyber-attacks in ATM?Before looking for the answer, another question should be answered first.What have we done to prevent cyber-attacks in ATM? NextGen information systems (IS), not only creates billions dollars in economic value and millions of job opportunities like other industries [1], but it also has distinctive and immediate impact on the NAS security and public safety, as it provides safe and accurate air communication in a complex environment.Upgrade to network-based IS in aviation concerns security, safety, aircraft design research, aviation regulations, and training certification in both government and private sectors.Understanding development status, limitations, and responsibilities of each part will better position aviation for approaching aviation cybersecurity.
2 NextGen in the U.S. National Airspace System (NAS)

Network Construction
Interconnections of physical components using network technology, Information Systems (IS), hardware and software created a NextGen net-centricity environment to share aeronautical data "timely and seamlessly among users, applications, and platforms" [2].Based on FAA official website data, information from FAA Telecommunications Infrastructure (FTI) Overview [3, 4, &5], the fundamental infrastructure enabling net centric operations is System Wide Information Management (SWIM) built upon Federal Telecommunications Infrastructure.

Characteristics
U.S. Government Accountability Office (GAO) [2] described cyberattacks as "evolving, growing", "intentional or unintentional" (p.1), and cyber-based or physically damaging adversaries against NextGen system with various sources.Testimonies [6,7] further revealed that criminal groups, hackers, insiders, other nations, and terrorists had been the primary actors of cyber threat based on government and nongovernment data.Leaders of National Business Aviation Association (NBAA) and American Association of Airport Executives (AAAE) stated insiders' threat was the biggest issue of cybersecurity [8].

Methods
GAO report [6] and testimony [7] also revealed more than 20 methods and exploits of cyberattacks commonly used against federal systems, and among some of them were uncommonly known to the public.For example, creating fake wireless internet access point in public, such as coffee shops, to collect information of victims frequently visited websites, and injected malware to websites to attack targets (watering hole), driving in targeted areas with wireless capability equipped computers to search for unsecured network (war driving), or transmitting more data than system could handle resulting in deletion of data or execution of malware (buffer overflow).Based on target of the attack, threats can be classified as direct, indirect, and human.

Science of modern communication
The core of NextGen is the integration of numerous NAS IS platforms using digital communication technology wirelessly or wired.Wireless communication IS, such as Data Comm, SBSS, AatS, and ACARS transmits on-and-off electrical signal using modulated radio wave or microwave at a frequency ranging from 30 MHz to 3000GHz within electromagnetic (EM) spectrum [8,9].The client is an application or interface allowing users to access servers to create, change or delete data.Some client interfaces allow users to make a critical change to the IS depending on protocol and level of authorization.In the context of NextGen IS, which consist of both wired and wireless network channels in many physical facilities such as airports, ATC towers, ground stations, and air routes in space, access to encrypted and modulated signals from authorized or unauthorized devices, systems or computers could be everywhere.

Culture artifacts
Motivations behind unauthorized access to NextGen IS varies.Not understanding these motivations resulting in "prematurely reactive" threat response [10].State-sponsored attacks and terrorist attacks call for immediate actions of both private and government efforts with thorough preparation, while random phishing emails could be mitigated through in-house training, education, and continuous monitor.Motivations of threat actors could be divided into 6 categories: curiosity, revenge, revelation, espionage, destruction, and money.

NextGen cyber issues
GAO report [5] stated FAA heavily relied on a huge network of hardware, software, and communication equipment including over 100 different systems to function properly.The agency showed weaknesses in user access control to its systems, control of network system, software and device change and update, uncompleted agency-wide information security program required by Federal Information Security Management Act of 2002, improper governance structure and practice in accordance with National Institute of Standards and Technology guidance (NIST), and ineffective response to and detection of cyber issue.Another GAO report [4] revealed that both FAA and security experts acknowledged avionics systems onboard aircraft could be accessed and planted in with virus or malware from inside and outside of the airplane through in-flight Internet Protocol (IP) based network; and FAA accepted security control of NextGen system provided by its contractors without evaluation and oversight on the matter.Another research showed that SBSS network was also subject to the same cyber threats [11].Furthermore, ADS-series, ADSbased systems such as CPDLC, WAM, TCAS, FIS-B, TIS-B, radar-based navigation aids systems such as PSR, SSR, GPS, VHF VOR, ILS, NDB and DME, are subject to jamming denial of service, spoofing, and authentication issue [12].Though impact on confidentiality, integrity, and availability of aeronautic information due to technology or systemic vulnerability could be minor, however, the aviation industry is subject to another more severe threat: human aspect.

