'Only a Matter of Time' Before an Airline Cybersecurity Breach, Secret Government Docs Warn
A team led by the Science and Technology Directorate at the U.S. Department of Homeland Security (DHS) recently conducted an experiment proving that it could remotely penetrate the control system of a commercial aircraft using a Boeing 757 that was parked at the Atlantic City, N.J., airport.
The disclosure was made by Robert Hickey, the aviation program manager in the DHS Cyber Security Division. According to an article at Good Planes, "The disclosure of the hacking ultimately cost Hickey his job."
Motherboard obtained DHS and other U.S. government documents in which DHS predicts it’s only a matter of time before a cybersecurity breach on an airline occurs.
The DHS response was, “While certain details of the assessment remain classified,” Hickey’s comments “lack important context, including an artificial testing environment and risk reduction measures already in place." DHS added, "Along with our federal and industry partners, DHS takes aviation cybersecurity seriously and works with both researchers and vendors to identify and mitigate vulnerabilities in the aviation sector. The aviation industry, including manufacturers and airlines, has invested heavily in cybersecurity and built robust testing and maintenance procedures to manage risks.”
Translated, it says little to address the concerns among the aviation and cybersecurity communities.
In one of the presentations from the Pacific Northwest National Laboratory (PNNL), a Department of Energy government research laboratory, it states that the “potential of catastrophic disaster is inherently greater in an airborne vehicle, and it’s just a matter of time before a cyber security breach on an airline occurs.”
Cyber attacks of the airlines’ wireless systems have already occurred. According to the FBI, in 2015 a security researcher, Chris Roberts, claimed that he had penetrated the in-flight entertainment system of an aircraft and had overwritten code on the plane’s thrust management computer while on the flight and caused the plane to briefly change course. How did he do it? According to a report from the U.S. Government Accountability Office released that same year, some Boeing and Airbus planes have Wi-Fi networks used for passenger entertainment and to connect to the Internet. These networks are also connected to the avionics systems of the aircraft themselves!
“Today’s commercial aviation backbone is built upon a network of trust; most commercial aircraft currently in use have little to no cyber protections in place,” a 2016 DHS presentation warned. Boeing estimates a 20-year-plus service life for its current aircraft, which means “15-20 years of higher cyber vulnerability,” the DHS document adds.
And according to John Hultquist, director of intelligence analysis at cybersecurity firm FireEye, "In the instances where we have seen targeting of airports, the targeting was done by actors who we believe were carrying out reconnaissance for attack. Airlines have been targeted as well. The information they have could be valuable to an actor seeking to identify and track persons of interest. The actors who shut off the lights twice in Ukraine and caused over a billion dollars in economic damage and Russian hacking groups have already probed airports."
What's the government doing about this and other cybersecurity issues? According to the New York Times on May 15:
The White House eliminated the position of cybersecurity coordinator on the National Security Council on Tuesday, doing away with a post central to developing policy to defend against increasingly sophisticated digital attacks and the use of offensive cyber weapons. A memorandum circulated by an aide to the new national security adviser, John R. Bolton, said the post was no longer considered necessary because lower-level officials had already made cybersecurity issues a “core function” of the president’s national security team. Cybersecurity experts and members of Congress said they were mystified by the move, though some suggested Mr. Bolton did not want any competitive power centers emerging inside the national security apparatus.