Incident: Vulnerability in Small Aircraft Networked Systems Allows for Hacking

Published Date: 2019-07-30

Postmortem Analysis
Timeline:
1. The software failure incident happened in July 2019.

System:
1. Small aircraft networked communications systems
2. CAN bus system
3. Electronic messages transmitted across a small plane’s network

Responsible Organization:
1. The software failure incident was caused by a security vulnerability discovered by the cybersecurity firm Rapid7, as reported to the federal government [87859].

Impacted Organization:
1. Small plane owners and operators [87859]

Software Causes:
1. Vulnerability of modern flight systems to hacking by anyone who gains unauthorized physical access to the aircraft [87859]

Non-software Causes:
1. Lack of physical security measures to restrict unauthorized access to small planes [87859]
2. Vulnerabilities in networked communications systems used in aircraft [87859]
3. Inadequate cybersecurity policies and frameworks in the aviation industry [87859]

Impacts:
1. The software failure incident in small planes could potentially allow attackers to manipulate engine readings, compass data, altitude, and other critical measurements, providing false information to the pilot, posing a significant safety risk [87859].
2. The vulnerability in the CAN bus system, which functions as a small plane's central nervous system, could enable attackers to hijack instrument readings or even take control of the aircraft, highlighting a serious security concern [87859].
3. The incident raised concerns about the need to improve security in networked operating systems in aviation to prevent potential cyber attacks that could disrupt aircraft systems [87859].
4. The Federal Aviation Administration emphasized the importance of remaining vigilant about physical and cybersecurity aircraft procedures in light of the reported vulnerability, indicating a need for enhanced security measures [87859].

Preventions:
1. Implementing stricter physical security measures to prevent unauthorized access to the aircraft, as recommended by the Department of Homeland Security [87859].
2. Developing safeguards to address vulnerabilities in the aircraft's networked communication systems, similar to steps taken by the auto industry to address similar concerns [87859].
3. Enhancing security in networked operating systems of aircraft to prevent potential exploitation of vulnerabilities [87859].
4. Manufacturers reviewing how they implement open electronics systems like the CAN bus to limit a hacker's ability to perform attacks, as recommended by the DHS alert [87859].

Fixes:
1. Implementing safeguards to restrict unauthorized physical access to aircraft until the industry develops specific safeguards to address the vulnerability [87859].
2. Manufacturers reviewing how they implement open electronics systems like the CAN bus to limit a hacker's ability to perform attacks [87859].
3. Enhancing physical and cybersecurity aircraft procedures to prevent unauthorized access and potential exploitation of vulnerabilities [87859].

