Shirley, You Can't Be Serious. Airplanes Are Hackable?!

There are two ways to describe an important report issued by Congress’ General Accountability Office this week about airplanes and computers. Here’s how the GAO titled its paper: “FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen.”

And here’s how many observers described the report: “Airplanes can be hacked through passenger WiFi!”

As always, the truth is somewhere in the middle. The world’s air transportation systems are going through the same changes as all industrial control systems, and these changes bring both opportunities and peril. Once upon a time, it was nearly impossible to remotely hack into a power plant because the plant used old-fashioned proprietary systems that required hands-on users for operation. Slowly, critical infrastructure systems like power plants are transitioning to off-the-shelf software, and at the same time, they’re being connected to the Internet. This allows remote access, which is both a good and a bad thing. It’s good to be able to manage power plants from a long distance. It’s bad because it creates an avenue by which, at least theoretically, hackers can also break in.

So it is with airplanes. The Federal Aviation Administration is transitioning to its “Next Generation Air Transportation System,” known as NexTGen. Modernizing is a necessity. But as air traffic control systems and in-flight avionics systems are increasingly networked, the risk of unauthorized access increases. Any time you connect a computer to the world, the world can connect to that computer.

It makes sense to ring the alarm bell about these possibilities before they actually occur, and that’s what this week’s GAO report does. Auditors asked 15 cyber experts to conjure up worst-case scenarios, and they did a fine job of it. The report does not say that airplanes are currently being hacked. But it does raise a series of possibilities that frankly sound straight out of a horror movie — such as a computer virus causing a flight disaster.

“One cybersecurity expert noted that a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines,” the report noted.

You would think that in-flight WiFi could never be used to connect to pilot controls — after all, the systems are quite different — but several experts said it could be possible.

“Firewalls protect avionics systems located in the cockpit from intrusion by cabin system users, such as passengers who use in-flight entertainment services onboard. Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented,” the report said. “The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin.”

The report also talks about the added risk of an insider threat from connected systems — a malicious airline employee or FAA worker might be able to remotely cause havoc with specialized knowledge of Internet-connected planes. There’s also the contractor problem. The FAA and airlines must not only certify the security of all the systems they build, but of systems built for them by third parties. Imagine a back-door being inserted into a critical airplane system that a malicious programmer could use later.

It’s important to notice the presence of the word “if” in all these disaster scenarios, as in “if the cabin systems connect to the cockpit avionics systems.” They shouldn’t be physically connected, of course. It’s easy to imagine that happening, however, in the pressure-packed, cost-sensitive world of airline operations.

That’s why the GAO report urges the FAA to “develop a holistic threat model” towards airline hacking, and criticizes the agency for failing to do so. The report does praise the FAA for other cyber security initiatives it has already undertaken.

The FAA says it has already addressed many of the concerns the GAO report raises.

“We take this risk seriously,” said Keith Washington, acting assistant secretary for administration for the FAA, in a response to the report. He noted that the FAA recently established a cyber test center so it could more closely examine potential threats.

But the GAO report, while not suggesting that air travel is unsafe today because of hackers, pulls no punches about possibilities in the future.

“Significant security control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system,” the report concludes.