NextGen technology has benefits and poses security risks

Apr 16, 2015 08:39 GMT

Increased adoption of Internet connectivity in aircraft systems poses security challenges, as hackers could work their way through the network to the avionics systems and compromise them.

A study from the US Government Accountability Office (GAO) on the dangers stemming from the Federal Aviation Administration (FAA) transitioning to the Next Generation Air Transportation System (NextGen) revealed that cyber security risks could emerge from insufficient protection of air-traffic control information systems and aircraft avionics involved in operating and guiding aeroplanes.

NextGen will be implemented in several stages by 2025 and the process started in 2012. The purpose is to switch the ground-based system used by air-traffic control (ATC) to a satellite-based approach that relies, among other things, on GPS technology to shorten routes.

Complete network segregation is the safe option

Cyber security experts speaking to GAO on the matter have said that using software-based firewalls to separate the avionics systems in the cockpit from in-flight entertainment services (cabin systems) used by passengers is not a safe approach.

According to the report citing expert input, “because firewalls are software components, they could be hacked like any other software and circumvented” if vulnerabilities are discovered and exploited.

Cockpit and cabin systems sharing the same physical wiring or router could be leveraged by an onboard attacker to reach the avionics systems in the cockpit. However, an FAA official said that stronger security controls could be implemented on board to reduce such risk.

Hackers could attack via passengers' infected devices

Another reason for concern highlighted in GAO’s report is the increased availability of in-flight Internet connection, which “should be considered a direct link between the aircraft and the outside world,” thus a door to potential threat actors on the ground.

Considering that use of tablets and smartphones with Internet connectivity is common during flights, some of them could be compromised by hackers to access airplane control systems.

The same risk occurs when such devices are present in the cockpit, giving an attacker the possibility to access IP-connected on-board information systems.

Historically, avionics systems are isolated from the rest of the aircraft systems and are not exposed to cyber security risks. Because of this, FAA has not created regulations for certifying the security of the avionics systems; but by adopting NextGen, potential danger becomes evident.

GAO’s recommendations for FAA include a more comprehensive cyber security approach and the development of an agency-wide threat model.

[Images: Expected benefits of the NextGen technology; IP-based communication inside and outside the aircraft]