It’s called NextGen, and if not properly protected, the system designed to make aviation safer, may present the most dangerous risk to the national airspace system and even the nation itself, particularly if attacked by an insider threat.
NextGen is the ongoing transformation of the Federal Aviation Administration’s complex air traffic control, radar, navigation and weather-prediction systems, from stand-alone equipment, to highly integrated and interdependent computers and digital networks (Elias, 2015). NextGen, the umbrella term for the long-awaited upgrade to the air traffic control system that many have been waiting for, comes with it’s own unique set of challenges, mostly related to cyber-security, and if a 2015 GAO report is to be believed, the FAA is already behind the curve.
Most travelers know that commercial aircraft are mostly on autopilot, with the pilots actually taking control during take-off, landing, turbulence or emergencies. Aircraft systems today are computerized and networked, and when a pilot pulls back on the stick, or pushes forward, he or she is more or less making a suggestion to the computer about what the pilot wants to do. In-flight navigational and communication systems are also tied together creating, in effect, a little on-board networked environment. So far, that environment has been safe from hackers, unless someone was actually on board and could somehow tie into it.
In 2015, security researcher Chris Roberts was removed from a United flight after tweeting a joke about hacking the plane’s inflight entertainment system. While Boeing, the maker of the aircraft Roberts was on, and aircraft experts explained that it would not have been possible to affect the navigational computer or flight controls by way of the in-flight entertainment system, it did raise many questions. First, could the aircraft actually be hacked from in flight, and second, what’s going to happen when the industry completely integrates NextGen into the nation’s air traffic control system? What was once a stand-alone network (the airplane) will be connected to a complex weather, communications and navigational system that ties computers, air traffic control facilities and aircraft from all over the country, together.
Author Dana Haynes played out a nightmare scenario in his novel, Crashers (St. Martins, 2010), where an insider threat tampers with an aircraft on-board computer system that causes the aircraft to crash. But in his book, the insider threat needed tremendous knowledge and insight into the workings the aircraft systems, and a high level of physical access to the aircraft. Imagine the nightmare scenario if someone could take over the controls, or at the very least, start sending erroneous data to pilots and aircraft navigation systems, all by logging in from their home computer.
In the fear-driven solutions that were proposed immediately after 9/11, some proposed a system be put into place on commercial aircraft so that if hijacked, it could be taken over from the ground and flown safely to an airport. The idea was mostly academic at the time, but NextGen may make it possible, which opens up the real possibility of someone on the ground, hijacking an aircraft if they can penetrate the network and work their way to the aircraft’s navigation or flight-control system.
With NextGen, radar will be replaced with a system called, Automatic-Dependent-Surveillance-Broadcast (ADS-B), which is a gigantic version of marco polo. Each aircraft must be equipped with a GPS transmitter and a receiver unit. The transmitter will continuously transmit the aircraft’s position information, while receiving the transmissions from other aircraft to form a picture of air traffic on a scope in the flight deck. Air traffic controllers will eventually replace their radar systems with ADS-B monitoring systems that receive the transmissions from properly equipped aircraft.
Other NextGen improvements such as DataComm, will allow more external access to the aircraft, and integrated weather reporting systems will provide more accurate weather information. While the industry has needed such upgrades to make flying safer and more efficient, NextGen cannot be implemented without a huge nod to protecting the networks from cyber attack.
In 2015, the GAO released a report that said while the FAA has taken some steps to protect its ATC system from cyber-based threats, significant security weaknesses remain that threaten the FAA’s ability to ensure the safe and uninterrupted operation of the national airspace system (GAO, 2015). Further, the GAO noted that as modern aircraft are increasingly connected to the Internet, which can potentially provide unauthorized remote access to the aircraft avionics system, the FAA’s Office of Safety, which certifies interconnected systems, must be a part of the FAA’s Cyber Security Steering Committee – it presently is not. The FAA is also falling short of meeting NIST standards requiring modeling to identify potential threats to information systems, and they have not adopted changes to NIST security controls to align with standards for intrusion detection systems.
Even if the FAA fixes the problems noted in the GAO report, which will likely reduce the possibility of an outsider accessing the network, the threat posed by an insider threat increases ten-fold. Above the NIST standards, the FAA should continue to work towards insider threat detection systems that can warn authorities, managers and supervisors of unauthorized activity that may be a set-up to a much larger threat.
NextGen is too important to aviation safety to stick with old ways of doing things, but as we move forward with the implementation of technologies to make our skies safer, we must remember that the threats will change. As a new technology makes one thing possible, others are quickly looking to exploit it for their own possibly destructive purposes. And as networks are better protected from external threats, terrorists and criminals will move to get insider access. The message to industry: don’t just worry about protecting the front and back doors, keep an eye on what’s going on inside the system as well.
Elias, B. (2015, June 18). Federation of American Scientists (United States, Congressional Research Service). Retrieved January 3, 2016, from https://www.fas.org/sgp/crs/homesec/IN10296.pdf
GAO. (2015, April 14). Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen. Retrieved February 3, 2016, from http://www.gao.gov/products/GAO-15-370
Subscribe to the Proofpoint Blog