Summary
Former Obama signed Presidential Policy Directive (PPD) 41 on 26 July, 2016 to form the Cyber Unified Coordination Group (UCG) to handle significant cyber incidents which were "likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people" [13].The three agencies will coordinate closely to detect, protect and recover from significant cyber incidents involving federal government system unless such incidents affect private entities, in which case, the relevant sectorspecific agencies would coordinate federal government recourse to determine response action [12].

Organizational
Under current FAA structure, five offices and one committee would be responsible for cybersecurity [4].GAO [4] discovered cybersecurity responsibilities within the agency were not clearly identified and clarified.Additionally, the FAA did not fulfil its external cybersecurity responsibilities established by Department of Transportation (DOT) [14].Despite this requirement, DOT was not aware of any cyber incidents which FAA reported directly to DHS since the deployment of NextGen; and it did not have access to NextGen air transportation information, or receive any request from the FAA to change or monitor the system; critically, DOT discovered issue of partially monitoring of NAS which was previously identified by GAO in early 2015 [14]; [4].The increasing demand for cybersecurity, which would play a determining role in maintaining continuity of NextGen operation, inside FAA could affect its performance.FAA has been relying on its inspectors and National Transportation Safety Board (NTSB) to provide safety guidance and regulation over civil aviation in the physical world.Reports from the GAO and DOT provided evidence to show FAA could only observe cybersecurity matters in its traditional safety mind set not from a security perspective.

Cybersecurity vs safety culture
As governing body of aviation and safety, FAA [1] has been emphasizing the foster of positive safety culture (PSC).However, does PSC effectively help FAA to address challenges of cybersecurity?PSC has five aspects of culture: informed, reporting, just, learning, and flexible [15].Informed culture addresses IS administrators as having knowledge of system/s in various aspect to determine safety readiness; and reporting culture refers to people' readiness in an organization to report incident or accidents.FAA has failed on these two aspects both externally and internally [14].Poor reporting culture resulted in poorly informed culture.Years of partial system monitor show the lack of practical cybersecurity guidelines.During the audit OIG saw a mitigation plan developed.The audit report showed FAA's lack of just culture, with an atmosphere that did not lead to people understanding the difference between acceptable and unacceptable behaviour and the promotion of acceptable behaviour.The FAA failed to develop a required Plan of Action and Milestone (POA&M) as per DOT Cybersecurity Compendium to resolve 273 cybersecurity incidents [16].The FAA has a learning culture, an organizational climate that encourages continuous improvement, but was not evident in its response to the known issues as it was found to repeat some of the same cyber issues [4; 5; 14].Good learning culture not only includes active response to knowns issues but also embraces proactive effort to improve the system as a whole.Flexibility culture in FAA was positive as the agency allocated multidepartment's resource to confront challenges, for example, creating ARAC to address NextGen cybersecurity.At this point, FAA's actions, and behaviours did not "demonstrate a commitment to safety over competing goals and demand" [1, p 11].However, drawing the conclusion of positive safety culture in the context of cybersecurity during the development of the cyber system is premature as the foster of culture takes time, especially, in the case when established cultural experience has a challenge of new risks.

Airline and airport cyber development
Before NextGen network-based IS has been in place in airports and airlines.Thus, they both have some levels of cybersecurity ownership.How each develops future information technology (IT) will affect integrity and security of NextGen systems as airports provide critical and physical entrant to the NAS.

Airlines
SITA [17], a major worldwide telecommunication and IT service provider to air transportation industry, has been conducting annual airline IT trends for years.Its latest report revealed airline fleet aircraft have and will continue to become more connected with internet using new systems.In cybersecurity, more airline board-level executives and management are assuming responsibility.About 25% of airlines were prepared for cyberattack and 70% airlines had strengthened cybersecurity education and training.These data were based on a survey of the 200 top airlines worldwide of which 14% represented airline from the Americas [17].

Airports
SITA also followed airports and investment in PED based service such as a mobile purchase at an airport and saw increases of service needed [18].Airports also began to implement IT, for example, cloud services and sensors to improve operation efficiency.However, more than 40% of airports were still developing cybersecurity strategy, and only 19% were prepared for a cyber-attack [18].

Report Analysis
Both reports provided IT development trends in the global market.It did not provide specific details of US airlines and airports.Additionally, though airlines showed support for cybersecurity training and educations, evaluations of cybersecurity efficiency were not present.Effective cyber training and education alone will not guarantee effective cybersecurity measures, but would move towards hardening the systems.Also, resources to invest in IT and develop cybersecurity strategy varies among airlines and airports depending on finance and skills the organizations possess, resulting in a different level of understanding and preparedness of cybersecurity [17;18].