References:
1. Boston-based cybersecurity company (Rapid7) [Article 87859]
2. Department of Homeland Security (DHS) [Article 87859]
3. Aviation Information Sharing and Analysis Center [Article 87859]
4. Federal Aviation Administration (FAA) [Article 87859]
5. U.S. Department of Transportation's inspector general [Article 87859]
6. UN's body for aviation [Article 87859]
7. Pete Cooper, ex-Royal Air Force fast jet pilot and cyber operations officer [Article 87859]
8. Chris King, cybersecurity expert [Article 87859]
9. Beau Woods, cyber safety innovation fellow with the Atlantic Council [Article 87859]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | multiple_organization | (a) The software failure incident related to vulnerabilities in networked communications systems affecting small aircraft systems has not been reported to have happened again at the same organization or with its products and services [87859]. (b) The article mentions that the auto industry has already taken steps to address similar concerns after researchers exposed vulnerabilities in cars, indicating that similar incidents have occurred in the automotive industry [87859].
Phase (Design/Operation) | design, operation | (a) The article discusses a software failure incident related to the design phase. The vulnerability in small planes' modern flight systems was discovered by a cybersecurity company based in Boston and reported to the federal government. The cybersecurity firm, Rapid7, found that an attacker could potentially disrupt electronic messages transmitted across a small plane’s network by manipulating engine readings, compass data, altitude, and other readings to provide false measurements to the pilot. This vulnerability was due to the design of the aircraft systems, which are increasingly reliant on networked communications systems [87859]. (b) The article also mentions a software failure incident related to the operation phase. The DHS alert recommends that plane owners ensure they restrict unauthorized physical access to their aircraft until safeguards are developed to address the vulnerability. The vulnerability could be exploited by someone gaining access to a plane or bypassing airport security, emphasizing the importance of physical security controls mandated by law to prevent such attacks. The Federal Aviation Administration stated that while a scenario with unrestricted physical access is unlikely, the incident serves as a reminder to remain vigilant about physical and cybersecurity aircraft procedures, highlighting the operational aspect of preventing unauthorized access [87859].
Boundary (Internal/External) | within_system, outside_system | (a) within_system: The software failure incident reported in the articles is primarily within the system. The vulnerability in the small planes' networked communications systems, specifically the CAN bus, was discovered by the cybersecurity firm Rapid7 [87859]. The flaw allowed for potential manipulation of engine readings, compass data, altitude, and other readings, which could provide false measurements to the pilot. This vulnerability was identified as originating from within the system of the small aircraft, highlighting an internal software failure issue. (b) outside_system: The software failure incident also involves contributing factors that originate from outside the system. The vulnerability was discovered by a Boston-based cybersecurity company and reported to the federal government, indicating an external source identifying the flaw [87859]. Additionally, the Department of Homeland Security independently confirmed the security flaw with outside partners and a national research laboratory, emphasizing the involvement of external entities in recognizing the software vulnerability.
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident related to non-human actions in the articles is the vulnerability in small planes' modern flight systems that could be exploited by hackers if they gain physical access to the aircraft. The vulnerability was discovered by a cybersecurity company and reported to the federal government. The DHS alert highlighted that an attacker could potentially disrupt electronic messages transmitted across a small plane’s network by manipulating engine readings, compass data, altitude, and other readings to provide false measurements to the pilot. This vulnerability was not introduced by human actions but rather existed as a flaw in the system that could be exploited by external parties [87859]. (b) The software failure incident related to human actions in the articles involves the need to improve security in networked operating systems and physical security controls mandated by law to prevent potential hacks. The vulnerability disclosed by Rapid7 emphasized that an attacker could exploit the vulnerability with access to a plane or by bypassing airport security, indicating that human actions such as bypassing physical security controls could lead to system disruption. The article also mentions the importance of remaining vigilant about physical and cybersecurity aircraft procedures to prevent unauthorized access and potential disruptions caused by human actions [87859].
Dimension (Hardware/Software) | hardware, software | (a) The software failure incident occurring due to hardware: The software failure incident reported in the article is related to a vulnerability in small planes' modern flight systems that could be exploited by gaining physical access to the aircraft. The vulnerability allows an attacker to disrupt electronic messages transmitted across the plane's network by attaching a small device to its wiring, affecting critical aircraft systems like engine readings, compass data, altitude, and other measurements [87859]. (b) The software failure incident occurring due to software: The software failure incident reported in the article is primarily due to contributing factors originating in software. The vulnerability in small planes' networked communications systems, specifically the CAN bus, allows attackers to manipulate data and potentially take control of the aircraft. The software vulnerability was discovered by a cybersecurity company and reported to the federal government, highlighting the need for manufacturers to review how they implement these open electronics systems to limit hackers' ability to exploit such vulnerabilities [87859].
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident reported in the articles is malicious in nature. The Department of Homeland Security issued a security alert warning that modern flight systems in small planes are vulnerable to hacking if someone gains physical access to the aircraft. The vulnerability was discovered by a cybersecurity company and could allow an attacker to disrupt electronic messages transmitted across a small plane's network, manipulate engine readings, compass data, altitude, and other readings to provide false measurements to the pilot, and potentially take control of the plane [87859]. The alert emphasizes the need for physical security controls to prevent unauthorized access that could lead to malicious exploitation of the vulnerability [87859].
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The software failure incident related to the vulnerability in small aircraft systems to hacking was primarily due to poor decisions made in the design and implementation of the networked communications systems. The vulnerability was discovered by a cybersecurity company and reported to the federal government, indicating that the initial design did not adequately consider potential security risks [87859]. Additionally, the article mentions that the CAN bus system, which functions as the central nervous system of small planes, was completely insecure and not designed to operate in an adversarial environment, highlighting a lack of foresight in ensuring the security of critical systems [87859]. (b) On the other hand, the software failure incident can also be attributed to accidental decisions or unintended consequences. The article mentions that the vulnerability was discovered by a cybersecurity company and reported to the federal government, indicating that the potential for hacking was not a deliberate choice but rather an unintended consequence of the system design [87859]. Furthermore, the article highlights that the auto industry had already taken steps to address similar concerns after vulnerabilities were exposed, suggesting that the aviation industry may have unintentionally overlooked the security implications of networked communications systems [87859].
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident related to development incompetence is evident in the article as it discusses how a cybersecurity firm, Rapid7, discovered a vulnerability in small aircraft systems that could be exploited by attackers. The report highlights that the CAN bus system used in small planes is insecure and was not designed to operate in an adversarial environment, indicating a lack of professional competence in ensuring the security of these systems [87859]. (b) The software failure incident related to accidental factors is also present in the article. The vulnerability in small aircraft systems was not intentionally created but was discovered accidentally by the cybersecurity firm, Rapid7, during their research efforts. The article mentions that the vulnerability disclosure report was the result of nearly two years of work by Rapid7, indicating that the discovery was accidental rather than intentional [87859].
Duration | temporary | The software failure incident reported in the articles is more likely to be categorized as a temporary failure. This is because the vulnerability in the small planes' networked communications systems, specifically the CAN bus, was identified by the cybersecurity firm Rapid7 and reported to the federal government [87859]. The incident was not a permanent failure but rather a temporary one that could be addressed through the development of safeguards to mitigate the security flaw.
Behaviour | omission, value, other | (a) crash: The software failure incident in the article does not involve a crash where the system loses state and does not perform any of its intended functions [87859]. (b) omission: The vulnerability in the software could potentially lead to omission of performing intended functions, such as manipulating engine readings, compass data, altitude, and other readings to provide false measurements to the pilot [87859]. (c) timing: The software failure incident is not related to timing issues where the system performs its intended functions correctly but too late or too early [87859]. (d) value: The vulnerability in the software could lead to the system performing its intended functions incorrectly, such as providing false measurements to the pilot by manipulating various readings [87859]. (e) byzantine: The software failure incident does not involve the system behaving erroneously with inconsistent responses and interactions [87859]. (f) other: The software failure incident involves a potential security flaw where an attacker could disrupt electronic messages transmitted across a small plane's network, affecting aircraft systems [87859].

