In a widely publicized report released last week, "FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen," the US Government Accountability Office (GAO) reviews the cybersecurity of the FAA's air traffic control systems and, among other things, the risks introduced by the IP connectivity now being built into commercial aircraft, including passenger in-flight wifi. By giving passengers IP networking for their own devices, airlines may be opening a path toward their avionics systems:
“Modern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems.”
In a nutshell, the issues boil down to a single question: what are the chances of an attacker hijacking a plane through its data links? The question has probably crossed everyone's mind at some point, and in rather more detail for those who work in IT and security. For Chris Roberts, an IT security researcher known for his work on aircraft systems, thinking out loud about it on Twitter landed him in hot water:
Find myself on a 737/800, let's see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)— Chris Roberts (@Sidragon1) April 15, 2015
Roberts was detained and questioned by the FBI when the flight landed, and United subsequently banned him from its flights. Notably, that ban kept him off a flight to the RSA security conference, where he was scheduled to speak.
Since the cat is already out of the bag (quite a few airlines already offer in-flight wifi), the practical question is how to keep the aircraft's own IT and avionics networks isolated from the publicly accessible services in the cabin. Per the GAO report, the passenger network and the avionics network on connected aircraft are separated by firewalls, and the experts GAO consulted cautioned that a firewall is itself software that can be compromised or misconfigured. How tightly the two sides are coupled on any given aircraft type is not public, but given the stakes one would expect the most conservative design available, with flight-critical systems physically separated, not merely firewalled, from anything a passenger can reach: in this case, mission-critical means critical to preserving life.
To make matters worse, the report finds that the FAA lacks direction on the ground side as well. On its air traffic control (ATC) systems:
“... significant security control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system. FAA has agreed to address these weaknesses. Nevertheless, FAA will continue to be challenged in protecting ATC systems because it has not developed a cybersecurity threat model.”
Per the GAO report, the FAA has its work cut out for it in creating and enforcing regulations and policies that mandate tighter aviation security controls, especially around technologies that could interfere with normal flight operations. Note that the in-flight ban on cellular phone calls is an FCC rule rather than an FAA one, and the FAA has no standing rule on passenger wifi: connected aircraft are approved case by case through certification "special conditions" rather than against a general cybersecurity standard. On the whole, the report indicates that the FAA has not yet treated in-flight cyber security as a priority:
“NIST guidance, as well as experts GAO consulted, recommend such modeling to identify potential threats to information systems, and as a basis for aligning cybersecurity efforts and limited resources. While FAA has taken some steps toward developing such a model, it has no plans to produce one and has not assessed the funding or time that would be needed to do so. Without such a model, FAA may not be allocating resources properly to guard against the most significant cybersecurity threats.”
While the FAA plays catch-up, it is up to the airlines to identify the vulnerabilities and weaknesses in their existing security models. Wifi is not yet a standard, ubiquitous convenience of air travel, but in-flight entertainment (IFE) systems increasingly provide internet access as well and typically sit on the same cabin network, so they are part of the same attack surface. GAO's review of the FAA's cyber security efforts serves as a cattle prod for the agency, but it also raises the scrutiny on publicly available services such as passenger wifi. Airlines should gauge these services and their impact on aircraft security carefully, mitigate the inherent risks, and, where necessary, discontinue a service until it can be implemented safely.
There is little doubt that customers would accept losing such services if it reduced the odds of a catastrophe. The first casualty of security is convenience, a trade-off accepted in most domains. A door with two locks takes twice as long to open and gives an intruder two locks to defeat. Corporate IT policies that force regular password changes cost users time in the name of enterprise security. In most contexts, security and convenience are at odds: increasing one tends to decrease the other.
This conundrum is especially relevant to the rise of IoT: technologies created for the convenience of users can do serious damage if compromised. What happens when a Nest smart thermostat, designed to let homeowners automate the temperature of their homes, is hijacked by an intruder? Fortunately, UpGuard can now monitor, secure, and validate configurations for IoT devices, making such technologies safer to deploy.
As avionics communications become increasingly IP-based, lightweight tools like UpGuard can provide unobtrusive but critical monitoring and configuration validation for all types of infrastructure, terrestrial and in-flight alike. Just as airport scanners are needed to detect would-be terrorists smuggling explosives onto commercial flights, UpGuard provides X-ray vision into IT infrastructure to spot vulnerabilities and critical misconfigurations before they turn into compromises.