Cyber risks inherent in NextGen transition, GAO warns
By Mark Pomerleau
Apr 27, 2015
The Federal Aviation Administration’s efforts to modernize the nation’s air traffic control systems really are like rebuilding a plane in mid-flight. And now the cybersecurity vulnerabilities inherent in the move to a connected airspace have been detailed in a report from the Government Accountability Office.
The FAA’s 40-year-old air traffic control system, Host, uses point-to-point, ground-based radar to connect each communication unit across the network. Under this system, computers and communication devices are connected by wires, passing information from point to point, which limits overall network connectivity.
To address the limits of a pre-Internet system, the FAA’s NextGen “call[s] for the new information systems to be networked together with IP technology into an overarching system of interoperating subsystems,” the GAO said. That means the new system would “allow any controller, anywhere, to see any plane in US airspace. In theory, this would enable one air traffic control center to take over for another with the flip of a switch,” wrote Sara Breselor for Wired.
This upgrade makes sense from a management, communications and modernization standpoint, but it also opens the FAA – and airline passengers – to unforeseen vulnerabilities. The legacy systems are difficult to access remotely given their limited connectivity, while the NextGen system is more easily compromised because it is connected to the Internet and is software-based, GAO warned. As with any software, it can be hacked into, and security experts consulted by GAO warned that “if one system connected to an IP network is compromised, damage can potentially spread to other systems on the network, continually expanding the parts of the system at risk.”
GAO found that the FAA has taken some steps toward mitigating future breaches but has remained deficient in overall efforts throughout the multiyear NextGen project.
Smartphone-toting passengers introduce an additional vulnerability to an IP-networked system. Mobile devices that connect to the Internet could be providing a gateway for hackers to gain access to FAA networks and avionics systems. “Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors,” GAO said. Malware or viruses picked up from websites visited by passengers on their mobile devices in flight or attached to emails can compromise the entire system, according to a cybersecurity expert cited by GAO.
Not everyone agrees that the cyber threat to passenger air travel is imminent, however.
“While it’s true that firewalls could potentially be bypassed by those with ill intent, we have to remember that aircraft systems are built with safety in mind. These systems, which we deem life- or safety-critical, have redundancies in place to lessen the chances of tragic outcomes should they be compromised,” said Jovi Umawing, malware intelligence analyst for Malwarebytes Labs. “As the GAO report does not clearly elaborate if this new threat via cabin Wi-Fi takes into account such systems, we can't know for sure if an attack like this would be successful.”
Similarly, former director of the National Security Agency Keith Alexander acknowledged that there are “vulnerabilities in all the platforms” that are widely used. But “[t]he airline industry and others, the car industry and all these, are working these problems significantly,” Alexander said in an address at the American Enterprise Institute. He went even further, suggesting, “I think that they’ve separated the operational system from the Wi-Fi.”
Greater connectivity allows for more efficient communication, but the vulnerabilities that come with it must be mitigated. That is not to say that legacy systems are inefficient, but they were built exclusively for specific tasks. GAO offered three recommendations to mitigate cybersecurity threats to NextGen systems:
- Assess the potential cost and timetable for developing an agencywide threat model and the resources required to maintain it.
- Incorporate the Office of Safety into FAA’s agencywide approach by including it on the Cybersecurity Steering Committee.
- Develop a plan to fund and implement the latest revisions to NIST security control guidance within OMB’s timeframes.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.