Hacking Aviation Technology

Uploaded on 2015-05-12 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Production-Manufacturing

aircraft-hacking-planes-in-flight-wifi-hacking-gao.jpg

Hard-core engineering industry professionals often believe that if information about how systems might be exploited is published, then the risk of these systems being exploited will increase. In contrast, most security researchers believe that responsibly disclosing security issues creates positive pressure on vendors to address these issues more effectively.

Aviation isn’t the only industry in this position. Energy, utilities, automotive, any industry where operational technology is being integrated, or replaced, with more IT components, experiences this conflict. These are generalizations, of course, and there are extremes on either side, but there’s a core, cultural difference in a response of ‘no one can access this component’ and ‘what happens when someone does?’
Industries that have a life-and-death impact are, understandably, particularly sensitive to this issue. Anywhere failure can actually kill people deserves some special consideration. In aviation, flight safety trumps information security, as it should, but as more and more attacks affect well known organizations, information security is gaining in visibility. There’s a growing recognition that cyber-attacks can have real-world consequences.
Despite this change in visibility, security researchers are concerned that if they demonstrate theoretical attacks on aircraft and aircraft systems, which include things like accessing some flight control systems via the in-flight entertainment system, rather than acknowledging the vulnerability and developing a plan to fix it, regulators and airlines will instead respond negatively and aggressively, with the intent to suppress the information.
This is a big problem because rather than acting on potential security threats to actively reduce risk, suppression ultimately drives criminal interest and increases risk. While this behaviour is often grounded in a desire to keep dangerous information out of criminal hands, other industries have come to realize that suppressing security research just results in less effective response and patching leaving systems more vulnerable to attack. An actively negative response generates more risk, not less.
The aviation industry relies heavily on technology, some of which is directly relevant to the safety of aircraft inflight and others directly impact the service, reputation and financial health of the industry. Despite the critical role technology plays in the safety of air travel, the aviation industry is still not equipped to handle many common cyber-attacks. Some of the challenge is technical, but much of it is cultural, as noted above.
While it might seem like the most obvious information security challenge to the aviation industry would be the increasing sophistication of attacks, the reality is that a lack of basic cyber security ‘best practices’ is an obvious next step in improving resilience and limiting risk. As more corporate IT systems and components make their way into traditionally closed aviation technology systems, they bring with them a number of security issues. These issues aren’t new to traditional IT, but they present new challenges when they are integrated with aging control systems.
The aviation industry involves more than just aircraft, of course. In addition to inflight safety, aviation as a whole now has to worry about how to collectively manage a growing number of security issues, which target adjacent parts of the business. Threats to air traffic control and reservation systems (GDS/CRS) are numerous. With the air traffic control systems, the primary concern is still flight safety, not financial fraud.
Because of the numerous cyber threats to the aviation industry, it is vital that the industry comes together to build adequate security defences. This effort will help detect and protect critical aviation infrastructure from potential cyber-attacks.
Effective aviation cyber security requires organizations to build accurate threat models, which will help define and describe the attacks that could compromise safety, or put customer data and financial information at risk. Accurate threat models are the first step toward building sufficient defence capabilities, and the process of creating these models starts by contemplating how systems can be breached and clearly identifying areas of the network most vulnerable to attack.
Information security researchers can play a key role in identifying these critical vulnerabilities, but only if the industry resists the urge to suppress research around potential cyber-attacks. Instead, aviation industry organizations should seek responsible partnerships with security researchers.
This isn’t a perfect solution, and doesn’t eliminate criminal elements, but most security researchers believe the best approach is responsible disclosure because it minimizes the risk associated with publication and maximizes the effectiveness of vendor response. This model has produced measurable reduction in security risks in other industries, and the potential to improve aviation security relatively quickly is significant.
Tripwire: http://bit.ly/1H9E0Yy

 

« Impact of New EU Data Legislation Not Widely Understood
Cyber War and Peace »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Zentek Digital Investigations

Zentek Digital Investigations

Zentek has been providing digital forensics services to the public and private sector for computers and mobile devices since 2004.

Qualys

Qualys

Qualys is a pioneer and leading provider of cloud security and compliance solutions.

Protegrity

Protegrity

Protegrity is an enterprise and cloud data security software for data-centric encryption and tokenization to protect sensitive data while maintaining usability.

Octopus Cybercrime Community

Octopus Cybercrime Community

The Octopus Community is a platform for information sharing and cooperation on cybercrime and electronic evidence.

Apomatix

Apomatix

Apomatix is a platform that simplifies the complexity of cyber risk audit and management.

Cradlepoint

Cradlepoint

With Cradlepoint customers leverage the speed and economics of wired and wireless Internet broadband for branch, mobile, and IoT networks while maintaining end-to-end visibility, security and control.

Irish National Accreditation Board (INAB)

Irish National Accreditation Board (INAB)

INAB is the national accreditation body for Ireland. The directory of members provides details of organisations offering certification services for ISO 27001.

In-Sec-M

In-Sec-M

In-Sec-M is a non-profit organization that brings together companies, learning and research institutions, and government actors to increase competitiveness of the Canadian cybersecurity industry.

Edureka

Edureka

Edureka is an online technology training provider with the most effective learning system in the world. We help professionals learn trending technologies for career growth.

Cyberi

Cyberi

Cyberi provide specialist technical consultancy and cyber advisory services, from penetration testing and assurance to incident management and response, and technical security research.

CrossCountry Consulting

CrossCountry Consulting

CrossCountry Consulting is a trusted business advisory firm that provides customized finance, accounting, human capital management, risk, operations and technology consulting services.

CSIOS Corp.

CSIOS Corp.

At CSIOS we help our customers achieve and sustain information and cyberspace superiority through a full range of defensive and offensive cyberspace operations and cybersecurity consulting services.

Nuts Technologies

Nuts Technologies

Nuts Technologies are simplifying data privacy and encryption with our innovative and novel data containers we call nuts based on our Zero Trust Data framework.

GoTo

GoTo

At GoTo we help people and businesses to connect and collaborate simply and securely – from anywhere. We’re the trusted partner for companies of all sizes.

CYBRI

CYBRI

CYBRI is a cybersecurity company helping businesses detect and remediate mission-critical vulnerabilities before they get exploited by hackers.

CertX

CertX

CertX is a Swiss functional safety, cybersecurity and artificial intelligence certification body.