It took a while after the disappearance of flight MH370, and a series of harebrained conspiracy theories … a month in fact … before the need to tamper-proof avionics became a topic for discussion.
For example, Andy Pasztor and Jon Ostrower wrote a piece in The Wall Street Journal of April 7, 2014, with the title “Support Grows to Make Jets Tamper-Proof: Flight 370’s Disappearance Prompts Discussion of Measures to Prevent Midair Disruption of Plane’s Electrical Systems.” The article describes just how open to abuse and compromise the systems that control aircraft functions, and that let aircraft communicate with the outside world, turn out to be. It is scary to learn how exposed such critical flight-management and communications systems are to being locked out, accessed and abused, whether physically or logically.
In my March 24, 2014 BlogInfoSec column, “Another Big Lesson from Flight MH370,” I recommended adding strong authentication and access control management to critical aircraft software systems such as transponders. The issue is clearly much broader and deeper than transponders alone, as Pasztor and Ostrower describe in their article. A number of other systems, including ACARS (Aircraft Communications Addressing and Reporting System) and the voice and data recorders, also need stronger protection.
The WSJ article mostly focuses on physical tampering, and gives as an example the ease with which circuit breakers can be thrown, thereby locking out the communications systems. However, we must pay more attention to securing all safety-critical systems, particularly against malicious hackers. In my April 22, 2013 BlogInfoSec column, “Hacking Avionics Systems,” I refer to an April 10, 2013 blog post by Zeljka Zorz and Berislav Kucan, “Hacking airplanes with an Android phone.” That post describes how someone using an Android smartphone with particular apps might be able to take over the flight-management systems of aircraft … see http://www.net-security.org/secworld.php?id=14733 . The FAA, EASA, Honeywell and Rockwell Collins specifically questioned the feasibility of such a hack, as one would expect them to do … see http://www.net-security.org/secworld.php?id=14749 .
I have been preaching the need to build both safety and security into critical software-intensive systems, as have others, for quite some time. I feel so strongly about the subject that I invested more than a year in writing a book, “Engineering Safe and Secure Software Systems” (Artech House, 2012), which addresses the particular problem of ensuring that safety-critical and security-critical software-intensive systems are both safe and secure, especially when they are interconnected and combined into systems of systems. There is real urgency in assuring ourselves that, as we interconnect readily accessible information systems with safety-critical control systems, the resulting systems have adequate security measures built in to withstand nefarious and unintentional misuse, as well as damaging and destructive actions. I further suggest the use of tamper-proofing technologies to immunize computer systems against unauthorized changes.
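As an added illustration of the two controls named above (strong authentication and access control on a command path, and a tamper-proof record of changes to a critical system), here is a toy model in Python. It is an example added to this column, not code from the column, the WSJ article or any avionics vendor. The transponder, its command set, the roles (“flight_crew”, “maintenance”) and the shared keys are all hypothetical, and the keys are assumed to be provisioned out of band; per-principal sequence counters are assumed to survive power cycles. Note the practical caveat: a keyed hash over each command plus a hash-chained change log gives tamper-evidence and tamper-resistance, which is what engineers can actually deliver, rather than absolute tamper-proofing.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical roles and the commands each may issue (assumption: not a real
# transponder command set).
ROLE_COMMANDS = {
    "flight_crew": {"set_squawk", "set_mode"},
    "maintenance": {"set_squawk", "set_mode", "load_config"},
}
GENESIS = "0" * 64  # chain anchor for the first log entry


@dataclass
class Principal:
    name: str
    role: str
    key: bytes  # per-principal secret, assumed provisioned out of band


class AuthError(Exception):
    pass


def _canon(obj):
    """Deterministic byte encoding so signer and verifier hash the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_command(principal, seq, cmd, args):
    """Build a command carrying an HMAC-SHA256 tag over its canonical body."""
    body = {"who": principal.name, "seq": seq, "cmd": cmd, "args": args}
    tag = hmac.new(principal.key, _canon(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Transponder:
    """Toy control interface: authenticate, check replay, authorise, apply, log."""

    def __init__(self, principals):
        self.principals = {p.name: p for p in principals}
        self.last_seq = {p.name: 0 for p in principals}  # replay protection
        self.state = {"squawk": "1200", "mode": "C"}
        self.log = []  # (entry, entry_hash); each entry names its predecessor
        self._prev = GENESIS

    def _append_log(self, **fields):
        entry = dict(fields, prev=self._prev)
        entry_hash = hashlib.sha256(_canon(entry)).hexdigest()
        self.log.append((entry, entry_hash))
        self._prev = entry_hash

    def handle(self, msg):
        body, tag = msg["body"], msg["tag"]
        p = self.principals.get(body.get("who"))
        if p is None:
            self._append_log(event="rejected", reason="unknown_principal")
            raise AuthError("unknown principal")
        expected = hmac.new(p.key, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            self._append_log(event="rejected", reason="bad_tag", who=p.name)
            raise AuthError("authentication failed")
        if body["seq"] <= self.last_seq[p.name]:
            self._append_log(event="rejected", reason="replay", who=p.name, seq=body["seq"])
            raise AuthError("replayed or stale command")
        self.last_seq[p.name] = body["seq"]
        if body["cmd"] not in ROLE_COMMANDS[p.role]:
            self._append_log(event="rejected", reason="not_authorised", who=p.name, cmd=body["cmd"])
            raise AuthError("command not permitted for role %s" % p.role)
        self._apply(body["cmd"], body["args"])
        self._append_log(event="applied", who=p.name, seq=body["seq"], cmd=body["cmd"], args=body["args"])

    def _apply(self, cmd, args):
        if cmd == "set_squawk":
            self.state["squawk"] = args["code"]
        elif cmd == "set_mode":
            self.state["mode"] = args["mode"]
        elif cmd == "load_config":
            self.state["config"] = args["config"]


def verify_log(log):
    """Recompute the hash chain; False if any entry was altered, removed or reordered."""
    prev = GENESIS
    for entry, entry_hash in log:
        if entry.get("prev") != prev or hashlib.sha256(_canon(entry)).hexdigest() != entry_hash:
            return False
        prev = entry_hash
    return True


def run_demo():
    """Constructed scenario (hypothetical principals and keys); returns the outcomes."""
    crew = Principal("capt", "flight_crew", b"crew-secret-demo")
    tech = Principal("tech", "maintenance", b"maint-secret-demo")
    xpdr = Transponder([crew, tech])
    outcomes = {}
    good = sign_command(crew, 1, "set_squawk", {"code": "7700"})
    xpdr.handle(good)
    outcomes["squawk"] = xpdr.state["squawk"]
    forged = sign_command(tech, 1, "set_mode", {"mode": "S"})
    forged["body"]["args"]["mode"] = "A"  # altered after signing: tag no longer matches
    for label, msg in [("replay", good),
                       ("wrong_role", sign_command(crew, 2, "load_config", {"config": "x"})),
                       ("forged", forged)]:
        try:
            xpdr.handle(msg)
            outcomes[label] = "accepted"
        except AuthError:
            outcomes[label] = "rejected"
    outcomes["log_ok"] = verify_log(xpdr.log)
    xpdr.log[0][0]["event"] = "nothing_happened"  # rewrite history after the fact
    outcomes["log_ok_after_tamper"] = verify_log(xpdr.log)
    return outcomes
```

The design point is that every request to change the unit's state must carry proof of who sent it, must not be reusable, and is checked against what that role is allowed to do before anything is applied; every decision, including the rejections, lands in a log whose entries each commit to the previous one, so an attacker who later edits or deletes an entry breaks the chain. Real deployments would replace the shared secrets with per-unit keys in tamper-resistant hardware and anchor the log hash somewhere the attacker cannot reach.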
How many more catastrophes involving the control of aircraft, nuclear power plants, electricity grids, oil pipelines, and the other high-impact systems upon which we depend every day must we endure before action is taken to protect such systems from intentional attacks and accidental incidents? I’m glad that Pasztor and Ostrower have recognized the need to tamper-proof aircraft communications systems against unauthorized physical acts. That’s certainly important, and something that might well have mitigated or eliminated factors that led to the loss of flight MH370. However, we must extend this concern to critical software systems, determine how they might be protected from abuse, misuse and destruction, and implement such protective measures posthaste.
While the chances of someone hijacking flight-management systems might be considered by some to be low, the consequences of such an attack would be enormous. Therefore, we need to implement strong security measures to make sure that frightening scenarios such as a takeover of an aircraft’s controls stay within the realm of fiction.