Recently, a Colorado man named Chris Roberts was questioned by the FBI for allegedly hacking the in-flight entertainment system of a United Airlines plane and issuing a command to one of the aircraft engines. The command caused the plane to climb and tilt in one direction. Mr. Roberts claims to have hacked airplane systems for a number of years and was only caught this time because he tweeted about his attack on that flight.
For many in the general public, this shocking news represented a new battlefront in an ever-escalating cyber war. Unfortunately, for cybersecurity experts this attack was not a surprise, but rather another publicized case representing the vulnerability of today’s “connected” world.
From an airline industry perspective, this was an attack waiting to happen. For many years, pundits have raised alarms that vulnerabilities exist within airline systems. Despite their exhortations, the airline industry hasn’t done enough to mitigate them. In fact, responsibility for security remains unclaimed as airline manufacturers argue that their planes are secure, but become less secure with post-delivery modifications such as the addition of Wi-Fi.
There are two aspects to this story that require examination – timeliness and sufficiency of response. The airline industry was clearly aware that their systems were vulnerable. So, why does it take an allegedly successful hack before companies address the problem? As with many big industries, priorities and attention change slowly – even in light of mounting evidence that change is necessary and urgent. Thankfully, the Colorado man hacked the airplane to prove a point on security, not to cause harm and destruction.
It’s a race against time. The warning for industry – any industry – is not only that there are real and present vulnerabilities in control systems, but also that it must act quickly and sufficiently. Cyber attackers move at cyber speed, while industry tends to move at a slower pace, sometimes relying on outdated or not-fit-for-purpose safeguards that provide an operational pretense of safety. And if safety is at risk, then so are company brand and viability.
But in the end, safety is really the point, isn’t it? This is what was at stake for passengers and crew of United Airlines back in April. And, for industries like Power, Oil & Gas, and Manufacturing, that is what’s at stake for plant workers, people living in neighborhoods around the plant, and people using products or services provided by the plant.
What are your thoughts? Is your industry doing enough to address the cyber vulnerabilities that exist today?