The Federal Aviation Administration says today's aircraft are safe from cybercriminals. Major aircraft builders say the same thing. But the Department of Homeland Security (DHS) and the Department of Energy say "Not so fast." A few influential politicians and some experts in the aeronautics industry have also voiced their concerns in the past year.
It's not beyond the realm of possibility that a determined, properly prepared malicious actor could break into and compromise an airplane's network — without ever so much as entering the airport.
What's so exasperating is that policies, processes, procedures, and tools exist to mitigate the risk. But the wheels of life-preserving change may not be turning quickly enough — a possibility exacerbated by the fact that a widespread skills gap is preventing change from being realized.
Motherboard, one of several Vice channels, reported in June that US government researchers think it's only "a matter of time before a cyber security breach on an airline occurs." Moreover, according to DHS documents the publication obtained via a Freedom of Information Act request, government officials believe aircraft still in use today lack sufficient cybersecurity protections — if they have them at all.
These concerns are not new. Last November, CBS News reported that cybersecurity experts working with DHS in September 2016 took only two days to remotely hack into a Boeing 757 at the Atlantic City (New Jersey) International Airport via radio frequency communications.
The attack was conducted by Robert Hickey, the aviation program manager for the Cyber Security Division of the DHS Science and Technology Directorate. He told Avionics Magazine, "I didn't have anybody touching the airplane. I didn't have an insider threat. I stood off using typical stuff that could get through security, and we were able to establish a presence on the systems of the aircraft." He added that, based on how most aircraft radio frequencies are configured, "you can come to grips pretty quickly where we went."
A few notes about that attack:
- The 757 first entered airline service in 1984, but it's been 15 years since one was built. Major airlines are still flying the narrow-body, twin-engine aircraft.
- The 757 is far less networked than modern planes.
- 757s have only a handful of software parts, whereas the modern e-enabled aircraft has hundreds of loadable software aircraft components that can be delivered to the aircraft wirelessly.
- 757s have a small number of potential entry points, while modern planes have dozens. That means the attack was the equivalent of performing a test on a 1985 Ford Escort instead of on a 2018 Tesla Model S.
- President Trump's personal plane is a 757, and Air Force Two — the official jet of the vice president — is a Boeing C-32, the US Air Force transportation version of the 757.
Responding to the attack, Boeing issued a multiparagraph statement that included this passage: "Boeing is confident in the cyber-security measures of its airplanes. … Boeing's cyber-security measures … meet or exceed all applicable regulatory standards."
In 2015, the General Accounting Office (GAO) stated that the FAA needed a more comprehensive approach to address cybersecurity. That same year, the FAA initiated the Aviation Rulemaking Advisory Committee to provide industry recommendations regarding aircraft systems information security. The industry recommendations have not been acted upon.
So, Washington, we have a problem.
Addressing the Problem
To solve it, we need industry regulations that require updated cybersecurity policies and protocols, including mandatory penetration testing by aviation experts who are independent of manufacturers, vendors, service providers and aircraft operators. Be mindful of those who claim aviation expertise; few have the necessary experience, but many claim they do.
"Pen testing" is essentially what DHS experts were conducting during the Boeing 757 attack. A pen test is a simulated attack on a computer system that identifies its vulnerabilities and strengths. Pen testing is one of many ways to mitigate risk, and we need more trained aviation and cyber personnel to deal with the current and emerging cyber threats — those that haven't even been conceived of yet.
Unfortunately, a pen-testing skills gap exists. According to a recent SecureAuth survey of IT decision makers, only 43% of organizations say they think they are staffed to handle pen-testing workloads. The skills gap grows far wider when aviation expertise is added to the equation.
Clearly, that issue needs to be addressed by cybersecurity and aviation industry leaders. The FAA Reauthorization Act of 2018 includes language to address cybersecurity. But we need more training, education, and emphasis on preventing malevolent actors from having the ability to use aircraft as potential weapons.
As for government regulations, The Hill wrote on the 17th anniversary of 9/11 that New Jersey Congresswoman Bonnie Watson Coleman and her colleagues are working on a bill that would strengthen the Transportation Security Administration's basic cybersecurity standards. "We cannot allow [cybercriminals] access to cockpits via cyber means," she said.
Agreed. Because at the moment, we're sitting on a ticking time bomb.