Cyber Threats to Commercial Airlines

     Cyber security is one of the largest international issues today, with U.S. President Barack Obama calling it, “One of the most serious economic and national security challenges [the U.S.] face[s] as a nation.” (1) Well-documented cyber attacks have occurred on Sony Pictures, the U.S. Office of Personnel Management, and North Korea’s Internet, among others. A rising area of concern is the amount of network technology being utilized on commercial airlines. While networks on planes are useful for increasing operational efficiency, there is a growing concern that increased connectivity means increased risk of breaches (2). The 2014 Malaysia Airlines crash and the recent EgyptAir crash were both shrouded in mystery, with cyber attacks being suspected as a cause. While it is unlikely a cyber attack actually caused either of these incidents, the government and private aviation industry have taken notice and are working to address cyber vulnerabilities on planes (3).
    
      Cyber threats to commercial plane networks became a high profile issue in 2015 when security researcher Chris Roberts claimed to have gained access to a plane’s Thrust Management Computer (TMC) by hacking into the Inflight Entertainment system (IFE) with a modified Ethernet cable. He testified he was able to jump around to the cabin management system, satellite communication system, and potentially the avionics system (4). He also claimed he could have deployed the cabin oxygen masks and was able to slightly veer the plane. This drew the ire of the FBI, who opened an investigation of Roberts resulting in an affidavit for a search warrant of Roberts’s computer. After interviewing Roberts and various aviation experts, the FBI concluded that Roberts was likely exaggerating the amount of access he was able to gain and that his supposed flight alteration was a lie (4). Specifics aside, the revelation that any portion of the network is accessible to a passenger was alarming enough for a federal investigation. Boeing engineer Peter Lemme summarized the security threat by saying, “This behavior of a passenger connecting to something that they’re not supposed to connect to … we’ve got to at least say that’s a bad thing.” (4)    

     Another security concern involving commercial airlines is the potential for a plane’s GPS system to be manipulated by an outside source. Four years ago, North Korea allegedly jammed the GPS signals of 252 commercial flights, forcing them to turn off their navigation systems (5). Aviators and the Federal Aviation Administration (FAA) alike are concerned about the possibility of a spoofed GPS signal. A spoofed, or fake, signal could be transmitted by an outside source to a flight, affecting its navigation and potentially even allowing the transmitter to indirectly influence a flight pattern. With governments such as China, North Korea, Russia, and the United States already engaged in cyber warfare, this is a very legitimate concern. The idea of a packed plane being flown in circles over the ocean until it runs out of fuel is a nightmare scenario for commercial airlines. 

     Precautions against cyber attacks on GPS systems are underway. The U.S. has planned upgrades to its air and ground systems, known as GPS III and OCX, respectively. Besides critical software and integration, the plan includes a fleet of new satellites to replace some aging ones and augments the new ground system’s superior technical capabilities. The proposed upgrades should cyber-harden the system against attacks and vulnerabilities (5). Other nations following suit would help secure the international GPS network from attack.

     In addition to government upgrades, internal changes from airlines and regulatory bodies can help prevent cyber attacks. According to the Wall Street Journal, a panel of government and aviation experts has reached a preliminary agreement on proposed cyber security standards for airliners, including the concept of cockpit alerts in the event that critical safety systems are hacked (6). These notifications would notify pilots if systems such as GPS, communications, or autopilot are hacked and allow them to take action. They are not yet widely used or mandated by regulators. However, commercial and business planes certified during the past several years already feature some more-stringent cyber protections, though the recommendations are expected to go further (6). The recommendations are expected to be broad and policy-focused. Technical improvements will take a year to draft and at least a year to implement (6). 
​
     Outside of the panel, regulatory bodies and individual airlines have already taken action. In November 2015, the FAA issued special conditions effective for four makes of larger jets. They were designed to address a potential loophole in the safety standards involving the ability to connect passenger computer systems to critical aviation systems (3). This could help avoid incidents such as Chris Robertson’s network hack. The FAA’s statement acknowledged that increased network connectivity, “May enable the exploitation of network security vulnerabilities and increased risks, potentially resulting in unsafe conditions for the airplanes and occupants.” (3) In the private sector, leading aerospace manufacturer Boeing has laid out a comprehensive information security plan, saying “The existing in-service fleet of airplanes contains computerized systems, software parts, software control of devices, and off-board communication capabilities that all require an effective security solution.” (2) The aerospace industry must collaborate with the government to protect aviation systems from cyber threats before they become an international security issue.
​
(1) The White House. Office of the Press Secretary. Press Briefings Statements & Releases White House Schedule Presidential Actions Executive Orders Presidential Memoranda Proclamations Legislation Pending Legislation Signed Legislation Vetoed Legislation Nominations & Appointments Disclosures The White House May 29, 2009 Remarks by the President on Securing Our Nation's Cyber Infrastructure. The White House. Office of the Press Secretary, 29 May 2009. Web. 27 June 2016.

(2) Rencher, Robert. "Securing Airline Information on the Ground and in the Air."Aero Magazine. Boeing, Mar. 2012. Web. 26 June 2016.

(3) Norris, Guy. "Boeing, FAA Cut 777 Cyber Vulnerability." Aviation Week. N.p., 20 Mar. 2014. Web. 26 June 2016.

(4) Zetter, Kim. "Is It Possible for Passengers to Hack Commercial Aircraft?"Wired.com. Conde Nast Digital, 26 May 2015. Web. 26 June 2016.

(5) Pociask, Steve. "Your GPS Works Now, But Not For Long." Forbes. Forbes Magazine, 23 June 2016. Web. 26 June 2016.

(6) Pasztor, Andy. "Panel Reaches Preliminary Agreement on Airliner Cybersecurity Standards." Wall Street Journal [New York] 13 June 2016: n. pag. WSJ. Wall Street Journal, 13 June 2016. Web. 26 June 2016.

Image: &copy; Hkratky | Dreamstime.com - <a href="https://www.dreamstime.com/stock-photography-landing-airplane-image3570852#res14972580">Landing airplane</a>