UN's civil aviation body recommends cybersecurity task force

The International Civil Aviation Organization says a task force is merited given new technologies in air traffic control systems

The U.N.'s civil aviation body will recommend creating a cybersecurity task force at a meeting next week in Canada, as new technologies introduced into aviation systems are increasing the risk of cyberattacks.

The International Civil Aviation Organization (ICAO) said a task force is needed due to an increasing reliance on interconnected IT systems with operating systems such as Microsoft Windows and Linux, and protocols such as IPv6 and Avionics Full Duplex Switched Ethernet (AFDX), according to a working paper.

"Currently cyber security is a relatively minor issue in civil aviation, but this is changing," the ICAO wrote. "Although the adoption of new technology is an ongoing activity in civil aviation, the current pace and extent of new information technologies is notably increasing the risk from cyber attacks."

Earlier this year, Cyprus-based researcher Andrei Costin showed at the Black Hat security conference major problems in ADS-B (automatic dependent surveillance broadcast), a next-generation protocol used by air traffic control systems to track aircraft positions.

Costin, who also gave his presentation at the Power of Community (POC2012) security conference on Friday in Seoul, described weaknesses in the ADS-B protocol, which has been adopted so far in Australia and in busy flying areas in the U.S. It allows for more precise aircraft tracking, which allows more planes to fly closer together in the sky, carrying more passengers and bringing in more revenue.

Costin showed how it was possible to tamper with ADS-B tracking data for planes in the sky and also make planes that aren't flying appear to be in the sky to air traffic controllers. The equipment needed for such an attack costs as little as US$1,500. The weaknesses in ADS-B have been known for years, but Costin showed on Friday a practical attack.

"Basically, we kind of helped them [the ICAO] understand that there's a real problem and a real risk in this," Costin said.

But while an ICAO cybersecurity task force would be good development, it won't mean a fix for the ADS-B protocol, Costin said. Fixing ADS-B will be difficult and could cost billions of dollars, he said, an effort that has no business incentive and wouldn't bring in new revenue.

"Nobody will do it [fix ADS-B] for the next 50 years for sure unless there is a big attack," Costin said.

The ICAO cited Costin's research as well as other vulnerabilities, such as jamming of GPS signals, and malicious incidents, as justification for a cyber security task force. In one example, the ICAO wrote three software engineers were accused of sabotaging code in June 2011 at a new airport terminal, allegedly because they didn't get a pay increase from a subcontractor.

Three days later, check-in services failed at the terminal, with 50 flights delayed. Cyberattacks could have "an effect analogous with the recent Icelandic volcanic ash problems, shutting down air travel across parts of Europe for several days. In that case estimated costs run into the billions of dollars or euros," the ICAO wrote.

ICAO's 12th Air Navigation Conference is scheduled to run from Nov. 19-30 in Montreal.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Tags International Civil Aviation Organizationsecurity

Comments

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

IT Compliance Solutions

Enforce compliance consistently and cost-effectively across your organization.

Latest Jobs
Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.