Bottom line: It is not only conceivable, but Boeing itself has warned about it.
As a former United States Air Force Aviator, and also an Electronic Warfare Officer on B-52s for several years, I’ve learned that aircrafts are vulnerable, just like everything else. My time spent in service to our country provided me unique insight into these security vulnerabilities and that’s why I feel this is an opportunity for me to share the knowledge I’ve gained from my experience, especially as the discussion of airline safety fills daily headlines.
Some notable things (not always noted) about this threat:
- First, listed in the Federal Register, (an item amazingly and often overlooked) is an issued guidance by the Boeing Company to the government on the special conditions on Boeing 777s.
- Second, the mobile threat of information security no longer refers to our mobile phones, but rather, and more importantly, the embedded systems used in many of our modern day mechanical devices – cars, TVs, refrigerators, and yes, commercial aircrafts.
Why are these two points relevant? Because the cyber threats of yesterday were distant notions to the everyday common citizen. Businesses accosted by “cyber burglars” and threatened infrastructure of foreign countries weren’t and still aren’t relatable by everyone. This new threat hits home and is as real as the threat of terrorism the U.S. felt on Sept. 11th.
The following is the text listed by the US Gov’t on the Boeing 777 aircraft: “These special conditions are issued for the Boeing Model 777-200, -300, and -300ER series airplanes. These airplanes, as modified by the Boeing Company, will have novel or unusual design features associated with the architecture and connectivity of the passenger service computer network systems to the airplane critical systems and data networks.
This onboard network system will be composed of a network file server, a network extension device, and additional interfaces configured by customer option. The applicable airworthiness regulations do not contain adequate or appropriate safety standards for this design feature. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards.”
Simply stated: the threat to an aircraft from a cyber attack has not been made part of the requirements for the airworthiness of modern day airliners.
Given that cyber attacks have become common and have even affected uranium enrichment centrifuges. (e.g. Stuxnet virus), why and how have we reached this conclusion? Shouldn’t modern day commercial aircrafts be tested for cyber security vulnerabilities prior to granting airworthiness certificates?
In case you’re thinking that we have some time to come up with compensating controls as the threat environment would need to change dramatically for these perceived threats to come together, there was a demonstration during the enormously popular trade-show crucible called “Blackhat.” Using approximately $1,000 of radio equipment, a security researcher demonstrated how an airplane’s signal to an air traffic controller could be “spoofed.”
Security professionals have long understood the threat that embedded systems create for modern day critical infrastructure. We need to test and protect these systems and it’s high time to drive these processes into modern day transportation vendors to ensure public safety.
Carl is an IT security expert and responsible for Radware’s global security practice. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force with policy and budgetary defense. Carl writes about network security strategy, trends, and implementation.