The aviation industry is stepping up efforts to enlist coordinated international support in the battle against the threats posed to airlines and passengers by hackers and those seeking to exploit IT systems.
The security of commercial airlines and whether the systems crucial to fly planes are vulnerable to cyber attacks hit the headlines in April after a security researcher claimed he had been able to hack into flight controls via his under-seat entertainment unit.
Along with WiFi and electronics on board, airlines, airports and air traffic management companies are sharing more information than ever before to make flying more efficient and deal with increasing numbers of passengers.
But that provides more interfaces that can be exploited by attackers, aviation industry representatives said at the AVSEC World aviation security conference in Dublin on Monday. Those seeking to do mischief also know that attacking an airline will guarantee maximum impact, they said.
As part of initiatives to shore up the industry’s defences, a team has been put together by leading aviation industry associations to work on a declaration on cyber security to put to members of the United Nations’ aviation safety arm next year.
One of the issues being looked at, for example, is the security of the ADS-B system on aircraft, which sends information on a plane’s position. The data is unencrypted, which could make it susceptible to outside interference.
“Protecting our industry from cyber threats is hard, probably one of the hardest things we are facing because we do not know what we are facing or for what we have to prepare,” said Jeff Poole, director general of the Civil Air Navigation Services Organisation (CANSO), highlighting the swiftness with which the threat is changing.
Poole is part of the team coming up with recommendations that will be presented to the International Civil Aviation Organisation (ICAO) next September, when the UN body holds its regular triennial meeting.
It will then be up to ICAO member states whether to sign the declaration or not, though this would not impose any mandatory standards.
Jim Marriott, the ICAO’s deputy director aviation security and facilitation, said that signing a declaration would be a statement from member states that they are taking the issue seriously. States are also free to take action at a national level before then, he said.
“We can only go so far ourselves as an industry. States have an important role to play,” Poole said.
Aircraft manufacturers can also do their bit, said Tony Tyler, director general of the International Air Transport Association (IATA), particularly as they often have experience in the military sector.
Boeing’s director for aviation security, James Vasatka, told the conference that his company hires hackers to test the systems and software it puts on its planes.
“They [the hackers] are absolutely stunned at the quality we put in our software and products. It would be very difficult in today’s environment to disrupt that for the flight-critical systems,” he said.