DefCon: You cannot 'cyberhijack' an airplane, but you can still create mischief
DefCon: You cannot 'cyberhijack' an airplane, but you can still create mischief

While a new report from the U.S. Government Accountability Office (GAO) has found that the Federal Aviation Administration‘s (FAA) lagging cybersecurity protocol leaves the greater U.S. aerospace vulnerable to cyber attacks, aviation experts said the report's findings don't make the case that an imminent threat is present.

The FAA needs to firm up its security program, the report stated, especially with consideration to its insufficient controls in preventing, limiting, and detecting unauthorized access to computer resources, as well as its lacking data encryption and trouble monitoring activity on its systems. Furthermore, the GAO reported that the FAA's “implementation of its security program was incomplete,” which puts the “safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk.”

This “uninterrupted service” represents the most pressing concern for aviation experts, and ultimately, is the most likely effect of an attack on the FAA.

“Really what people would be concerned about is systems being turned off at airports or interfering with communications on aircrafts,” said Paul Kostek, senior IEEE member and principal of Air Direct Solutions, in an interview with SCMagazine.com.

Even with communications hindered or certain systems disabled, pilots and aviation staff can maintain operations, albeit more slowly, Kostek said. More than anything, a disruption in aviation could have ripple effects on commerce and people's lives, which would leave fliers feeling insecure about a system they once trusted, he said.

“Again [looking at some of the comments in the report] it's really about the ability of somebody to go in and really just cause problems,” such as shutting off an airport's lights, he said.

Furthermore, Kostek noted, the report's findings apply to any modern enterprise adapting to current cyber threats.

Phil Polstra, associate professor of digital forensics at Bloomsburg University of Pennsylvania, seconded Kostek's sentiments in an interview with SCMagazine.com.

“You could say this about any industry,” Polstra said. “I think someone is checking a box. In the law it says we have to check out security and we did, and they pointed out some issues, and again, even their examples were pretty vague, and we can see why they'd be vague.”

The GAO, for instance, recommended that the FAA “establish a mechanism to ensure that all staff with significant security responsibilities receive appropriate role-based training.” It also suggested the FAA “clearly define organizational responsibilities for information security for NAS [National Airspace System] systems, and ensure that all relevant organizations…are in agreement with them.”

This, Polstra said, is already common knowledge for organizations looking to ramp up cybersecurity. However, the agency might not want to share specific vulnerabilities and security lapses because in fear of exposing the FAA to targeted attacks.

Even with this purposeful omission of detail, however, hackers will still try to get in, Polstra reminded.

“That's the mindset, to try and figure out how stuff works, and again, knowing what I know about aviation, I wouldn't be freaked,” he said.