At one point in 2014, there was some discussion that Malaysian Air flight MH 370 might have been hacked, but the jury remains out. There was some early speculation that there was a hack, perhaps something done by a passenger through the entertainment system. I dismiss that as implausible because the pilots would react to a change of course and altitude. Also, it stretches credibility to contemplate that such a spontaneous hack could also shut down ground communications and transponders, and also navigate a flight path that avoids radar detection. At least, not from an onboard hack. What was never considered was a ground-based hack. Given the sophistication of such a hack, it is conceivable that a state-sponsored organization could have designed and practiced such a hack, and then used MH 370 as a proof of concept. We will likely never know. However, the U.S. FAA has acknowledged such risks in its April 2015 GAO-15-370 report (wonder if the 370 is coincidental or tied to MH 370), and has initiated an effort to review inter-connectivity rules for certifying new aircraft systems. In counterpoint, the GAO report findings related to system interconnectivity were characterized by one critic (Dr. Phil Polstra) as something put together by people who don't understand how airplanes really work.
There is one other issue that gets you thinking that these systems cannot be connected. If you have used in-flight wifi...I frequently and frustratingly use GoGo...you find it is slow due to bandwidth constraints and bandwidth consumption, and continued connection is completely unreliable. Those would not be good features for flight systems. Some 1,500 commercial planes use GoGo, but JetBlue and Southwest use a different system than GoGo (ViaSat and Row 44, respectively), which provide higher wifi speeds and more reliable connectivity. Still, it is not likely that they are interconnected. Though, that does not mean the NextGen Avionics systems would not be.
Recently, I have started to engage with the automobile industry on similar issues. Automobile systems are clearly interconnected and IP accessible through a shared vehicle gateway. The ability to hack and take control of modern vehicles has been proven. So far, nobody has demonstrated the ability to target a specific vehicle without knowing its IP address, which is good news. But, some expect that it is only a matter of time. Imagine a remote Internet technical hijack of a major political figure's vehicle; kidnapping the children of a high-net-worth individual; or hijacking a truck with a high-value cargo. The design and operating principle is simple, but has been ignored...logical isolation between disparate systems, and both logical and physical isolation of command/control systems.
Lessons for the Commercial Enterprise:
1. As we develop new products and services, our applications will suffer from errors of omission and commission, resulting in vulnerabilities. As a recent example, a major financial services company released a change in a customer Web portal. A major banking customer wondered if it could change the bank name in the URL and get another bank's records. They found they could, and got into another bank's data. Alarming and embarrassing.
2. Vulnerabilities will be discovered, accidentally or by attackers...benevolent and malicious.
3. Vulnerabilities can lead to a security breach and exploitation.
4. Your Security Operations Center is the "Sin-Eater", and its capabilities (technological and human) are key to timely detection of such attacks, breaches, and exploits by developing an understanding of what normal activity looks like, and being able to identify anomalous activity.
5. "Aggressive Vigilance" (a phrase I have coined) is necessary to detect and interdict attacks in a timely manner, before an exploit advances further down the cyber kill chain. Interdiction is action taken by the SOC and network or computer operations to interrupt anomalous activity for investigation before allowing it to continue.
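The URL-tampering flaw in lesson 1 is an authorization error of omission: the portal trusted the bank name in the URL and never checked it against who was logged in. The following is an added example, not the author's code or the portal in question; it models that lookup in Python with constructed bank names, records and sessions, showing the vulnerable handler beside a hardened one that binds the URL's tenant to the authenticated session and records every mismatch for the SOC.

```python
"""Added example (not from the original post): tenant-scoped record lookup,
vulnerable and hardened. All banks, records, users and URLs are constructed."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample data: account records keyed by tenant (bank) name.
RECORDS = {
    "firstbank": ["acct-1001", "acct-1002"],
    "secondbank": ["acct-2001"],
}

# Audit trail of rejected requests; in a real system this feeds the SOC.
AUDIT = []


@dataclass(frozen=True)
class Session:
    """An authenticated session: who the user is and which bank they belong to."""
    user: str
    tenant: str


class Forbidden(Exception):
    """Raised when a request names a tenant the session is not authorized for."""


def parse_tenant(url: str) -> str:
    """Extract the bank name from a path of the form /banks/<bank>/records."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    if len(parts) != 3 or parts[0] != "banks" or parts[2] != "records":
        raise ValueError(f"unexpected path: {url}")
    return parts[1]


def records_vulnerable(session: Session, url: str) -> list:
    """Vulnerable handler: the tenant comes from the URL alone.

    The session is accepted as proof of login but never compared with the
    tenant in the path, so any logged-in user can read any bank's records
    simply by editing the URL. This is the flaw described in lesson 1.
    """
    return list(RECORDS.get(parse_tenant(url), []))


def records_hardened(session: Session, url: str) -> list:
    """Hardened handler: the tenant in the URL must match the session's tenant.

    A mismatch is refused and written to the audit trail; the refusal itself is
    a useful detection signal, since legitimate users rarely edit the path.
    """
    tenant = parse_tenant(url)
    if tenant != session.tenant:
        AUDIT.append(
            f"tenant mismatch user={session.user} "
            f"session_tenant={session.tenant} url_tenant={tenant}"
        )
        raise Forbidden(f"{session.user} is not authorized for {tenant}")
    return list(RECORDS.get(tenant, []))


if __name__ == "__main__":
    alice = Session(user="alice", tenant="firstbank")
    other = "https://portal.example/banks/secondbank/records"
    print("vulnerable:", records_vulnerable(alice, other))  # leaks secondbank
    try:
        records_hardened(alice, other)
    except Forbidden as exc:
        print("hardened:", exc)
    print("audit:", AUDIT)
```

The fix is deliberately small: the authorization decision is made against the server-side session, and the client-supplied value is only ever used after it has been shown to agree with it. The same pattern applies to any object identifier that appears in a URL or form field.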
For those who say that they could never do lesson 5 above, consider that your security will remain vulnerable if your determination to protect yourselves does not equal or exceed the determination of the threat actors to compromise you.
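Lessons 4 and 5 describe the SOC learning what normal looks like and then interdicting activity that departs from it. The following is an added example, not the author's code; it builds a per-user baseline (tenants accessed, peak requests per hour) from a set of constructed portal log lines, then triages new lines, marking the ones that fall outside the baseline as HOLD, the point at which interdiction would pause the activity for investigation. The log format, users, tenants and timestamps are all constructed for the example.

```python
"""Added example (not from the original post): baseline-and-interdict triage
over constructed portal log lines. Format, users and timestamps are invented."""
import re
from collections import Counter, defaultdict

# Constructed log format: ISO timestamp, user, tenant named in the URL, path, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) tenant=(?P<tenant>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def parse(line: str) -> dict:
    """Parse one log line into a dict; the hour key groups requests for rate checks."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line}")
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["hour"] = e["ts"][:13]  # e.g. 2015-05-01T09
    return e


class Baseline:
    """What normal looks like per user: tenants they touch and peak hourly volume."""

    def __init__(self):
        self.tenants = defaultdict(set)
        self.peak_per_hour = Counter()

    def learn(self, lines):
        per_hour = Counter()
        for line in lines:
            e = parse(line)
            self.tenants[e["user"]].add(e["tenant"])
            per_hour[(e["user"], e["hour"])] += 1
        for (user, _), n in per_hour.items():
            self.peak_per_hour[user] = max(self.peak_per_hour[user], n)
        return self


def triage(baseline: Baseline, lines, burst_factor: int = 2):
    """Return (line, verdict, reason) per new line.

    HOLD means interdict: interrupt the activity and hand it to an analyst.
    Three departures from baseline are checked, in order: an unknown user,
    a tenant the user has never accessed, and an hourly request count above
    burst_factor times the user's historical peak.
    """
    seen = Counter()
    verdicts = []
    for line in lines:
        e = parse(line)
        seen[(e["user"], e["hour"])] += 1
        if e["user"] not in baseline.tenants:
            verdicts.append((line, "HOLD", "no baseline for user"))
        elif e["tenant"] not in baseline.tenants[e["user"]]:
            verdicts.append((line, "HOLD", f"tenant {e['tenant']} never seen for {e['user']}"))
        elif seen[(e["user"], e["hour"])] > burst_factor * baseline.peak_per_hour[e["user"]]:
            verdicts.append((line, "HOLD", "hourly request rate exceeds baseline"))
        else:
            verdicts.append((line, "ALLOW", "within baseline"))
    return verdicts


# Constructed "normal" traffic: alice works in firstbank, bob in secondbank, at most 2/hour.
NORMAL = [
    "2015-05-01T09:01:00 user=alice tenant=firstbank path=/banks/firstbank/records status=200",
    "2015-05-01T09:20:00 user=alice tenant=firstbank path=/banks/firstbank/records status=200",
    "2015-05-01T10:05:00 user=alice tenant=firstbank path=/banks/firstbank/records status=200",
    "2015-05-01T09:10:00 user=bob tenant=secondbank path=/banks/secondbank/records status=200",
    "2015-05-01T09:40:00 user=bob tenant=secondbank path=/banks/secondbank/records status=200",
]

# Constructed new traffic: alice edits the URL to another bank, bob bursts, mallory is unknown.
NEW = [
    "2015-05-02T09:02:00 user=alice tenant=firstbank path=/banks/firstbank/records status=200",
    "2015-05-02T09:03:00 user=alice tenant=secondbank path=/banks/secondbank/records status=200",
] + [
    f"2015-05-02T11:0{i}:00 user=bob tenant=secondbank path=/banks/secondbank/records status=200"
    for i in range(5)
] + [
    "2015-05-02T11:06:00 user=mallory tenant=firstbank path=/banks/firstbank/records status=200",
]


def run_demo():
    """Learn the baseline from NORMAL and triage NEW; returns the verdict list."""
    return triage(Baseline().learn(NORMAL), NEW)


if __name__ == "__main__":
    for line, verdict, reason in run_demo():
        print(verdict, reason, "<-", line)
```

The thresholds here are crude on purpose; the point is the shape of the process: a baseline built from observed activity, a decision per event rather than a report at month end, and a HOLD verdict that stops the activity first and asks questions afterwards.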
Views by Brian Cummings