Risking chaos in the sky

Higher tech makes flight ops more vulnerable.

The annual Black Hat conferences are highly technical information security expos that bring together thought leaders from all corners of the infosec world, from the corporate and government sectors to academic researchers and even underground hackers.

The obvious solution might be to cut the ATC system off so that hackers have no way to get in. Unfortunately, that seems impractical. According to Daniel Mehan, FAA’s assistant administrator for information services, it would be just too expensive to set up even an ATC system like today’s without connecting it to the outside world.

“It’s very, very hard to get at the air traffic system,” says Mehan. “But you will never develop a system that can’t have any intrusion ever.” NextGen makes the job all but impossible. Unfortunately, one critical decision may have made securing NextGen even harder than it needed to be.

Fuhrman cites one specific vulnerability—what he calls supply chain risk. “How do we make sure we can trust the security of aviation equipment procured from offshore manufacturers when we don’t have control of the facility or process?” he asks. The answer is simple. You can’t, especially if you choose suppliers with a history of cyberespionage.

Security insecurity

One critical feature of NextGen is the embedded graphics display systems, which are intended to improve pilot situational awareness in the cockpit. Early this year, ALT Software of Toronto ON won the contract to provide hardware design services and software drivers for the graphics processors to be used in these systems.

Much of the actual work will be carried out by the Chinese Aeronautical Radio Electronics Research Institute (CARERI). The institute specializes in R&D for avionics systems and core equipment. It operates a “center of excellence” in Shanghai known as the Critical Embedded Graphics Technology Lab. It is hard to overstate the security hazards posed by this arrangement.

In each of the large-scale hacking incidents uncovered in recent years—the intrusions into 1500 sensitive government and commercial sites announced by Canadian researchers last year, Operation Aurora, and 2 major events at the end of 2008 and beginning of 2009—China has been the prime suspect.

Allowing Chinese engineers to design any part of the NextGen system or to write software for it invites the inclusion of back doors and software “bombs” that could allow intruders to take over or disable the controls of an airplane or the ATC network. This is one case where saving money today could prove extraordinarily costly in the future.

Western security specialists have said for years that Beijing tolerates, and almost certainly sponsors, widespread hacking of commercial and government computer networks. In response, China has recently been trying to burnish its image. This February, the state-run Xinhua News Agency announced that 3 people had been arrested in Nov 2009 and accused of making hacking tools available online.

Distributing hacking software had been banned earlier in 2009. The authorities also closed down the group’s website, which had 12,000 subscribers and produced an estimated $1 million in income. Xinhua described the arrest as a major bust of computer hackers. A 2009 report released by the country’s National Computer Network Emergency Response Coordination Center claimed that hacking cost China the equivalent of $1.1 billion that year.

Nonetheless, security experts investigating the cyberattacks on Google and other corporations say that the assault originated at 2 schools in China. One is the Shanghai Jiaotong University, which operates one of China’s top computer science programs. (Not long ago, its students won an international programming competition called the “Battle of the Brains,” sponsored by IBM.)

The other is Lanxiang Vocational School. That institution was established with military support and supplies computer scientists for the People’s Army. Its computer network is operated by a company linked to Baidu, the Chinese equivalent of Google and a competitor of the original. Although there are doubters, some American analysts believe that the vocational school is being used to hide cyberspying by the Chinese government.

Chinese military officials have often stated that they consider cyberspace a critical battlefield for all future conflict. Allowing any part of the NextGen system to be designed or produced in China offers Beijing’s hackers an obvious chance to tamper with a critical part of US national infrastructure, and very likely with those of other countries that conform to the NextGen system.

It will be extremely difficult—if not impossible—to verify that China’s contribution to NextGen is free from security threats. Nonetheless, making the attempt should be an essential part of certifying NextGen for use. It is an attempt that should not have been necessary. There are other potential problems, too.

One is inherent in the kind of airplane it takes to use NextGen—highly automated, with a series of interlinked computer networks monitoring, and often operating, its flight control, communications, environmental, entertainment and other systems. Tomorrow’s aircraft will carry their own miniature Internets within them.

Exchanging data constantly with both other aircraft and ground control systems, they will almost inevitably be subject to the same kind of intrusion as any other computer network. The issue has already come up. FAA recently held up certification of the Boeing 747-8/8F because of concerns that the airliner’s highly computerized network could be hacked, compromising flight safety and perhaps giving intruders access to external networks as well.

Extreme scenarios

Picture flying along one day 10 or 15 years from now, comfortable in the knowledge that NextGen will keep you on course and properly separated from other aircraft. Suddenly, something unexpected happens.

Perhaps your aircraft veers off course, into the path of a nearby airplane. Maybe its engines just shut down. Conceivably, it pitches down, aiming toward a major office building, bridge or natural gas storage facility. And your flight controls no longer have any effect on the airplane. You and your colleague in the other seat will arrive at the scene of the accident first.

Your passengers will not be far behind. These are extreme scenarios, of course. Many network intruders might find it more effective just to crash the navigation system, leaving a sky full of airplanes suddenly guided by dead reckoning, with too few controllers on the ground to handle the snarl.

It wouldn’t be that difficult, according to the hackers gathered at the 2010 annual Black Hat convention in Virginia. One computer scientist showed the audience how to attack or jam the GPS signal that is central to NextGen. Either way, this is the kind of world aviation is flying into. It is utterly dependent on having all its high technology working as it was intended to, and it is impossible to guarantee that tomorrow’s skilled hackers will not bring the entire system crashing down—and perhaps some airplanes as well.

A well-tried safety net

The US has had a backup system for GPS and NextGen since 1942. This is the Loran-C network that guided 2 generations of aviators and mariners before GPS came along. It provides almost exactly the same location and timing information as GPS, but with a completely different infrastructure.

If GPS goes down, Loran could still be there to keep the nation’s airspace operating smoothly. Ironically, it is being shut down. Washington has decided that Loran is no longer needed in a world where GPS units are available in any Wal-Mart—and scrapping Loran will save an estimated $190 million over the next 5 years. Most of the network has already been mothballed. The last 5 Loran stations will be closed in June.

According to one estimate, it would cost about $100 million to replace the existing Loran-C system with a fully automated one. This is about half the cost of sending one new GPS satellite into space. It seems like cheap insurance against a potential disaster in American airspace, and there is a strong case for putting a modern Loran-C system into place immediately.

However, since it seems that the decision to ignore this high-tech life preserver is set in stone, we will be looking ahead to a Loranless, GPS-dependent future—and keeping our fingers crossed.

Marvin Cetron is a forecaster/futurist and president of Forecasting Intl. His study for the Pentagon, Terror 2000, written in 1994, offered an accurate prediction of the subsequent course of terrorism.