IoT System Layer

Layer | Option | Rationale
Perception | sensor, network_communication, embedded_software | (a) sensor: The software failure incident related to the vulnerability in small planes' flight systems was due to the potential manipulation of engine readings, compass data, altitude, and other readings that could provide false measurements to the pilot. This manipulation could occur by disrupting electronic messages transmitted across the plane's network, potentially through attaching a small device to the wiring [87859]. (b) actuator: The articles did not specifically mention any failure related to actuator errors. (c) processing_unit: The vulnerability in the small planes' flight systems was not directly attributed to processing errors but rather to the potential manipulation of data transmitted across the network. (d) network_communication: The software failure incident was primarily related to vulnerabilities in networked communications systems within small planes. The attack vector involved disrupting electronic messages transmitted across the plane's network, which could lead to false measurements being provided to the pilot [87859]. (e) embedded_software: The vulnerability in the small planes' flight systems was related to the exploitation of open electronics systems known as the CAN bus, which functions as the central nervous system of the plane. Targeting the CAN bus could allow an attacker to hijack instrument readings or even take control of the plane. The CAN bus system was highlighted as completely insecure and lacking validation mechanisms to ensure the legitimacy of incoming commands [87859].
Communication | link_level | [87859] The software failure incident reported in the article is related to the communication layer of the cyber physical system that failed. The vulnerability identified by Rapid7 focused on the CAN bus system, which functions as a small plane's central nervous system. This system is vulnerable to attacks that could allow an attacker to manipulate engine readings, compass data, altitude, and other readings to provide false measurements to the pilot. The CAN bus system is a critical component of the aircraft's networked communications systems, and targeting it could potentially allow an attacker to hijack instrument readings or even take control of the plane. This indicates that the failure was at the link_level, involving factors introduced by the wired communication layer of the cyber physical system.
Application | TRUE | The software failure incident reported in the articles was related to the application layer of the cyber physical system. The vulnerability discovered by Rapid7 in small aircraft systems allowed for potential manipulation of engine readings, compass data, altitude, and other readings to provide false measurements to the pilot. This manipulation could occur by disrupting electronic messages transmitted across the small plane's network, which could be achieved by attaching a small device to the wiring of the aircraft [87859]. This type of manipulation aligns with the definition of a failure at the application layer, involving bugs, errors, and incorrect usage within the system.

Other Details

Category | Option | Rationale
Consequence | theoretical_consequence | (a) death: People lost their lives due to the software failure - There is no mention of people losing their lives due to the software failure incident reported in the articles [87859]. (b) harm: People were physically harmed due to the software failure - There is no mention of people being physically harmed due to the software failure incident reported in the articles [87859]. (c) basic: People's access to food or shelter was impacted because of the software failure - There is no mention of people's access to food or shelter being impacted due to the software failure incident reported in the articles [87859]. (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident reported in the articles [87859] did not mention any impact on people's material goods, money, or data. (e) delay: People had to postpone an activity due to the software failure - There is no mention of people having to postpone an activity due to the software failure incident reported in the articles [87859]. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident reported in the articles [87859] primarily focuses on the vulnerability of small planes to hacking due to software issues, but there is no specific mention of non-human entities being impacted. (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident reported in the articles [87859] highlights the potential consequences of a security flaw in small planes' systems, but there is no mention of any real observed consequences resulting from the specific incident discussed. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles [87859] discuss the potential consequences of a security flaw in small planes' systems, such as manipulating engine readings and other data, but there is no mention of these consequences actually occurring. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The articles [87859] do not mention any other specific consequences of the software failure incident beyond the potential vulnerabilities and risks discussed.
Domain | transportation | (a) The failed system in the article is related to the aviation industry, specifically affecting small planes and their electronic systems vulnerable to hacking [87859]. (h) The article mentions the need to improve security in networked operating systems in the aviation industry, highlighting the importance of physical and cybersecurity aircraft procedures [87859]. (l) The Department of Homeland Security issued a security alert regarding the vulnerability of small planes to hacking, emphasizing the importance of restricting unauthorized physical access to aircraft until safeguards are developed [87859].
