A year ago, security researcher Chris Roberts grabbed headlines for hacking an airplane.
More specifically, he hacked the plane's inflight entertainment system. Details did grow a little murky from there, with an FBI affidavit asserting that Roberts hacked a plane inflight, causing it to veer off course – a claim that plane manufacturer Boeing and aviation adamantly denied as humanly possible.
But questions of what is or what may be possible are exactly what spur increasing fear among the traveling public – some legitimate, some not – and attention from leadership within the transportation sector, tasked with managing the risk.
All modes of transportation are becoming more reliant on cyber-based functions, and as technology asserts itself, that will become more the case, said Mark Troutman, director at the Center for Infrastructure Protection and Homeland Security at George Mason University. He pointed to a proposal under development for a new system that can link trucks together under the control of one human driver.
"You and I would see four or five trucks tailgating each other, hooked together virtually," he said. "That's great, because you can have five tractor trailers that are controlled by one person. If I'm a business owner, it's perfect; immediate cost control. But think of the ability of an adversary to untether those."
"That's just one example," Troutman added. "There are others," covering the gamut of planes, trains and automobiles.
But in cybersecurity there is a fine line between rational threat analysis and fear mongering. Cybersecurity experts often say that criminals and enemy nation states have the ability to do cyber damage, but choose not to. For the former, the payoff is too uncertain and for the latter, the potential retaliation too staggering. As Troutman said, "I can spin a scenario of untethering a truck, but that would be complex to pull off and one would need to ask why anybody would bother to properly evaluate the nature of the threat."
That is a struggle for the aviation industry, which has been evolving toward much more interconnected systems by necessity, where data is shared between government and industry, which the Federal Aviation Administration in turn must regulate – from airlines as well as the aircraft manufacturers.
"As we are sharing information across technological systems, we're opening certainly more gateways into those systems, and we need to be very, very vigilant and thoughtful about who we provide access," said FAA Administrator Michael Huerta. He described a "very aggressive and multilayered approach to ensure that we do not have cyber disruptions in our national airspace system" – one which is undergoing a technological upgrade as we speak, via the Next Generation Air Transportation System, or NextGen. That system transforms air traffic control from a radar-based system with radio communication to a satellite-based one. NextGen is far more efficient. But some have questioned whether it is more vulnerable.
So then, can someone hack into an airplane? Huerta said that the FAA has seen no documented cases of an individual being able to hack into the core avionics systems.
"It's not just the companies and their operating systems. It's also the avionics systems in the aircraft themselves. We want to make sure that we have a very clear understanding of how those systems operate," he said. "It wasn't that long ago that all objectives in cyber were to keep the bad guys out. And I think we across industry generally have evolved to a different framework of thinking: let's assume they may get in. It's really a question of how do we respond to that."
Jill Aitoro is editor of Defense News. She is also executive editor of Sightline Media's Business-to-Government group, including Defense News, C4ISRNET, Federal Times and Fifth Domain. She brings over 15 years’ experience in editing and reporting on defense and federal programs, policy, procurement, and technology.