It has been reported that concerns that planes could be targeted in cyberattacks are prompting U.S. officials to re-energize efforts to identify airliners’ vulnerability to hacking. The revived program, led by the Department of Homeland Security and involving the Pentagon and Transportation Department, aims to identify cybersecurity risks in aviation and improve U.S. cyber resilience in a critical area of public infrastructure, a DHS official said. DHS is offering few details on the program but says it will involve some limited testing of actual aircraft.
This legislation is not only warranted, but practically a requirement if our institutions are to have a fighting chance against these types of cyber attacks. Mega-corporations with significant cyber security budgets struggle to address these threats effectively. How could a school or local municipality even begin to do what’s needed without this kind of assistance and guidance? They simply don’t have the resources.
The best part about this legislation is not just the aid in recovery if and when an attack does happen, but also the focus on mitigating these threats through proactive assessment and fortification of school and city technology infrastructures. With this could only come greater awareness and understanding of the threats we collectively face in organizations of every shape, size, and type.
Improving the cybersecurity of aviation and, indeed, all areas of critical infrastructure, is an admirable goal. However, a stopgap, after-the-fact effort to evaluate security will provide only temporary benefits. To effect real and lasting change in critical infrastructure cybersecurity, the organisations that create the software products that are used in critical infrastructure must themselves be infused with secure software development practices. This includes a software development life cycle that considers security at every stage as well as the use of more and better testing tools such as source code analysis, software composition analysis, and fuzz testing.
It’s important to understand that aviation cybersecurity isn’t just about the planes themselves. Each airline, airport and all the interconnected systems that support air travel are part of the overall attack surface for aviation.
The idea that an attacker could remotely control a plane makes a good headline, but there are much more likely compromises affecting supporting systems.
Aviation, like many industrial environments, is generally slower to change technology than your average commercial enterprise. That means that vulnerabilities are harder to address and the risk is likely to be present for a longer period of time.
There’s significant cooperation and shared technology between the military and commercial aviation, which means that addressing risks in one is likely to benefit the other.
The threat of cyberattacks against the aviation industry has raised concerns for a long time. Commercial airplanes often do not have the necessary cybersecurity protections in place, which leaves systems increasingly vulnerable to attack.
The airline industry needs to pay closer attention to the risk of cyberattacks to its systems. This revived program led by the Department of Homeland Security is an important step forward in securing such a critical area of public infrastructure. Taking this pre-emptive step will enable us to manage and mitigate vulnerabilities and security weaknesses.
Manufacturers that take aviation cybersecurity seriously and work with hardware vendors, information security experts and government officials to identify and mitigate vulnerabilities will be in the best position to ensure the security of all critical systems and customer data.