Where the Rubber Hits the Road…or Tarmac

Jennifer A. Kurtz, MBA

Siri, the seemingly ubiquitous "intelligent personal assistant”, is a source for entertaining, albeit potentially horrific, anecdotes of drivers being urged to the edge of a cliff or to the far side of an airport ("run across the field as fast as you can" was the advice my sister received after being directed away from the terminal and rental car return).

Reliability issues with onboard communications systems become more disturbing, however, when vehicle doors can be unlocked, VINs and real-time traffic information (RTTI) accessed, gas gauge and speedometer readings modified, and emergency call information altered. BMW recently upgraded its ConnectedDrive software, embedded in more than two million vehicles, to correct security flaws in its central monitoring system and other driver convenience systems. BMW is not alone in failing to consider the vulnerability of its control systems to cyber hacks. Jaguar, Audi, Mercedes, and Ford have all experienced successful exploits against their vehicle systems.i The automotive industry is beginning to recognize the need to address the risks in the Internet of Things and has started to gather cybersecurity experts at national conferences like the Automotive Cyber Security Summits in Detroit (March/April 2015) and San Francisco (October 2015).

As drivers, we can choose to opt out of relying on potential vehicular attack surfaces like Connected Drive or OnStar. Some of us may decide that we do not want our speed and location communicated to others. As air passengers, however, we don't have that power. The General Accounting Office (GAO) issued a study in April 2015 that raises significant questions about the future reliability of US air transportation systems, especially as the FAA's transitions to its Next Generation Air Transportation System (NextGen). This system will be used to modernize the US air traffic control system, and would invest heavily in GPS and satellite technologies to accommodate the growth in air traffic demand (projected by the FAA to be about 2.2% per year through 2033).ii

Cyber security experts consulted by the GAO question the wisdom of sending flight information and commands from systems—designed as stand-alone components with point-to-point connectivity, so without embedded security mechanisms (like role-based access control)—over IP-based networks. Several suggested “the presence of personal smart phones and tablets in the cockpit increases the risk of a system being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems."iii

As a taxpayer, frequent flyer, and technology cynic, I question the FAA's rush to largely replace traditional radar with GPS-dependent NextGen for ensuring the safety of our airspace. One justification, of course, is that NextGen will reduce human error associated with air traffic control,iv although white-hat hackers, like Professor Todd Humphreys of the University of Texas/Austin, have shown the vulnerability of GPS signals to spoofing.v Such spoofing can compromise the control of unmanned aerial vehicles (UAVs or drones), as well as air and marine craft. On the other hand, the FAA's technology initiative could be expanded to include protections against trusted insider threat, for example, the kind of pilot misuse of instrumentation that led to the deaths of 150 Lufthansa passengers March 24, 2015, and perhaps similar crashes of other airlines.vi

Responsibility for cyber security oversight is fragmented at the FAA; this is reflected in its approach to securing our airspace. In its report, the GAO recommended "that the FAA: 1) assess developing a cybersecurity threat model, 2) include AVS as a full member of the [Cyber Security Steering] Committee, and 3) develop a plan to implement NIST revisions within OMB’s time frames."vii Although the FAA concurred with the first and third recommendations, it did not see the need for including the AVS—the FAA's Office of Safety (with responsibility for certifying interconnected systems on aircraft)—on the Cyber Security Steering Committee. This leaves a significant gap in coverage and subject matter expertise.

The GAO report cites FAA staff concerns that the FAA is taking a reactive approach to aviation control system safety, rather than a proactive one that applies the risk-based approach to information system development recommended by the National Institute for Standards and Technology (NIST).viii The risk-based methodology relies on a holistic assessment of an interconnected system's potential vulnerabilities and promotes the understanding about how changes in a subcomponent of that system, which could include the addition of ad hoc devices to the network system (via passenger internet connectivity), can cause cascading failures.

Regis University information assurance and cyber security graduate students use the NIST Risk Management Framework (SP 800-37)ix to learn the steps for performing a comprehensive, organizational risk and threat-modeling analysis. Our CIAS students understand that any system is only as reliable, secure, and assured as its weakest link. This is where the rubber meets the road or tarmac or any mission-critical infrastructure, transportation, communication, or business system.

Want to learn more about Regis University’s cybersecurity degree specialization? Call 877-820-0581 or request more information.

iMax Cooter (6 February 2015), "BMW ConnectedDrive flaw exposes 2 million cars to remote unlocking," SC Magazine. Retrieved from http://www.scmagazineuk.com/bmw-connecteddrive-flaw-exposes-2-million-cars-to-remote-unlocking/article/396868/
iiFAA Aerospace Forecast: Fiscal Years 2014–2034. Retrieved from https://www.faa.gov/data_research/aviation/aerospace_forecasts/
iiiGovernment Accountability Office (April 2015), "Air traffic control: FAA needs a more comprehensive approach to address cybersecurity as agency transitions to NextGen," GAO-15-370, p. 20. Retrieved from http://www.gao.gov/assets/670/669627.pdf
ivRethinking the FAA's 2013 policy change on recruiting air traffic controllers that ended partnerships with post-secondary FAA-approved training programs could also address that human error component. At least, that is one of the suggestions made by a group of 29 Congressional members in a 2014 letter to the FAA. See John Hilkevitch (27 May 2014), "House members demand FAA shed light on air-traffic controller hiring," Chicago Tribune. Retrieved from http://articles.chicagotribune.com/2014-05-27/news/chi-29-us-house-members-demand-faa-shed-light-on-airtraffic-controller-hiring-20140527_1_hiring-policy-controller-air-traffic
vCyrus Farivar (29 July 2013), "Professor fools $80M superyacht’s GPS receiver on the high seas," ARS Technica. Retrieved from http://arstechnica.com/security/2013/07/29/professor-spoofs-80m-superyachts-gps-receiver-on-the-high-seas/
viNicholas Kulish and Nicola Clark (18 April 2015), "Germanwings crash exposes history of denial on risk of pilot suicide," The New York Times. Retrieved from http://www.nytimes.com/2015/04/19/world/europe/germanwings-plane-crash-andreas-lubitz-lufthansa-pilot-suicide.html?r=0
viiGAO, p. 2.
viiiGAO, p. 16.
ixSee <http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf> to access the NIST Risk Management Framework.