Here’s a fun thing to think about as you plan your next holiday: Researchers at a number of US government agencies including the Department of Homeland Security believe that a cyberattack against an aeroplane is inevitable and could lead to a “catastrophic disaster”. Have a nice trip!
Motherboard got its hands on a number of government documents via Freedom of Information Act request, which yielded internal presentations and risk assessments from DHS. The agency has been looking into potential vulnerabilities in commercial aircraft and found that most planes lack necessary cybersecurity protections, which is not reassuring.
A portion of the documents come from a presentation put together by the Pacific Northwest National Laboratory (PNNL), a research group that is part of the Department of Energy. The lab conducted tests earlier this year in which it attempted hack an aircraft via its Wi-Fi internet service.
The presentation, dated 10 January 2018, seems to suggest PNNL succeeded in part, noting that researchers were able to “establish actionable and unauthorised presence on one or more onboard systems”. However, another slide noted the group was “unable to penetrate via selected access vector”, leaving it unclear just how successful the simulated attack was.
What the research does make clear is the fact that they view a potential hack of an aeroplane as a viable threat and one that should be taken seriously. “Potential of catastrophic disaster is inherently greater in an airborne vehicle,” part of the presentation said. Another troubling part claims that it’s just “a matter of time before a cyber security breach on an airline occurs,” the document adds.
While the PNNL documents come from earlier this year, DHS has been probing the possibility of a cyberattack against commercial aeroplanes for some time now. A document from 2017 reported that “early testing indicates that viable attack vectors exist that could impact flight operations”. A team of researchers at the agency reportedly successfully hacked the electronics systems of a commercial aircraft last year, bolstering concerns that malicious actors could make planes a target for attack.
Making the situation all the more worrisome is that DHS stated in a 2016 presentation that “most commercial aircraft currently in use have little to no cyber protections in place”. Per the presentation, most current aircraft have about a 20-year or longer lifecycle, which means “15-20 years of higher cyber vulnerability”.
That is a significant period of time to rely on the existing cybersecurity protections on planes, which the DHS describes as “a network of trust”, suggesting companies are basically just banking on the idea that they won’t get hacked.
DHS also warned in a presentation that it expects “significant reluctance by the commercial world to expend resources” to prevent cyberattacks. (Boeing, in a statement to Motherboard, said it is “confident in the cyber-security measures of its aeroplanes”.)
If a hack were to occur, it could spell a considerable amount of trouble for the industry. Not only could it do damage to the plane itself, but DHS warns that it could “create conditions where public perceives there is risk to aircraft operations”. The agency also raises the possibility of a hack causing a disruption to the operation of commercial and military flights and could have a significant economic impact on plane manufacturers.
In a statement to Motherboard, DHS said it “takes aviation cybersecurity seriously” and is working with researchers and vendors to “identify and mitigate vulnerabilities in the aviation sector”. One document notes the agency has moved from penetration testing to mitigation development last year, suggesting it is helping companies develop defences against attacks.
The spokesperson for DHS also noted, “The aviation industry, including manufacturers and airlines, has invested heavily in cybersecurity and built robust testing and maintenance procedures to manage risks.”