informa
Announcements
Event
How to Launch a Threat Hunting Program | Webinar <REGISTER>
Event
How to Accelerate XDR Outcomes: Bridging the Gap Between Network and Endpoint | Webinar <REGISTER>
Report
Black Hat USA 2022 Attendee Report | Supply Chain & Cloud Security Risks Are Top of Mind | <READ IT NOW>
PreviousNext
Risk
2 MIN READ
News

Aviation Faces Increasing Cybersecurity Scrutiny

Some aviation experts and security researchers are trying to foster closer alliances for securing airplane networks.
Kelly Jackson Higgins
Editor-in-Chief, Dark Reading
August 22, 2019

{Continued from Page 1}

Boeing said there's no "quick" patch program for software in the aviation industry, and development of software for planes follows specific regulatory guidelines.

Jeffrey Troy, executive director of the Aviation-ISAC, the official threat intelligence-sharing arm of the industry, describes patching in avionics systems as a "case-by-case" situation. "Every instance of a vulnerability is a unique case," he says. "You also have to understand what the impact is and how to address it based on that impact."

He says aviation companies, when contacted by researchers, listen and then vet the findings. "They go out and conduct tests to validate whether or not the vuln that has been made known can be replicated. And if so, they do their assessments to determine what they need to do," he notes.

It's only a matter of time before Boeing and other aviation industry vendors are forced to find common ground with the researcher community, experts say. The increasingly networked aircraft fleet naturally will open avenues for security holes that need spotting and fixing.

"We've gone literally from having to physically go to planes and their avionics and upload a floppy [disk] for 20 minutes to now updating them over the air," Pen Test Partners' Munro notes. "You get reduced costs, but it [brings] security implications, too."  

And aviation firms have invested large amounts of money in developing safe and secure code, he says. "It will be some time before avionics opens up their source code" to security researchers, though, he says.

Progress, Actually
John Sheehy, IOActive's director of strategic security services, worked with Santamarta on his disclosure with Boeing. He believes some good progress has been made in relationships between researchers and the avionics industry over the past three years.

"Boeing clearly understood what Ruben was going to present [at Black Hat]," Sheehy says. "They did not take any aggressive action to stop us from doing so. I think they understand the value of this kind of research."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "You Gotta Reach 'Em to Teach 'Em."

 

Vulnerabilities/ThreatsThreat IntelligenceCloudAttacks/BreachesIoTAdvanced Threats
More Insights
White Papers
More White Papers
Webinars
More Webinars
Reports
More Reports
Webinars
More Webinars
Reports
More Reports
White Papers
More White Papers
Events
More Events
More Insights
White Papers
More White Papers
Webinars
More Webinars
Reports
More Reports