Challenges
This research identified multiple challenges.First, FAA's lack of effectiveness and efficiency in addressing aviation safety due to cyber issues to fulfil its responsibilities during NextGen's implementation in long term.Before the intention and method of attack could be determined by DHS, as directed by PPD-41, FAA was not being able to identify the cause of an issue, nor direction to approach solution while other aircraft having the same design would remain under risk.Second, is the increasing dependence on integrated and automated IS requiring FAA to monitor and maintain NextGen.For example, malfunction or replacement of SBSS components.Comparing automobiles relying on GPS for navigation on an interstate highway where separation is small, any GPS malfunction could result in automobile crashes, and the risk would be high.The third challenge, shortage of cybersecurity talents.As the aviation industry would become more and more connected with internet, it would demand investment in cybersecurity.Morgan [19] estimates the US shortage of cybersecurity employees in the thousands.The fourth was effective monitoring and intelligence collection for positive cybersecurity without intruding privacy.Cybersecurity would necessitate a large amount of monitoring, such as monitoring employees to comply with policies, IS configuration, internet usages, and passengers' behaviours, and collecting personal information from the internet to determine a level of risk.Privacy would become a more sensitive matter as consumers are exposed more to the internet.The fifth was cybersecurity requirement without regulation for airports and airlines.Airports and airlines have approached cybersecurity differently based on their own MATEC Web of Conferences 189, 10030 (2018) https://doi.org/10.1051/matecconf/201818910030MEAMT 2018 situations.Cyber-attacks occur at weaknesses which have the least amount of difficulty and resistance.Once one system is compromised, other systems are potential victims.Thus, airlines and airports have shared cyber risk and cyber responsibility.However, lack of regulations would result in different approaches and standards.Last, the growing numbers and evolving techniques of cyber-attacks from various sources.Continuous investment, education, training, and learning is required; however, the outcome of such effort is not promising in a complex environment consisting of both cyber and physical worlds.

Countermeasure redefined
Understanding of issues and identification of challenges would better prepare the airline industry for developing solutions that would encompass conceptual ideas of objectives and methods.The word cybersecurity has been used commonly on the internet as a countermeasure against cyber-attacks and cyber threats.Federal government defined cybersecurity as: Strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure [20].This definition manifests every aspect of actions and activities related to cybersecurity which could apply to the aviation industry on an organizational scale instead of global infrastructure scale.

Approach
Different activities have a different level of impact on cybersecurity.Proactive activities such as threat and vulnerability reduction would lead to a direct positive outcome, while the effect of incident response and recovery policies would not be seen until an incident occurs, and it improves an organizations' experience.This difference of impact causes organizations to emphasize policies and activities deemed to be effective based on their knowledge, skills, resources, risk, and priority.

Holistic
Keanini, Chief Technology Officer of Lancope Inc, network security analytic service provider owned by American networking hardware company Cisco, said holistic approach was based on decision-making theory of OODA Loop [21], created by military strategist and former U.S. Air Force Colonel John Boyd.The holistic approach is a comprehensive and continuous process to address cybersecurity by using OODA loop consisting of observation, orientation, decision, and action.The holistic approach calls for operating OODA loop at faster pace continuously than threat actors to increase resistance to threat and raise expenses for threat actors while strengthening cybersecurity.NIST and other security experts also recognized that this approach would allow an organization to develop a comprehensive understanding of threats against IS and level of risk [4]; however, they acknowledged this approach is "costly and time-consuming" (p.17

Offensive
Paganini [22] discussed offensive approach involves attribution and retribution; attribution referred to any effort to hunt for and track threat actors and retribution was retaliating action following identification of threat actors.He further pointed out attribution was achieved using a series of aggressive techniques, such as intrusive malware, malicious code, massive-area wiretapping, monitoring, and spying, and that organization damaged or monitored threat actors' system using guaranteed sophisticated methods like zero-day vulnerabilities.This approach, however, came with ethical and legal issues as it threatened privacy.Spying and monitoring have become so easy through commonly used smartphones and applications.Remaining unknown to many, companies have been tracking location history, recording conversations, and monitoring internet usage along with face recognition, for the purpose claimed to be marketing research [23].Another concern is offensive approach would increase the market demand for zero-day vulnerabilities.Fundamentally, this could encourage hackers and other cyber talents to research, test, and develop more vulnerabilities and exploits to satisfy the market need.Many exploits have been opensource and free for use, potentially it increases cyber threat.

