TYSONS, Va.—A team of government, industry and academic officials last year successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting, says a Department of Homeland Security (DHS) official.
“We got the airplane on the 19th of September 2016, two days later I was successful in accomplishing a remote, non-cooperative, penetration,” which “means I didn’t have anybody touching the airplane, I didn’t have an insider threat, I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft,” says Dr. Robert Hickey, the aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.
Hickey says the details of the hack and the work his team is doing are classified, but says they accessed the aircraft’s systems through radio frequency communications, adding that based on the RF configuration of most aircraft, “you can come to grips pretty quickly where we went” on the aircraft.
The aircraft that DHS is using for its tests is a legacy Boeing [BA] 757 commercial plane purchased by the S&T branch. He tells our sister publication Defense Daily, after his speech at the CyberSat Security in Aerospace conference hosted by our sister publication Via Satellite, that the testing is with the aircraft on the ground at the airport in Atlantic City.
The initial response from experts was, “‘We’ve known that for years,’” and “‘It’s not a big deal,’” Hickey says. But in March 2017, at a technical exchange meeting, he says, seven airline pilot captains from American Airlines and Delta Airlines who were in the room attending the event had no clue.
“All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible,’” Hickey says.
Hickey, who is a staff officer in the Office of the Director of National Intelligence on assignment to DHS S&T, says that while aviation is a subsector of the transportation component of the National Infrastructure Protection Plan, the current focus is squarely on traditional terrestrial-based systems.
The reservation and scheduling systems of airlines aren’t part of Hickey’s research, he says.
“I want to suggest to you that there’s a different type of critical infrastructure, and that’s critical infrastructure that’s in motion, of which aviation is one of the third of that,” Hickey says. The others are surface and maritime transportation, he says.
“And I look at all of those and say, ‘If we’re not looking at those from a different perspective, we’re going to miss the boat, no pun intended,’” Hickey says. He says he doesn’t know the answers yet for aircraft cyber infrastructure, adding that it’s not a policy issue yet because more research needs to be done on these systems to understand what the issues are.
Patching avionics subsystems on every aircraft when a vulnerability is discovered is cost-prohibitive, Hickey says. The cost to change one line of code on a piece of avionics equipment is $1 million and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737 aircraft, it would “bankrupt” them if a cyber vulnerability was specific to systems onboard 737s, he says, adding that other airlines that fly 737s would also see their earnings hurt.
Hickey says newer models of 737s and other aircraft, like Boeing’s 787 and the Airbus Group A350, have been designed with security in mind but that legacy aircraft, which make up more than 90 percent of the commercial planes in the sky, don’t have these protections.
Aircraft also represent different challenges for cyber security than traditional land-based networks, Hickey says. He says that whether it’s the Air Force or the commercial sector, there are no maintenance crews that can deal with ferreting out cyber threats aboard an aircraft.
“They don’t exist in the maintenance world,” Hickey says, noting that when he was in the Air Force he commanded a logistics group. Hickey was also an airline pilot for more than 20 years.
The chief information officers of airlines also “don’t know how to chase a cyber spark through an airplane either,” Hickey says. “Why? Because they have been dealing with, and they’re programmed to, and they do a great job of protecting the terrestrial-based networks. Airplanes are absolutely different. Crazy different.”
Trying to deal with airplane cyber security the same way it is approached for land-based networks “is going to leave us short of the mark,” Hickey says.
Hickey’s team for his work includes the Massachusetts Institute of Technology, the Department of Energy’s Pacific Northwest National Laboratory, the University of California San Diego, Sierra Nevada Corp., SRI International, and QED Secure Solutions. QED is led by Jonathan Butts, a retired Air Force officer who has done cyber vulnerability assessments of Minuteman III intercontinental ballistic missiles and B-52 bombers, Hickey says.
Two years ago a security researcher claimed to have hacked into a passenger aircraft through its in-flight entertainment system while he was traveling aboard the plane. However, there is no evidence he accessed flight control systems.