Dark Reading is part of the Informa Tech Division of Informa PLC

IoT
1/7/2019
10:30 AM
Bruce Jackson
Commentary

Threat of a Remote Cyberattack on Today's Aircraft Is Real

We need more stringent controls and government action to prevent a catastrophic disaster.

The Federal Aviation Administration says today's aircraft are safe from cybercriminals. Major aircraft builders say the same thing. But the Department of Homeland Security (DHS) and the Department of Energy say "Not so fast." A few influential politicians and some experts in the aeronautics industry have also voiced their concerns in the past year.

It's not beyond the realm of possibility that a determined, properly prepared malicious actor could break into and compromise an airplane's network — without ever so much as entering the airport.

What's so exasperating is that policies, process, procedures, and tools exist to mitigate the risk. But the wheels of life-preserving change may not be turning quickly enough — a possibility exacerbated by the fact that a widespread skills gap is preventing change from being realized.

Motherboard, one of several Vice channels, reported in June that US government researchers think it's only "a matter of time before a cyber security breach on an airline occurs." Moreover, according to DHS documents the publication obtained via a Freedom of Information Act request, government officials believe aircraft still in use today lack sufficient cybersecurity protections — if they have them at all.

These concerns are not new. Last November, CBS News reported that cybersecurity experts working with DHS in September 2016 took only two days to remotely hack into a Boeing 757 at the Atlantic City (New Jersey) International Airport via radio frequency communications.

The attack was conducted by Robert Hickey, the aviation program manager for the Cyber Security Division of the DHS Science and Technology Directorate. He told Avionics Magazine, "I didn't have anybody touching the airplane. I didn't have an insider threat. I stood off using typical stuff that could get through security, and we were able to establish a presence on the systems of the aircraft." He added that, based on how most aircraft radio frequencies are configured, "you can come to grips pretty quickly where we went."

A few notes about that attack:

  • The 757 first entered airline service in 1984, but it's been 15 years since one was built. Major airlines are still flying the narrow-body, twin-engine aircraft.
  • The 757 is far less networked than modern planes.
  • 757s have only a handful of software parts, whereas the modern e-enabled aircraft has hundreds of loadable software aircraft components that can be delivered to the aircraft wirelessly.
  • 757s have small numbers of potential entry points, while modern planes have dozens. That means the attack was the equivalent of performing a test on a 1985 Ford Escort instead of on a 2018 Tesla Model S.
  • President Trump's personal plane is a 757, and Air Force Two — the official jet of the vice president — is a Boeing C-32, the US Air Force transportation version of the 757.

Responding to the attack, Boeing issued a multiparagraph statement that included this passage: "Boeing is confident in the cyber-security measures of its airplanes. … Boeing's cyber-security measures … meet or exceed all applicable regulatory standards."

In 2015, the General Accounting Office (GAO) stated that the FAA needed a more comprehensive approach to address cybersecurity. That same year, the FAA initiated the Aviation Rulemaking Advisory Committee to provide industry recommendations regarding aircraft systems information security. The industry recommendations have not been acted upon.

So, Washington, we have a problem.

Addressing the Problem
To solve it, we need industry regulations that require updated cybersecurity policies and protocols, including mandatory penetration testing by aviation experts who are independent of manufacturers, vendors, service providers and aircraft operators. Be mindful of those who claim aviation expertise; few have the necessary experience, but many claim they do.

"Pen testing" is essentially what DHS experts were conducting during the Boeing 757 attack. A pen test is a simulated attack on a computer system that identifies its vulnerabilities and strengths. Pen testing is one of many ways to mitigate risk, and we need more trained aviation and cyber personnel to deal with the current and emerging cyber threats — those that haven't even been conceived of yet.

Unfortunately, a pen-testing skills gap exists. According to a recent SecureAuth survey of IT decision makers, only 43% of organizations say they think they are staffed to handle pen-testing workloads. The skill gap grows far wider when aviation expertise is added to the equation.

Clearly, that issue needs to be addressed by cybersecurity and aviation industry leaders. The FAA Reauthorization Act of 2018 includes language to address cybersecurity. But we need more training, education, and emphasis on preventing malevolent actors from having the ability to use aircraft as potential weapons.

As for government regulations, The Hill wrote on the 17th anniversary of 9/11 that New Jersey Congresswoman Bonnie Watson Coleman and her colleagues are working on a bill that would strengthen the Transportation Security Administration's basic cybersecurity standards. "We cannot allow [cybercriminals] access to cockpits via cyber means," she said.

Agreed. Because at the moment, we're sitting on a ticking time bomb.

Bruce Jackson, President and Managing Director of Air Informatics, has extensive experience with in-flight satellite and Wi-Fi connectivity and was a principal investigator for the NASA Advanced Communication Technology Satellite (ACTS). He was also the wireless architect for ...
Comments
Bender-ici,
User Rank: Apprentice
1/8/2019 | 10:31:37 AM
Threat of Hacking Aircraft is Exaggerated
The Hickey pentest has been used to make all sorts of claims, but nobody mentions that Hickey only made these claims once at a conference and they were unauthorized. As a result, he is no longer an employee of DHS.

Hacking wi-fi on an aircraft is certainly feasible and when it has happened (on only a few occasions), the aircrew simply turned it off. These alarmist commentaries are not news and they fail to mention that wi-fi infrastructure on the aircraft is not related to operational infrastructure - at current, there is no danger to safety of flight. This threat is being grossly exaggerated by people who want to grab attention.

There are a host of technical issues that are never mentioned by these type articles, who make it sound like it is easy to bring down an aircraft. Even if this were feasible, at some point, interfering with flight safety would get said hacker a very long prison sentence. If they were to bring down an aircraft, that's mass murder - which is a ticket to a lethal injection couch in the U.S. The "I didn't think the plane would crash defense" won't convince any jury.

Pentesting avionics and aircraft systems for vulnerabilities is a good idea and many companies have bug bounty programs. Stirring up fear based on unproven claims is not a good idea.

 
REISEN1955,
User Rank: Ninja
1/7/2019 | 1:24:49 PM
Indeed yes
A simple DOWN command would not be good. 