Hacking Aviation Technology

aircraft-hacking-planes-in-flight-wifi-hacking-gao.jpg

Hard-core engineering industry professionals often believe that if information about how systems might be exploited is published, then the risk of these systems being exploited will increase. In contrast, most security researchers believe that responsibly disclosing security issues creates positive pressure on vendors to address these issues more effectively.

Aviation isn’t the only industry in this position. Energy, utilities, automotive, any industry where operational technology is being integrated, or replaced, with more IT components, experiences this conflict. These are generalizations, of course, and there are extremes on either side, but there’s a core, cultural difference in a response of ‘no one can access this component’ and ‘what happens when someone does?’
Industries that have a life-and-death impact are, understandably, particularly sensitive to this issue. Anywhere failure can actually kill people deserves some special consideration. In aviation, flight safety trumps information security, as it should, but as more and more attacks affect well known organizations, information security is gaining in visibility. There’s a growing recognition that cyber-attacks can have real-world consequences.
Despite this change in visibility, security researchers are concerned that if they demonstrate theoretical attacks on aircraft and aircraft systems, which include things like accessing some flight control systems via the in-flight entertainment system, rather than acknowledging the vulnerability and developing a plan to fix it, regulators and airlines will instead respond negatively and aggressively, with the intent to suppress the information.
This is a big problem because rather than acting on potential security threats to actively reduce risk, suppression ultimately drives criminal interest and increases risk. While this behaviour is often grounded in a desire to keep dangerous information out of criminal hands, other industries have come to realize that suppressing security research just results in less effective response and patching leaving systems more vulnerable to attack. An actively negative response generates more risk, not less.
The aviation industry relies heavily on technology, some of which is directly relevant to the safety of aircraft inflight and others directly impact the service, reputation and financial health of the industry. Despite the critical role technology plays in the safety of air travel, the aviation industry is still not equipped to handle many common cyber-attacks. Some of the challenge is technical, but much of it is cultural, as noted above.
While it might seem like the most obvious information security challenge to the aviation industry would be the increasing sophistication of attacks, the reality is that a lack of basic cyber security ‘best practices’ is an obvious next step in improving resilience and limiting risk. As more corporate IT systems and components make their way into traditionally closed aviation technology systems, they bring with them a number of security issues. These issues aren’t new to traditional IT, but they present new challenges when they are integrated with aging control systems.
The aviation industry involves more than just aircraft, of course. In addition to inflight safety, aviation as a whole now has to worry about how to collectively manage a growing number of security issues, which target adjacent parts of the business. Threats to air traffic control and reservation systems (GDS/CRS) are numerous. With the air traffic control systems, the primary concern is still flight safety, not financial fraud.
Because of the numerous cyber threats to the aviation industry, it is vital that the industry comes together to build adequate security defences. This effort will help detect and protect critical aviation infrastructure from potential cyber-attacks.
Effective aviation cyber security requires organizations to build accurate threat models, which will help define and describe the attacks that could compromise safety, or put customer data and financial information at risk. Accurate threat models are the first step toward building sufficient defence capabilities, and the process of creating these models starts by contemplating how systems can be breached and clearly identifying areas of the network most vulnerable to attack.
Information security researchers can play a key role in identifying these critical vulnerabilities, but only if the industry resists the urge to suppress research around potential cyber-attacks. Instead, aviation industry organizations should seek responsible partnerships with security researchers.
This isn’t a perfect solution, and doesn’t eliminate criminal elements, but most security researchers believe the best approach is responsible disclosure because it minimizes the risk associated with publication and maximizes the effectiveness of vendor response. This model has produced measurable reduction in security risks in other industries, and the potential to improve aviation security relatively quickly is significant.
Tripwire: http://bit.ly/1H9E0Yy

 

« Impact of New EU Data Legislation Not Widely Understood
Cyber War and Peace »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Linklaters LLP

Linklaters LLP

Linklaters is an international law firm. Practice areas include Information Management and Data Protection.

Redcentric

Redcentric

Redcentric is a leading UK IT managed services provider. We deliver managed IT, cloud computing, data backup, information security services and managed networks.

Trust Guard

Trust Guard

Trust Guard services provide complete security for your website.

HDI Global SE

HDI Global SE

HDI Global SE provides customised insurance solutions for industrial and commercial clients worldwide including Cyber Liability insurance.

Cyber Security Agency of Singapore (CSA)

Cyber Security Agency of Singapore (CSA)

The CSA is the national agency overseeing cybersecurity strategy, operation, education, outreach, and ecosystem development.

BooleBox

BooleBox

Boolebox is the innovative suite of enterprise data protection applications that preserve the integrity and confidentiality of data from any unauthorized access.

Miradore

Miradore

Miradore is a software company specializing in effective, cloud-based device management. Our goal is to help IT Service Providers and IT departments secure and control devices.

DQM GRC

DQM GRC

DQM GRC are one of the UK's leading providers of data governance, e-privacy and GDPR services, to commercial organisations across all industries in the UK.

StepStone

StepStone

StepStone is one of the leading online job platforms in Germany, and other countries, covering all industry sectors including IT and cybersecurity.

Lifespan Technology

Lifespan Technology

Lifespan Technology provides the full range of IT Asset Disposition services. This includes hardware recycling and disposal, data destruction, and hardware resale.

Global EPIC

Global EPIC

Global EPIC is an international cybersecurity initiative designed to combat growing world challenges by facilitating global collaboration in the field of cyber security.

Defensity

Defensity

Defensity offer bespoke & pre packaged IT Security Solutions for Small business to help companies reduce overall IT related risk.

1898 & Co

1898 & Co

Keep your critical assets secure with a comprehensive portfolio of services from high-level assessments to fully managed security services designed for operational technology applications.

Prelude

Prelude

Prelude offer the first autonomous platform built to attack, defend and train critical assets through continuous red-teaming.

Kingston Technology

Kingston Technology

Kingston is a leading global manufacturer of memory and storage solutions including encrypted storage solutions to protect data inside and outside the firewall.

OccamSec

OccamSec

OccamSec is a leading provider in the world of cybersecurity. We provide accurate, actionable information to reduce risk and enable better informed decisions.