Cyber security standards and best practices don’t appear to be widely adopted by airports, and given pervasive cyber threats, Congress should consider directing the adoption of these standards across the aviation industry, an airport executive told a House panel on Thursday.
Citing a 2015 survey, Michael Stephens, executive vice president for Information Technology and General Counsel at Tampa International Airport in Florida, said that only 34 percent of respondents “indicated that they had implemented a national cyber security standard or framework.” The survey was done by the Airport Cooperative Research Program, which is industry led and sponsored by the Federal Aviation Administration.
Rep. John Katko (R-N.Y.), chairman of the House Homeland Security Committee’s Subcommittee on Transportation and Protective Security, told Stephens the results of the survey are “frightening.” He raised concerns that a successful cyber attack against planes and trains could “weaponize” these systems.
In prepared remarks, Stephens said, “I believe that we are at a point in the growing threat environment where voluntary compliance is no longer adequate. I believe strong consideration should be given by Congress and by regulatory agencies such as the FAA and the Transportation Security Administration, which have primary responsibility for oversight and regulation of aviation operational safety and security respectively, to mandate the adoption and implementation of uniform minimum cyber security standards and frameworks.”
Jeffrey Troy, the executive director of the Aviation Information Sharing and Analysis Center, and Christopher Porter, chief intelligence strategist with the cyber security company FireEye [FEYE], agreed with Stephens. All three testified before a joint hearing of Katko’s subcommittee and the Subcommittee on Cybersecurity and Infrastructure Protection on cyber security threats facing the U.S. aviation sector.
A spokesman for the Association of American Airport Executives, which represents the interests of U.S. airports in Washington, D.C., told Defense Daily that the association hasn’t taken a “formal position” on the need for mandatory minimum cyber security standards for airports.
Rep. Bonnie Watson Coleman (D-N.J.), the ranking member on the Transportation and Protective Security panel, pointed out that while TSA requires airports and airlines to have security programs in place to protect against attacks, “TSA does not require those programs to include any cyber security measures.”
Rep. John Ratcliffe (R-Texas), chairman of the cyber security panel, in his opening remarks cited a 2016 study by the information solutions company SITA that showed 91 percent of airlines were “planning to invest in cyber programs over the next three years, up from only 41 percent in 2013.”
From time to time concerns have arisen over potential cyber security threats to commercial aircraft in flight. Last fall, an official with the Department of Homeland Security’s Science and Technology Directorate said that tests by the agency on a Boeing [BA] 757 passenger plane that the agency had purchased for testing purposes demonstrated that the aircraft could be remotely hacked. DHS fired the individual for discussing the test program publicly.
A DHS spokesman told Defense Daily last November that the comments about the S&T test program hacking efforts “lack important context, including an artificial testing environment and risk reduction measures already in place.” The spokesman added that “The aviation industry, including manufacturers and airlines, has invested heavily in cybersecurity and built robust testing and maintenance procedures to manage risks.”
Troy, in response to questions at the hearing, said that so far in all incidents where claims have been made that aircraft have been hacked, there has been no “credible threat” to any aircraft and that there hasn’t been an impact to flight safety. The Aviation ISAC facilitates the sharing of security information across the aviation sector.
Stephens mentioned that various navigational aids, including global positioning satellites and air traffic control systems, are a potential pathway for cyber attacks against aircraft. Troy noted that aircraft are designed with redundant safety mechanisms to ward off threats.
Porter said the greatest threats to the aviation industry are from espionage and reputational damage. He said that the aviation sector is “one of the most targeted for cyber attack.”
Since former U.S. President Barack Obama and his Chinese counterpart Xi Jinping in 2015 signed an agreement to refrain from using cyber espionage to steal industrial secrets from one another, Porter said China has abided by that as far as the commercial sector goes. But, he warned, “because aviation research and development is so closely tied to national defense, this particular sector of the American economy never stopped being targeted.”
The aviation sector’s reputation, and its businesses, suffer from various other threats such as cyber theft of airline tickets and customer data, and attacks against operational systems such as websites and reservation systems, Porter said.
Watson Coleman said that she is working with colleagues on a bill requiring TSA to direct airlines and airports to have “baseline” cyber security measures in place.
Porter, Troy and Stephens all agreed that improved information sharing will help mitigate cyber threats to the aviation sector, noting the need for the government to provide threat information on a timelier basis and with more context.