“It’s only a matter of time before a security breach occurs on a commercial aircraft.” That ominous warning came from the U.S. Department of Homeland Security, which recently disclosed that its cyber experts were cautioned months ago that the aviation industry will likely experience an in-flight cyber breach. That’s according to government documents obtained by Motherboard. Those documents further revealed that DHS cyber experts had conducted a clandestine experiment in 2016 in which they had successfully hacked into a parked Boeing 757 at the Atlantic City airport.
In response to terrorist attacks and increased threats to global security, late last year the DHS and the FBI issued a rare joint announcement that rattled major economic sectors. They warned that thousands of black-hat hackers are engaging in daily malicious cyberattacks on the U.S. clean-water supply, manufacturing plants, and the airline industry, with no let-up in sight.
It’s no secret that aviation is an appealing target for terrorists and nation-state bad actors. As a specialist in the prevention and detection of vulnerabilities in aviation systems—commercial and military—I’m especially concerned about cybersecurity risks in aviation.
Fear of cyberattacks has become an increasingly gnawing problem for pilots, flight crews, air traffic controllers, and airline executives. A recent industry survey found that cybersecurity risk ranks high on the minds of airline CEOs, with 85 percent expressing concern, compared with 61 percent of CEOs in other industries. And it’s no wonder. Each day across the United States alone, more than 42,000 flights take to the skies, carrying more than 2.5 million passengers, according to the Federal Aviation Administration. That means there’s thousands of cyberattackers conceivably tracking their every move.
Because fail-safe solutions don’t exist, the industry must defend itself in every way possible.
The biggest vulnerability for commercial flights is simply the age of most planes, which have outmoded infrastructure and systems. The vast majority of jets within today’s commercial fleets have been flying for 15 years or more. Most of them are not fully equipped with the latest defenses against cyber threats.
Within each plane is a complex maze of wireless connections that control virtually everything on the aircraft. To be able to fly, the plane almost wholly depends on hardwired software-driven systems, reliable Internet connectivity, and reams of digital data. Each software system is placed in a separate domain, and the domains are interconnected.
That is a system that must evolve, for cybersecurity risk is introduced by the connections between the domains. As much as possible, data flows should be limited so that a cyberattack on one system cannot easily overtake the entire plane.
Take the positioning systems that track an aircraft’s airborne location, for example. One unintended misstep in the cockpit—a simple miscommunication between pilot and copilot, say, or from the control tower—could bring utter disaster.
Equally so, the inability of a plane to detect and deflect a potential hack could have disastrous consequences.
Such attacks include spoofing (when hackers inject a “ghost” flight into the air-traffic radar), jamming (when hackers block legitimate wireless communications between two aircraft or between the ground and plane), supply-chain attacks (when hackers introduce malicious software), and remote hijacking (exactly what it sounds like).
The potential for such life-threatening attacks poses serious threats to our national security and our way of life. It’s no secret that aviation is an appealing target for those who wish to do harm, a forever lesson of 9/11.
Pete Cooper, senior fellow at the Atlantic Council’s Cyber Statecraft Initiative and author of “Aviation Cybersecurity: Finding Lift, Minimizing Drag,” said in a panel discussion we participated in that while adding stronger preventive measures can act as a deterrent, declarations of fully secure aviation systems are unrealistic.
At present, there remains an absence of clear and strong foundations to adequately prepare for and counter emerging threats across commercial and military planes, unmanned aircraft systems, air-traffic management, airports, and their supply chains.
Thus, in the absence of a unified understanding and approach to the threats, aviation cybersecurity might potentially struggle and fail.
Still, there are a few steps the industry can take. For one, every supplier’s components and systems should be required to go through third-party penetration testing. Such testing also should be applied to every aircraft’s integrated systems. This type of testing can unearth risks and flaws that automated vulnerability-scanning tools often miss.
Our challenge as cybersecurity experts is to continuously and assiduously detect, confront, and defuse the threat of cyberattacks by using a vastly accelerated collaboration across multiple stakeholders including government agencies, the aviation industry, and independent experts. Our nation’s airborne safety depends on it.
Christian Espinosa is a professor of cybersecurity at Maryville University, in suburban St. Louis. He has worked as a network and systems engineer, white-hat hacker, trainer, consultant, and entrepreneur in the cybersecurity industry since 1993. He is also founder and CEO of Alpine Security.