Risk based
National Institute of Standards and Technology (NIST) [24] developed and updated a riskbased framework to demonstrate a common process of cybersecurity implementation led by organization senior executive and top management.The framework consists of five core elements, four implementation tiers, and profile.Five core elements are to identify, protect, detect, respond and recover to threats.Implementation tiers, used to describe the level of preparation, includes partial, risk-informed, repeatable, and adaptive.At last, profile refers to the level of achievement in terms of established objectives such as current or target profile.Top managers and senior executives make a cybersecurity profile based on priorities, risk assessment and decisions, middle-level managers allocate organization resources to implement the profile.Businesses would adapt to this approach easily.However, positive outcome relies on senior executive level's skills, experiences, and expertise to make the right priority and decision once the profile is implemented.

International movement
International Civil Aviation Organization (ICAO), International Air Transport Association (IATA), Airports Council International (ACI), Civil Air Navigation Services Organization (CANSO), and International Coordination Council of Aerospace Industries Association (ICCAIA) have been taking join action to address cyber treats in all levels since 2014; Civil Aviation Cybersecurity Action Plan was signed in effect to align with 27000 series standard of International Organization for Standardization and NIST, which was the risk-based approach [25].Moreover, 39th Session of ICAO Assembly recommended cybersecurity regulation suggesting best standards and practices [26].ISO 27000 series have established requirements, guidelines and general principles to implement the information security management system (ISMS); specifically, the ISO 27005 has provided guidelines and process for organization information security risk management to assess, treat, and monitor risk [27].Guidelines and processed are available.Global concurrence and participation is needed

Best Practice
At this point, research found previously mentioned approaches and standard did not provide effective and specific methodology, except the overall processes and areas of actions encompassed in the definition of cybersecurity.Looking at the matter from standpoint of aircraft operating environments and challenges, no best standards or practices is hack-proof.Best practices of cybersecurity should be systems that organizations periodically and continuously review every cybersecurity matter to identify, assess, treat, and improve risk of cyber threats involving effort of executives, managements and employees and adapt to change so that organizations remain strategically competent in an evolving and complicated digital environment.Cyber threat, cyberattack, and cybersecurity is not a war between digital machines, but it is the war between humans.Human resource is the best tool every organization can have.And the best practice is to reduce, or eliminate threat from insider, and better equip employees and management with reliable information, effective training, and efficient resources.

Management and cybersecurity
Before any regulation is put in effect, aviation service providers (non-federal) set their own standards and practices of cybersecurity.Though statistics showed low level cyberattacks with limited impact, risk of catastrophic attacks remained as they were difficult to detect [26].Therefore, it is imperative for organization executives to have a holistic and realistic observation of risk, challenges and assets before establishing cybersecurity program.Incorporation of cybersecurity program which requires monitoring of employees' activities is also a critical challenge for leadership of executives and managements who depend on an effective team of employees to achieve organizational goal.Efficiency to incorporate cybersecurity program in aviation organization would further justify whether executives and managements possess great leadership to influence their employees to accept being monitored to achieve organizational cybersecurity; most importantly, complying with or institutionalizing cybersecurity would have direct impact on cybersecurity readiness [27].Compliance is to put a program into action, and contrarily, institutionalization is to foster culture, custom and atmosphere of cybersecurity throughout the organization to achieve maximum level of cybersecurity readiness with all-hand participation.Without institutionalization of cybersecurity, even the most secured systems would be exposed to cyber threat induced by humans.

Conclusion
Finally, this research found that, beginning its long-term implementation and development, fundamental shift to advanced technology based NextGen NAS had caused numerous gaps and introduced a significant amount of impact to the transportation industry, which could be potentially tragic to aviation security and public safety in the context of cybersecurity.These gap involves legislation, regulations, industry culture and customer, standards and policies in governments and agencies from both federal and states, aircraft and parts manufacturers, suppliers and customers, airline operators, pilots, aircrews, ground personals, contractors, and other related service providers; and it required aviation industry immediate actions to shorten the gap before disaster strikes in the NextGen system of systems for air traffic management.Positive cybersecurity outcome rests on aviation to develop shared vision, responsibility, intelligence, and resources, to institutionalize standardized circle of cybersecurity, and to fight cybersecurity as united entity.Four directions of further research were also identified during this research: effect of regulating minimum cybersecurity requirement on outcome of incorporating cybersecurity program in private sector, effective institutionalization of cybersecurity in airlines and airport, effective approach for airlines to ). MATEC Web of Conferences 189, 10030 (2018) https://doi.org/10.1051/matecconf/201818910030MEAMT 2018