Beasley Allen lawyers Mike Andrews (Personal Injury & Products Liability Section) and Lance Gould (Consumer Fraud Section) teamed up to provide information to unsuspecting consumers about the limitations on cybersecurity within the aviation and aerospace industries. They explain how unsecured networks are often vulnerable to opportunistic hackers, exposing consumers’ personal safety and information to those with ill intent.
Every day, the Federal Aviation Administration (FAA) provides service to more than 42,000 flights in the U.S. In an effort to keep up with the ever-changing landscape of technology, airplane manufacturers and owners have upgraded many aircraft with state-of-the-art avionics and electronic conveniences such as wireless internet. However, experts warn that in the rush to incorporate these improvements, the industry has not been as thorough in securing those systems against inevitable cyber-attacks. Such attacks have the potential to impact passenger safety, although most of the recent attacks have affected the security of passengers’ personal information when they are logged on through a plane’s passenger in-flight Wi-Fi.
In September 2016, Robert Hickey and his team of researchers at the U.S. Department of Homeland Security hacked into the systems of a Boeing 757 parked at the Atlantic City, New Jersey, airport. He explained the hack was facilitated with items that could easily make it through airport security, that the hack occurred without insider help, and that the team wasn’t even on the plane.
The aerospace industry has claimed that this type of attack is nearly impossible. Industry insiders even refuted a 2015 account by agents at the Federal Bureau of Investigation (FBI) that a well-known cybersecurity expert hacked an airplane’s flight controls by accessing the plane’s entertainment system. Allegedly, the hacker was able to force the plane to fly sideways, briefly. Manufacturers and others in the industry claim that multiple layers of protection guard against intrusion, and that segmenting the aircraft’s information system domain (the safety-critical systems, or what controls the plane) from the passenger information and entertainment domain also helps ensure safety.
Some cyber experts disagree.
They explain that hacking an airplane’s onboard Wi-Fi by accessing weak links in aviation’s satellite communication system may not have happened yet. However, passengers and airline staff, including maintenance and cabin crews, are relying more frequently on personal hand-held devices such as laptops, tablets and smartphones. This, experts say, increases the exposure of an aircraft’s critical and noncritical systems to potential outside threats such as malware that can open the system to hackers. Even seemingly innocuous apps, like weather information sharing apps that can help improve business efficiency, can leave the door open to hackers.
Similarly, onboard Wi-Fi or another inadequately secured system can also put passengers’ personal information at risk. Cyber experts warn that wireless internet is no more secure in the air than it is on the ground at your local coffee shop or bookstore. Viruses introduced to an onboard Wi-Fi system by a passenger’s, cabin crew member’s or maintenance worker’s handheld device can expose to hackers the personal information of everyone logged on. Third-party vendors such as service providers and suppliers create potential vulnerabilities for aircraft owners, operators and airlines just as they do for other businesses. For example, the Target data breach that exposed the data of 70 million customers and information on 40 million payment cards to hackers in 2013 started with the stolen credentials of a heating, ventilation and air conditioning vendor. The stolen credentials were used to infiltrate the retailer’s network.
Experts say there’s much room for improvement when it comes to security.
They warn that aircraft owners and operators should resist the urge to use “commercial off-the-shelf” (COTS) products to update software and upgrade existing systems. While fast and cost-effective, COTS products may not be compatible, and during the time it takes to address bugs or defects, systems are left vulnerable to outside tampering.
Experts also recommend that manufacturers implement anti-tampering measures, especially for older components that are susceptible to reverse engineering, signal processing and algorithm abuse.
Additionally, the industry can take several proactive steps to better protect personal data.
First, it must ensure that software updates (software assurance) are implemented down the chain from manufacturer to vendor to owners and operators, which will require better collaboration among organizations across the industry.
The industry must also remain vigilant about the supply chain’s integrity. Ensuring it is not corrupted by counterfeit products is one key step, but safeguarding against the potential vulnerabilities introduced by the vast network of service providers and suppliers is equally important. This network includes many who are members of the maintenance, repair and overhaul (MRO) industry.
Responses to a 2018 survey conducted within the MRO industry raise concern about its preparedness for cyber-attacks. While 67 percent of respondents claimed to be prepared, fewer than half recalled conducting a cybersecurity review in the last year. Furthermore, a number of those in the broader aerospace industry reported that they have not established security standards for third-party vendors, including 9 percent of independent MRO providers, 50 percent of airframe, engine, and component manufacturers and 41 percent of airlines.
Industries such as aviation and aerospace that rely on ever-changing technology must dedicate the necessary resources to keep pace with the changes to better ensure consumer safety and security.
Federal Aviation Administration