Page 20 - ATA
A24 TECHNOLOGY
Thursday 1 August 2019
U.S. issues hacking security alert for small planes
By TAMI ABDOLLAH
Associated Press

WASHINGTON (AP) — The Department of Homeland Security issued a security alert Tuesday for small planes, warning that modern flight systems are vulnerable to hacking if someone manages to gain physical access to the aircraft.

An alert from the DHS critical infrastructure computer emergency response team recommends that plane owners ensure they restrict unauthorized physical access to their aircraft until the industry develops safeguards to address the issue, which was discovered by a Boston-based cybersecurity company and reported to the federal government.

Most airports have security in place to restrict unauthorized access and there is no evidence that anyone has exploited the vulnerability. But a DHS official told The Associated Press that the agency independently confirmed the security flaw with outside partners and a national research laboratory, and decided it was necessary to issue the warning.

The cybersecurity firm, Rapid7, found that an attacker could potentially disrupt electronic messages transmitted across a small plane's network, for example by attaching a small device to its wiring, that would affect aircraft systems.

Engine readings, compass data, altitude and other readings "could all be manipulated to provide false measurements to the pilot," according to the DHS alert.

The warning reflects the fact that aircraft systems are increasingly reliant on networked communications systems, much like modern cars. The auto industry has already taken steps to address similar concerns after researchers exposed vulnerabilities.

The Rapid7 report focused only on small aircraft because their systems are easier for researchers to acquire. Large aircraft frequently use more complex systems and must meet additional security requirements. The DHS alert does not apply to older small planes with mechanical control systems.

But Patrick Kiley, Rapid7's lead researcher on the issue, said an attacker could exploit the vulnerability with access to a plane or by bypassing airport security.

"Someone with five minutes and a set of lock picks can gain access (or) there's easily access through the engine compartment," Kiley said.

Jeffrey Troy, president of the Aviation Information Sharing and Analysis Center, an industry organization for cybersecurity information, said there is a need to improve the security in networked operating systems but emphasized that the hack depends on bypassing physical security controls mandated by law.

With access, "you have hundreds of possibilities to disrupt any system or part of an aircraft," Troy said.

The Federal Aviation Administration said in a statement that a scenario where someone has unrestricted physical access is unlikely, but the report is also "an important reminder to remain vigilant" about physical and cybersecurity aircraft procedures.

Aviation cybersecurity has been an issue of growing concern around the world.

In March, the U.S. Department of Transportation's inspector general found that the FAA had "not completed a comprehensive, strategy policy framework to identify and mitigate cybersecurity risks." The FAA agreed and said it would look to have a plan in place by the end of September.

The UN's body for aviation proposed its first strategy for securing civil aviation from hackers that's expected to go before the General Assembly in September, said Pete Cooper, an ex-Royal Air Force fast jet pilot and cyber operations officer who advises the aviation industry.

The vulnerability disclosure report is the product of nearly two years of work by Rapid7. After their researchers assessed the flaw, the company alerted DHS. Tuesday's DHS alert recommends manufacturers review how they implement these open electronics systems known as "the CAN bus" to limit a hacker's ability to perform such an attack. The CAN bus functions like a small plane's central nervous system.

Targeting it could allow an attacker to stealthily hijack a pilot's instrument readings or even take control of the plane, according to the Rapid7 report obtained by The AP. "CAN bus is completely insecure," said Chris King, a cybersecurity expert who has worked on vulnerability analysis of large-scale systems. "It was never designed to be in an adversarial environment, (so there's) no validation" that what the system is being told to do is coming from a legitimate source.

Only a few years ago, most auto manufacturers used the open CAN bus system in their cars. But after researchers publicly demonstrated how they could be hacked, auto manufacturers added on layers of security, like putting critical functions on separate networks that are harder to access externally.

The disclosure highlights issues in the automotive and aviation industries about whether a software vulnerability should be treated like a safety defect — with its potential for costly manufacturer recalls and implied liability — and what responsibility manufacturers should have in ensuring their products are hardened against such attacks. The vulnerability also highlights the reality that it's becoming increasingly difficult to separate cybersecurity from security overall.

"A lot of aviation folks don't see the overlap between information security, cybersecurity, of an aircraft, and safety," said Beau Woods, a cyber safety innovation fellow with the Atlantic Council, a Washington think tank. "They see them as distinct things."

The CAN bus networking scheme was developed in the 1980s and is extremely popular for use in boats, drones, spacecraft, planes and cars — all areas where there's more noise interference and it's advantageous to have less wiring.

It's actually increasingly used in airplanes today due to the ease and cost of implementation, Kiley said. Given that airplanes have a longer manufacturing cycle, "what we're trying to do is get out ahead of this."

The report didn't name the vendors Rapid7 tested, but the company alerted them over a year ago, the report states.

This March 12, 2013 photo shows the air traffic control tower at Chicago's Midway International Airport.
Associated Press