CIOs Get Involved In Efforts To Prevent Airplanes From Being Hacked

CIOs understand that IT systems open planes to cyberattacks
CIOs understand that IT systems open planes to cyberattacks
Image Credit: Shai Barzilay

As though airline CIOs didn’t have enough to worry about dealing with the importance of information technology, some people in the CIO job are now having to worry about IT systems that spend their time flying from city to city. CIOs for the major airlines have become aware that their company’s most expensive assets, their airplanes, may be vulnerable to hacking attacks. As airplanes have become more and more modern, the number of IT systems that they contain has been increasing. The result of this is that each airplane is almost as complex as a flying data center and it has as many vulnerabilities. This means that CIOs need to take steps to find ways to protect them.

The Problem With Planes

The key to solving the problem with planes becoming the targets of hacking attempts starts with awareness. The good news is that concerns that planes could be targeted in cyberattacks are prompting U.S. officials to re-energize efforts to identify airliners’ vulnerability to hacking. The revived program is led by the Department of Homeland Security and involves the Pentagon and the Transportation Department. This effort aims to identify cybersecurity risks in aviation and improve U.S. cyber resilience in a critical area of public infrastructure. The DHS is offering few details on the program but says it will involve some limited testing of actual aircraft.

Transportation and national- security officials along with the people in the airline CIO position remain concerned that aviation is a preferred target for terrorists and that cyberattacks could provide a new avenue to threaten planes and passengers. The new U.S. program is trying to ensure that hackers can’t exploit potential vulnerabilities in electronic systems of both new and old airliners. The scrutiny comes after cyberattacks that, in recent years, have attempted to disrupt such other internet-connected sectors as energy grids and electoral systems.

The U.S. Air Force separately plans to take a bigger role in examining the security of systems used in commercial aviation. Many of the same systems are also used by the military. The military realizes that if they don’t probe first, their adversaries will. The military feels that they have been a little complacent in not trying to attack all of the parts of the airplane. Cyberattacks against airlines have targeted weaknesses in information-technology systems rather than the aircraft themselves. As an example, British Airways is facing a $230 million fine in the U.K. after about a half-million passenger records were accessed during a 2018 cyberattack. Air Canada and Hong Kong’s Cathay Pacific have also reported data hacks last year.

Defending The Planes

What airline CIOs understand is that there are many risks in aviation beyond looking at the aircraft. They know that it’s very important to be looking at the whole ecosystem and identifying key points where a digital system, if it were to malfunction, could cause problems for a lot of people. The Air Force operates more than 5,300 planes—including converted airliners such as the Boeing 747, the model used as Air Force One when carrying the president. The service has used internal teams to probe its systems and look for potential weaknesses adversaries could exploit.

One of the most important things that CIOs realize is that it is important to have more outside scrutiny of aviation cybersecurity because manufacturers aren’t always willing to own up to security problems, especially when fixing them would be costly. Handling the sensitive information that tests can highlight is tricky. The plane-testing component of a Department of Homeland Security effort, called the Avionics Cybersecurity Initiative, was cut short last year amid a disagreement with Boeing Co. over the testing methodology and plans to publicly release some findings.

Examples like this show some of the difficulties that CIOs can encounter as they try to determine what vulnerabilities their planes may have. DHS said as part of that initiative it had acquired a used Boeing 757 airliner in 2016 and spent more than $10 million to identify potential cybersecurity vulnerabilities. Program administrators had planned to run 15 cybersecurity tests on the approximately 30-year-old jet. But the plane hasn’t been touched in more than a year because of the disagreement over some of the program’s early findings. Testers were able to access some of the airplane’s systems using radio frequency communications, according to a report.

What All Of This Means For You

Airline CIOs have a lot on their plates. With the impact on the industry caused by the Covid-19 pandemic, things got even tougher. However, it turns out that they have one major IT area that has not been getting the attention that it probably should be: the security of their planes. Modern planes are a jumble of IT systems and that means that they are targets for hackers. This is an area where CIOs need to spend some time securing their most valuable assets.

The Department of Homeland Security has become aware of the risk that planes are starting to poise. They have started a risk testing program. The focus of the program is on both old and new types of aircraft. Motivation comes from attacks against other sectors that have started to rely on the internet. The military is getting involved in the testing. Previous cyberattacks on airlines have focused on weaknesses in their IT systems. Airline CIOs understand that the entire air control system has to be examined for IT weaknesses. Outside scrutiny is required because the manufacturers of the aircraft may not be willing to admit when there are security issues with their products. When vulnerabilities are found, manufacturers may become defensive.

Airline CIOs need to take steps to prevent their planes from being hacked. It has not happened so far, but there is no reason that something like this couldn’t happen in the future. Airline CIOs know how to secure the company’s networks. Now all they have to do is to take this knowledge and apply it to aircraft. If they can do this, then flying will once again become a safe thing to do.

– Dr. Jim Anderson Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Do you think that airline CIOs should offer a reward to people who can hack their aircraft?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.
P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

CIOs need to watch over where the people who work at their company go to when they are using the internet at work. I’m pretty sure that we are all up on blocking the gambling, porn, and other inappropriate sites. However, it turns out that there is a new problem that we have to be aware of. The online ads that your workers willingly click on are more likely to make them a scam victim than the robocalls flooding their work phones with urgent messages. A new study found that scammers are far more likely to succeed in engaging and stealing money from potential targets by using websites and social media than through the phone calls and emails they have long used. What’s the person with the CIO job to do?