Commercial airlines are the next big cybersecurity risk

If the past few years have taught us anything, it’s that anything can be hacked: small businesses, multinationals, schools, and even smart devices in our homes.

It shouldn’t come as a surprise, then, to learn that the U.S. G.A.O. (Government Accountability Office) is worried about the risks associated with commercial airlines.

In a post on its website, the G.A.O. notes that modern airplanes are equipped with a wide variety of technologies that could be targeted by criminal hackers, including networks that share data with pilots, passengers, maintenance crews, other aircraft, and air traffic controllers.

The agency warned that airlines must focus on the ways they can protect those systems, and highlighted the risks associated with poor patch management, insecure supply chains, and outdated systems.

How can airlines protect themselves?

The G.A.O. provided six actions that the Federal Aviation Administration should take to mitigate the risk of cyberattacks:

  1. Conduct a risk assessment of avionics systems to identify cybersecurity risks and appropriate measures to address them.
  2. Perform cybersecurity staff awareness training for agency inspectors.
  3. Develop and implement guidance for avionics cybersecurity testing on new airplane designs.
  4. Review policies and procedures for monitoring the effectiveness of cybersecurity controls.
  5. Develop a mechanism to ensure that avionics cybersecurity issues are tracked and resolved.
  6. Review the way in which oversight resources are committed to avionics cybersecurity.

Tim Mackey, the principal security strategist at the Synopsys CyRC, believes the G.A.O.’s advice is appropriate to the level of risk.

“Aircraft, like passenger cars, have seen an increase in computerization with software controls becoming an integral component of modern flight systems,” he said.

For airlines to manage their cybersecurity requirements, they must anticipate the risks that are associated with those technologies, he added.

“For example, in recent years the concept of a software supply chain vulnerability has become front of mind as the growth of open source software usage grew. Such attacks can target not only open source software, but the commercial software built using compromised components.

“Detecting such attacks is challenging in part due to the potential for an attacker to mask their malicious code within a fix for an independent, but legitimate software bug.

“While the primary goal of such an attack might be financial, were a component compromised in this manner to be used in flight operations, it could offer an opportunity for another malicious group to target an airline or airline operations.

“This is an example of how attackers define the rules of their attacks and use the opportunities available to them and is also an example of the types of threats highlighted by the GAO.”
