Airline industry girds for hackers

Worried that computer hackers attacking banks and media companies could easily shift targets, the airline industry is taking preemptive steps to ensure it doesn’t become the next victim.

Although the “hacking” of planes midair to bring them down is unlikely, many networks, including airline reservation systems and airport parking meters, could be vulnerable to cyberattacks, which could disrupt air travel, weaken travelers’ confidence and deal a major blow to a fragile economy.

“The aviator guys are getting together because they see what’s going on in every other sector,” said Paul Kurtz, chief strategy officer for computer security firm CyberPoint International. “It’s just a matter of time before the bad guys start wondering, ‘How do we start making money off attacking the aviation industry?’”

New technologies and tighter budgets have added to the complexity of safely transporting 2.6 billion air passengers a year worldwide. But officials at airlines, airports and aircraft makers believe they can develop enough safeguards to limit the effects of hackers.

Boeing Co., which by the nature of its business has always focused on aircraft safety and reliability, is now also stressing network and computer systems security. Worries about defects such as hydraulic leaks have been brought up alongside concerns that a miscreant could surreptitiously inject malicious commands somewhere in the 18 million lines of computer programming that help power its latest jet, the 787 Dreamliner.

“I know the media worries about the kid in seat 14B on his laptop hacking the flight controls,” Michael Sinnett, Boeing’s vice president of product development, said at an industry conference this summer. “I’m here to tell you that’s not going to happen. But the question is, ‘Do I have to worry about a guy inside my system for four years before the code even hits the streets?’”

Most of the code is written by Boeing contractors, and Boeing and aviation regulators test for errors. Even afterward, Boeing assumes programs will do something unexpected and prepares backup plans.

For pilots, large suitcases filled with instruction manuals have been reduced to laptops and, more recently, tablet computers. Weather updates and other flight-related information — once relayed via air traffic controllers or paper printouts — are increasingly beamed by Wi-Fi and the new NextGen air traffic control system directly into the cockpit.

Kurtz said protecting those links is relatively easy in the U.S.

“But somewhere in Asia or Africa, the updates and maintenance might not be as (buttoned-down),” he said.

Yet not all airports in the U.S. are ready to guarantee secure connections for airlines. LAX has been among the large airports at the forefront of strengthening defenses through education and monitoring.

But Dom Nessi, LAX’s chief information officer, said that the airport doesn’t offer airlines a dedicated connection because “we don’t think we can give them a secure service.”

Like other airports, LAX remains a juicy target for hackers. A phishing attack in late June and early July tried to deceive airport employees into opening fraudulent emails, Nessi said.

The airport’s cybersecurity investigators said the “highly targeted” emails encouraged users to download files that when opened could have given the remote attacker “complete control over the victim machine,” including the ability to monitor their Internet browsing and email.

The experts traced the attack to a foreign government, Nessi said. Phishing emails have led to several major cyberattacks, including one that led to a New York Times website outage for two days in August.

“Every day a new threat emerges, so you have to build an organization that evolves and evolves rapidly,” Nessi said.

The two Washington, D.C., area airports recently began rigorous testing of computer networks and teaching employees about protecting their computers from hackers, said Martha Woolson, information technology security manager for the Metropolitan Washington Airports Authority.

Woolson said a year and a half ago several employees fell for a phishing email designed to look like one sent by US Airways. During a recent wave of phishing, more than 30 airport workers came to her for advice when they received the email.

Woolson has gone as far as distributing magnets with a simple warning, “When at work, don’t go to any site that would embarrass your granny.”

Cybersecurity experts suggested that airlines and airports must expect that hackers eventually will shut down crucial systems. Having a strategy in place to quickly recover is essential, they said.

“Many airlines are worried about hackers but have no idea where to start,” said Joe Ayson, senior director for aviation cybersecurity firm AvIntel. “Our goal as a practice is to ensure there’s a constantly revised mitigation process in place that’s an actual living, breathing part of operations.”

He recounted the recent experience of an airline in Africa whose reservation system had been sputtering for six weeks. The airline didn’t realize it had been plagued by a computer virus. Ayson’s team found ways to keep the airline running despite the issues.

Peter Andres, vice president of corporate security for Deutsche Lufthansa AG, said being a “sexy” industry heightens the challenges.

“There are so many people who love to play with simulators, who listen to controls, who really study this stuff,” Andres said. “But that of course gives more transparency and tools to people who have malicious intent.”

Airlines, airports and aircraft makers see themselves at a crossroads. The sooner they can show that computer-related threats have been minimized, the more likely the industry won’t face additional government regulation.

“It’s the kind of homework that’s been long overdue,” Andres said.

About the only regulation desired by the industry is legislation protecting airlines from liability and lawsuits if they share information about “hacks” with one another and the government.

To be sure, airlines run the risk of overreacting about the risks of technology. Boeing’s Sinnett compared cybersecurity with lightning. Every plane is struck by lightning once a year, he said. But Boeing doesn’t expect a plane to get hit by a dozen shocks at once.

“You account for it as much as you can and reduce its impact,” Sinnett said. “It’s not perfect physics, but it’s a black art.”
