UN's civil aviation body recommends cybersecurity task force

The International Civil Aviation Organization says a task force is merited given new technologies in air traffic control systems

The U.N.'s civil aviation body will recommend creating a cybersecurity task force at a meeting next week in Canada, as new technologies introduced into aviation systems are increasing the risk of cyberattacks.

The International Civil Aviation Organization (ICAO) said a task force is needed due to an increasing reliance on interconnected IT systems with operating systems such as Microsoft Windows and Linux, and protocols such as IPv6 and Avionics Full Duplex Switched Ethernet (AFDX), according to a working paper.

"Currently cyber security is a relatively minor issue in civil aviation, but this is changing," the ICAO wrote. "Although the adoption of new technology is an ongoing activity in civil aviation, the current pace and extent of new information technologies is notably increasing the risk from cyber attacks."

Earlier this year, Cyprus-based researcher Andrei Costin showed at the Black Hat security conference major problems in ADS-B (automatic dependent surveillance broadcast), a next-generation protocol used by air traffic control systems to track aircraft positions.

Costin, who also gave his presentation at the Power of Community (POC2012) security conference on Friday in Seoul, described weaknesses in the ADS-B protocol, which has been adopted so far in Australia and in busy flying areas in the U.S. It allows for more precise aircraft tracking, which allows more planes to fly closer together in the sky, carrying more passengers and bringing in more revenue.

Costin showed how it was possible to tamper with ADS-B tracking data for planes in the sky and also make planes that aren't flying appear to be in the sky to air traffic controllers. The equipment needed for such an attack costs as little as US$1,500. The weaknesses in ADS-B have been known for years, but Costin showed on Friday a practical attack.

"Basically, we kind of helped them [the ICAO] understand that there's a real problem and a real risk in this," Costin said.

But while an ICAO cybersecurity task force would be good development, it won't mean a fix for the ADS-B protocol, Costin said. Fixing ADS-B will be difficult and could cost billions of dollars, he said, an effort that has no business incentive and wouldn't bring in new revenue.

"Nobody will do it [fix ADS-B] for the next 50 years for sure unless there is a big attack," Costin said.

The ICAO cited Costin's research as well as other vulnerabilities, such as jamming of GPS signals, and malicious incidents, as justification for a cyber security task force. In one example, the ICAO wrote three software engineers were accused of sabotaging code in June 2011 at a new airport terminal, allegedly because they didn't get a pay increase from a subcontractor.

Three days later, check-in services failed at the terminal, with 50 flights delayed. Cyberattacks could have "an effect analogous with the recent Icelandic volcanic ash problems, shutting down air travel across parts of Europe for several days. In that case estimated costs run into the billions of dollars or euros," the ICAO wrote.

ICAO's 12th Air Navigation Conference is scheduled to run from Nov. 19-30 in Montreal.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags International Civil Aviation Organizationsecurity

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place