Airliners fly in face of cyber attack scares

Nov 03, 2010 by Adrian Addison
Air traffic controllers monitor flights at Hong Kong's international airport. Almost five billion passengers were transported by airplane in 2009, but experts are concerned that a computer attack on aviation control systems could wreak havoc with the finely-tuned network.

Around the world, around the clock, circles of flickering screens keep aircraft apart in the air, ease them gently down to the ground and guide their precious human cargoes off the runway.

This finely choreographed global ballet of speeding metal, fuel and flesh moved almost five billion passengers in 2009, according to data from Airports Council International.

But what if all those screens went blank?

Inside the hot and stuffy glass bulb of the Hong Kong control tower, a dozen staff watch the dots on their computers transform into planes rapidly descending from a clear blue sky.

A few floors below, more staff sit at screens in a room with no windows and keep digital tabs on all of the city's airspace, from the tip of the tower to far out over the South China Sea.

Computers everywhere.

Radar. Navigation and systems. Radio communications.

All work together to bring hurtling aircraft to the point where the black rubber lips of the airbridge kiss the doors and weary passengers can safely shuffle off the plane and get on their way.

Then ground control systems cut in to turn the plane around and get fresh passengers in the air until, finally, it exits Hong Kong's airspace and registers as a blip on some far away controller's screen.

But computers are vulnerable to cyber attack -- and that worries the world's intelligence community.

The head of Interpol, Ronald K. Noble, issued a stark warning to the international police agency's first ever cyber-threat conference in Hong Kong in September.

"We have been lucky so far that terrorists did not -- at least successfully or at least of which we are aware -- launch cyberattacks," he told 300 of the world's top law enforcement officials from 56 countries.

"One may wonder if this is a matter of style. Terrorists may prefer the mass media coverage of destroyed commuter trains, buildings brought down.

"But until when?"

Chart showing the world's busiest international airports including Hong Kong's Chek Lap Kok

Within weeks of Noble addressing the conference, news broke of the world's first 'cyber superweapon' which was said to be targeting Iran's nuclear facilities as well as infrastructure systems in China.

The Stuxnet worm could break into computers that control machinery at the heart of industry, allowing an attacker to assume control of critical systems like pumps, motors, alarms and valves.

It could, technically, make factory boilers explode, destroy gas pipelines or even cause a nuclear plant to malfunction.

A worm is piece of malicious software (malware) which copies itself and sends itself on to other computers in a network, usually without the computers' operators even knowing it is there.

But at Hong Kong's Chek Lap Kok airport, nobody seems particularly worried.

Carl Modder is the senior man on deck in a control tower that handles a take-off or landing every minute of the day.

"Our system runs on rails really," Modder told AFP. "And we have multiple layers of contingency procedures and fall-back systems that can cut in when required to minimise risk of failure to the air traffic control system.

"For instance, we have four separate radar systems. They can all work independently. If one were to go down the others would still work.

"Plus," he says, gesturing to the controller in charge of the runway used for landing. "The human element is also very much part of the system.

"The final decision to allow an aircraft to take-off or land is taken by a human, not a computer."

He waves a hand out over the vast state-of-the-art facility built on flattened islands and land reclaimed from the sea as yet another plane gently touches down, brakes and exits the runway.

"We even have a back up control tower," he smiles. "We often have drills where we simulate an evacuation from the main tower and 'use the spare'. We have to be prepared to the best of our ability for any eventuality."

And Ir Leung Ping-keung, the man in charge of the airport's 50 technical systems, is certain that there is no risk from cyber attack.

"It is a closed system," he told AFP. "There is no connection between our systems and the Internet nor is there USB access."

Yet computer security experts are not convinced.

Air traffic controllers monitor flight traffic in the control tower of Hong Kong international airport. Staff watch screens in a room with no windows and keep digital tabs on all of the city's airspace, from the tip of the tower to far out over the South China Sea.

Alan Paller, director of research at US-based computer security organisation the SANS Institute, says there is a fundamental weakness in the "not connected to the Internet" argument.

The average cannot email or surf the web from the control systems, he explained.

"But when most managers say there is no connection to the Internet, they are unaware of maintenance connections," he told AFP.

"Behind the scenes there are almost always semi-direct connections through routers shared between the control system and business systems that can be exploited. Worms and attackers can find them easily."

In January 2003, he said, the Bank of America reported that its ATMs had been disabled by an Internet worm -- that was after the banks assured the world that their ATMs were 'not connected to the Internet'.

