Over 40% of airlines still don’t have a cybersecurity plan to deal with possible hacking attacks on in-flight systems, according to ongoing research into the industry by commercial aviation consultancy AirInsight.
The study has so far covered 46 airlines around the world and discovered that 42% currently don’t have a cyber defense plan in place, according to a report by industry title Runway Girl Network.
Electronic Flight Bags (EFBs) are thought to be particularly at risk from malicious attackers in certain situations.
These are tablets or other electronics devices which pilots use typically in the cockpit to calculate and display aviation information on things like fuel, GPS coordinates and real-time satellite weather feeds.
However, the fear is that if the EFB is not installed inside the cockpit it might be more prone to attack.
“If an EFB is installed, like on the Airbus A380, that device can’t be moved around or impacted as easily as a portable device. Someone would have to come to the aircraft and infect the system,” said AirInsight, according to the report.
“On the other hand, the nice thing about Class 1 portable EFBs is that they’re not connected to the flight deck; there is still a human brain processing what the flight deck is saying and what the tablet is saying.”
The research is still a work in progress and may end up with different results by its conclusion, the report added.
So far there has not been a successfully recorded incidence of a hacking attack brining down a commercial airliner.
However, Eugene Kaspersky regularly uses the case of Spanair flight 5022 – which crashed after take-off from Barajas airport in 2008, killing 150+ people on board – as an example of what happens when malware in mission critical systems is ignored.
In that case, malware was not directly responsible but distracted engineers from another issue which ended up downing the plan, he has argued.
On the positive side, AirInsight noted last week that the industry has launched a new group - the Aviation Information Sharing & Analysis Center – a non-profit body designed to act as a “specialized forum for managing security risks.”