Civil Aviation Cyber Security Put to Test


The cyber security of civil aviation has been put to the test. A team of government, industry and academic officials successfully demonstrated last year that a commercial aircraft could be remotely hacked in a non-laboratory setting, a U.S. Department of Homeland Security (DHS) official said recently.

“Two days after we got the airplane, I was successful in accomplishing a remote, non-cooperative, penetration,” Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate, told aviationtoday.com. “This means I didn’t have anybody touching the airplane. I stood off, using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”

Hickey, who is a staff officer in the Office of the Director of National Intelligence on assignment to DHS S&T, said that while aviation is a subsector of the transportation component of the National Infrastructure Protection Plan, the focus is squarely on traditional terrestrial-based systems. The reservation and scheduling systems of airlines aren’t part of the research, he said. “There’s a different type of critical infrastructure, and that’s critical infrastructure that’s in motion, of which aviation is one of the third of that,” Hickey said. The others are surface and maritime transportation, he said. He added that he doesn’t know the answers yet for aircraft cyber infrastructure, and that it’s not a policy issue yet because more research needs to be done on these systems to understand what the issues are.

The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt” them if a cyber vulnerability was specific to systems onboard 737s, he said, adding that other airlines that fly 737s would also see their earnings hurt. Hickey said newer models of 737s and other aircraft, like Boeing’s 787 and the Airbus Group A350, have been designed with security in mind.

Aircraft also present different cybersecurity challenges than traditional land-based networks, Hickey said. He said that whether it’s the U.S. Air Force or the commercial sector, there are no maintenance crews that can deal with ferreting out cyber threats aboard an aircraft.