The most serious on the US military came from a tainted flash drive in 2008 inserted into a military laptop in the Middle East which released malicious code that spread undetected in classified and unclassified systems.

It established "what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," Deputy Defence Secretary William Lynn said in August.

But the threat is even greater now, Paller says.

"One of the most virulent new vectors is smartphones -- especially Android-based (the Google operating system) smartphones," he said.

"People plug them into their computers, even computers not connected to the Internet, not for data transfer but to recharge the battery -- not knowing that behind the scenes their phones have been infected and are a carrier between the Internet and the better protected networks."

But in the skies there is still, ultimately, a human in charge: the pilot.

Hong Kong airline Cathay Pacific trains their pilots to face all eventualities they can think of, including a sudden collapse in the air traffic control system.

Blank screens could cause massive disruption but not necessarily disaster.

"Pilots are still trained to fly visually," a Cathay spokesman told AFP. "We also have communications with our aircraft and can keep them informed with what is going on."

Explore further: Napster co-founder to invest in allergy research

add to favorites email to friend print save as pdf

Related Stories

World's first 'cyber superweapon' attacks China

Sep 30, 2010

A computer virus dubbed the world's "first cyber superweapon" by experts and which may have been designed to attack Iran's nuclear facilities has found a new target -- China.

Hackers breach US air traffic control computers

May 08, 2009

Hackers broke into US air traffic control computers on several occasions over the past few years and increased reliance on Web applications and commercial software has made networks more vulnerable, according ...

Audit: Air traffic systems vulnerable to attack

May 06, 2009

(AP) -- The nation's air traffic control systems are vulnerable to cyber attacks, and support systems have been breached in recent months allowing hackers access to personnel records and network servers, according to a new ...

Recommended for you

Napster co-founder to invest in allergy research

Dec 17, 2014

(AP)—Napster co-founder Sean Parker missed most of his final year in high school and has ended up in the emergency room countless times because of his deadly allergy to nuts, shellfish and other foods.

LA mayor plans 7,000 police body cameras in 2015

Dec 16, 2014

Mayor Eric Garcetti announced a plan Tuesday to equip 7,000 Los Angeles police officers with on-body cameras by next summer, making LA's police department the nation's largest law enforcement agency to move ...

Merriam-Webster names 'culture' word of the year

Dec 15, 2014

A nation, a workplace, an ethnicity, a passion, an outsized personality. The people who comprise these things, who fawn or rail against them, are behind Merriam-Webster's 2014 word of the year: culture.

In Curiosity Hacked, children learn to make, not buy

Dec 14, 2014

With her right hand, my 8-year-old daughter, Kalian, presses the red-hot soldering iron against the circuit board. With her left hand, she guides a thin, tin wire until it's pressing against both the circuit board and the ...

User comments : 3

Adjust slider to filter visible comments by rank

Display comments: newest first

gwrede
1 / 5 (1) Nov 03, 2010
Some ten years ago, I interviewed the head of the Nuclear Safety Authority of my home country. It turned out that their critical measuring and monitoring network was running Microsoft Windows! He became really quiet when I asked him how his office (and his own job!) would fare if the machines were down with virus while there was a nuclear fallout. Haven't checked since, but I sure hope they've upgraded to open systems.

Needless to say, this goes for thousands of other ultra-critical systems in our society.

Today, I'm getting increasingly uneasy as an airline passenger. The pilots don't have a real, physical steering stick anymore. Instead, they have a joystick plugged to some computer. Sure, there are Redundant Systems (meaning many more computers doing the same task than are needed). But, if someone made a Stuxnet version for Airbus airliners or the Boeing fleet, then we'd be in real trouble. (Where's James Bond when we really need him??)
trekgeek1
not rated yet Nov 03, 2010
The pilots don't have a real, physical steering stick anymore. Instead, they have a joystick plugged to some computer. Sure, there are Redundant Systems (meaning many more computers doing the same task than are needed).


Yes, but mechanical linkages can fail also. A cable snapping between the rudder and control stick is just as likely. Many control systems use different control logic written in different programming languages and different computers and circuit boards from different manufacturers. It's unlikely a single attack could target all those different systems. I think we are better off with these systems even with their flaws. Google the paper "respect the unstable". It explains this concept.
gwrede
1 / 5 (1) Nov 22, 2010
Many control systems use different control logic written in different programming languages and different computers and circuit boards from different manufacturers.
Yes. Except, a majority of them rely on the same C-libraries under the hood. So that would be the best target.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.