U.S. Steps Up Scrutiny of Airplane Cybersecurity
Concerns that planes could be targeted in cyberattacks are prompting U.S. officials to re-energize efforts to identify airlinersâ vulnerability to hacking.
The revived program, led by the Department of Homeland Security and involving the Pentagon and Transportation Department, aims to identify cybersecurity risks in aviation and improve U.S. cyber resilience in a critical area of public infrastructure, a DHS official said. DHS is offering few details on the program but says it will involve some limited testing of actual aircraft.
Transportation and national- security officials remain concerned that aviation is a preferred target for terrorists and that cyberattacks could provide a new avenue to threaten planes and passengers.
The new U.S. program is trying to ensure that hackers canât exploit potential vulnerabilities in electronic systems of new and old airliners. The scrutiny comes after cyberattacks that, in recent years, have attempted to disrupt such internet-connected sectors as energy grids and electoral systems.
The U.S. Air Force separately plans to take a bigger role in examining the security of systems used in commercial aviation. Many of the systems are also used by the military. âIf we donât probe first, our adversaries will,â Will Roper, the serviceâs assistant secretary for acquisition, technology, and logistics, said in an interview. âWeâve been a little complacent in not trying to attack all of the parts of the airplane.â
SHARE YOUR THOUGHTS
Should the government recruit hackers to hunt for airplane cybersecurity vulnerabilities? Join the conversation below.
Cyberattacks against airlines have targeted weaknesses in information-technology systems rather than aircraft. British Airways is facing a $230 million fine in the U.K. after about a half-million passenger records were accessed during a 2018 cyberattack. Air Canada and Hong Kongâs Cathay Pacific also reported data hacks last year.
âThere are many risks in aviation beyond looking at the aircraft,â said
Jeffrey Troy,
president of the Aviation Information Sharing and Analysis Center, a nonprofit industry organization focused on cybersecurity. âItâs very important to be looking at the whole ecosystem and identifying key points where a digital system, if it were to malfunction, could cause a bad day for a lot of people.â
The Air Force operates more than 5,300 planesâincluding converted airliners such as the Boeing 747, the model used as Air Force One when carrying the president. The service has used internal teams to probe its systems and look for potential weaknesses adversaries could exploit. Mr. Roper said he wants the Air Force to look with more urgency for cybersecurity weaknesses.
The Air Force sent 28 people to Defcon, the annual hacking convention, in Las Vegas this year to participate in its first-ever dedicated âhacking village,â where researchers could try to find vulnerabilities in aviation systems.
Photo:
U.S. Air Force
Stefan Savage,
a computer- science professor at the University of California San Diego, said it is important to have more outside scrutiny of aviation cybersecurity because manufacturers arenât always willing to own up to security problems, especially when fixing them would be costly.
âBeyond trusting Boeing, whoâs the backstop?â he said. Mr. Savage is on a team of researchers who assembled a test bed containing many of the systems found on a Boeing 737 to carry out security testing.
Handling the sensitive information such tests can highlight is tricky. The plane-testing component of a Department of Homeland Security effort, called the Avionics Cybersecurity Initiative, was cut short last year amid a disagreement with
Boeing
Co.
over the testing methodology and plans to publicly release some findings.
DHS said as part of that initiative it had acquired a used Boeing 757 airliner in 2016 and spent more than $10 million to identify potential cybersecurity vulnerabilities. Program administrators had planned to run 15 cybersecurity tests on the approximately 30-year-old jet. But the plane hasnât been touched in more than a year because of the disagreement over some of the programâs early findings.
The programâs manager,
Rob Hickey,
a former Air Force pilot, described some of the findings at a November 2017 aeronautics cybersecurity conference, saying testers were able to access some of the airplaneâs systems using radio frequency communications, according to a report in the trade publication Avionics International.
Boeing, which disputed some of the findings, felt blindsided by Mr. Hickeyâs disclosure, according to current and former DHS officials, and testing of the planeâs systems was put on hold. âWe had some disagreements about some of the specific tests. We had to work through those,â one official familiar with the program said. âThere were valid points on both sides.â
Mr. Hickey said in an emailed statement he hopes the DHS resumes the testing protocol that his team developed âfor the good of allâespecially the flying public.â
Boeing said it supports the reconstituted cybersecurity initiative and may participate at next yearâs Defcon conference. âWe need to bridge the gap between the hacking community and the industry,â an official said.
Write to Robert McMillan at Robert.Mcmillan@wsj.com and Dustin Volz at dustin.volz@wsj.com
Copyright Š2019 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
Gloss