The possibility of an aircraft being hacked has been demonstrated, but it hasn’t taken place in reality – yet. In 2019, cybersecurity firm Rapid7 showed how an attacker could disrupt electronic messages transmitted across a small plane’s network. The researchers demonstrated how attaching a small device could impact aircraft systems, allowing false measurements to be sent to the pilot, including engine readings, compass data and altitude.
The research was taken so seriously that it led to an alert by the Department of Homeland Security (DHS)’s critical infrastructure computer emergency response team – which recommended that plane owners restrict unauthorized physical access until the industry develops safeguards.
It wasn’t the first warning of its kind. In 2016, the DHS remotely hacked a Boeing 757 passenger aircraft parked at Atlantic City airport. In October 2020, the US Government Accountability Office released a report warning of increasing risk to connected aircraft and called for hardened defenses.
Modern airplanes are increasingly e-connected in areas such as communications and radar. They often include in-flight entertainment systems as well as accommodating a growing number of Wi-Fi-enabled devices.
There is growing concern that hackers could launch over-the-air attacks remotely, leading to potentially disastrous consequences, such as rerouting flights. Just how realistic is this threat to planes in the air? What potential damage could be caused? And what mitigations should airlines be putting in place to secure live aircraft?
The Risk
The risks to the industry span multiple vectors. After the 2008 crash of Spanair flight 5022, it was discovered that a central computer system used to monitor technical problems in the aircraft was infected with malware. Spanish newspaper El Pais reported that the infected computer failed to detect three technical problems with the aircraft, which, if discovered earlier, could have prevented the plane from taking off.
Yet, while the concept of aircraft hacking is alarming, experts believe it’s very unlikely a plane could be hacked while in flight. “Aviation is one of the safest modes of transport, partly because all incidents are independently investigated, shared with the industry and learned from,” says Ken Munro, partner and founder of Pen Test Partners.
Additionally, hacking a plane “isn’t a matter of having a pop at the in-flight entertainment system,” says Munro. Plane systems are segregated in to distinct domains: The aircraft control domain that manages the engines and flight surfaces is separate from everything else. “There’s a one-way data feed to the moving map in your seat, but that’s it,” Munro explains.
The main issue with aviation security is not a single system but a vast array of software, hardware and systems within the aircraft itself – which may be decades old, says Sarb Sembhi, global CISO at AirEye. “If any of those are not hackable, the systems that they connect to – not necessarily within the aircraft – are probably hackable.”
One of the biggest challenges is “there are so many of them,” ranging from communication systems and GPS through to entertainment and haulage systems, he says. “Because the technology in the planes was designed and installed in an era when cybersecurity wasn’t a thing, there were no security safeguards built-in by default.”
Aircraft are also highly targeted by adversaries: Aerospace is the fifth most attacked sector, according to aerospace and defense vendor Thales. Airlines and aircraft manufacturers continue to say their critical safety systems are segregated from their non-critical systems, yet the hacker community “keeps on demonstrating there are holes within the many systems that connect the plane to the outside world,” says Sembhi.
With planes becoming increasingly connected as efficiency and environmental concerns become more important, new systems are emerging to aid pilots. The electronic flight bag (EFB) is typically a tablet or laptop computer that helps the pilot calculate how much power is needed for take-off. These require data such as wind, weight, temperature and runway length to make their calculations.
There have been numerous cases of pilots mis-keying the data, setting too little power and nearly running off the end of the runway or hitting the tail when rotating, says Munro. Yet even worse, he says, Pen Test Partners has found multiple vulnerabilities in EFBs that would cause the engine power to be wrongly set.
In addition, he warns: “Numerous other connected systems are emerging to help use airspace more efficiently and further improve flight safety, including digital communications to the flight management systems from the ground. Older versions of these are unencrypted and unauthenticated, and interoperability requirements across the globe make improving security quite challenging.”
The most realistic high-risk scenario of a cyber-attack on aviation could target the air traffic control or passenger tracking systems, says Bob Kolasky, senior vice president at Exiger. However, he says an actual attack on a plane with the intent of causing harm while in the air is “extremely unlikely” and “would be highly complex to conduct successfully.”
A particular concern is ransomware attacks on portions of the aviation system, says Kolasky. “These could have significant impacts on air traffic and ground hundreds of flights if the industry is not properly prepared.”
It’s true across all sectors, but the supply chain is a “far more pressing concern, especially around the repair of parts, which are flight safety-critical,” says Billy Hogg, security consultant at Prism Infosec. He explains: “The average age of aircraft is over a decade. Given that many were not a new design when they were manufactured and the computers sourced were older still, the operating systems are often no longer supported. This means that the test equipment used to maintain and repair these systems is also often running unsupported operating systems, along with the inherent risks associated with them.”
The systems require additional controls to protect them from attacks, such as air-gapping or other network boundary controls, he says.
Steps to Secure Aviation
The risk is real, but government and industry have recognized it for “at least a decade,” says Kolasky. With this in mind, he says “substantial steps” have already been taken to better understand scenarios that could have significant consequences.
The most prominent of these is the Aviation Cyber Initiative, a partnership between the US Federal Aviation Administration, the Cybersecurity and Infrastructure Security Agency and the Department of Defense to work with the industry to enhance aviation cybersecurity.
Responsibility for security largely lies with manufacturers, which conduct testing to achieve certification for an aircraft type. Generally, “this is a good thing,” says Hogg. “The manufacturer is without doubt the subject matter expert for the aircraft and how to operate and maintain it.”
Meanwhile, airlines have direct control over their own IT systems and how they test them varies. However, initiatives such as the UK’s Civil Aviation Authority (CAA) ASSURE program highlight to organizations and regulators where improvements to cybersecurity should be made.
Beyond this, many of the steps needed to protect the aviation industry apply to all organizations. Airlines and airport services are vulnerable to disruption, says Jonathan Reiber, vice president for cybersecurity strategy and policy at AttackIQ. He cites the examples of recent ransomware attacks on SpiceJet airways and Swissport. To prepare for potential cyber-attacks, he says organizations need to “invest in a strategy and security controls – people, processes and technologies – to defend themselves.”
Multiple layers of protection and monitoring need to be in place to detect any form of attack and make the system fail-safe to prevent damage or take over, says James Griffith, co-founder and technical director of Cyber Security Associates. Most airlines will have security operations staff constantly monitoring systems, he says.
The most important aspect of mitigation is managing supply chain risks, says Kolasky.
“Particularly software supply chains, regularly patching known vulnerabilities.”
In addition, he recommends “having in place plans to operate airplanes and the air traffic system amid digital degradation; frequent sharing of information about cyber-risks; and ensuring control systems are not linked to the internet.”
Longer-term investments in research and development and workforce training are essential to address risks, says Kolasky.
A major barrier to further research in this area is cost: “You can’t simply go and buy a plane,” Munro points out. Yet he says the COVID-19 pandemic has made access to planes a little easier because plane ‘breakers yards’ – where aircraft are sent to be retired – are backed up with functional but retired hulls. “That’s enabled us to carry out vanilla research into aviation cybersecurity.”
Steps are being taken, but collaboration is integral to ensuring the aviation industry remains secure in a fast-developing threat landscape. It’s certainly happening, but Hogg thinks there could be better collaboration across the industry. “Going forward, we’d like to see a single focal point at the International Civil Aviation Organization to manage collaboration between the aviation industry and cybersecurity sector, plus an initiative to pool and utilize the skills of subject matter experts from both sides.”