Last month, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) decided to end the Aviation Cyber Initiative’s (ACI) computer vulnerability testing of a Boeing 757-200 at the Federal Aviation Administration (FAA) William J. Hughes Technical Center in Atlantic City, Avionics International and sister publication, Defense Daily, have learned.
DHS’ Science and Technology (S&T) division had acquired the aircraft in 2016, and the FAA accepted the plane at its Atlantic City center in September of that year.
CISA did not respond when asked to comment on why the agency had decided to end the cyber vulnerability testing of the 757-200 and whether there are any agency plans to conduct cyber vulnerability testing on other aircraft.
CISA said that the overall ACI effort continues, however.
“CISA and its partners at the FAA and the Department of Defense remain engaged in the Aviation Cyber Initiative, which is working to reduce cybersecurity risk and increase resilience in the aviation ecosystem,” Scott McConnell, a CISA spokesman, wrote in an email. “This includes expanding its Community of Interest to include additional public and private sector partners, forming new working groups to assess and mitigate various aspects of the aviation ecosystem, and implementing cybersecurity training at airports across the country in the near future.”
One government source said that “broader resilience efforts equal what CISA normally does, which is community engagement. That means nothing will get done, but a bunch of talking.”
The DHS Science and Technology (S&T) Directorate’s budget request for fiscal year 2021 has no funding for aviation cyber security, as opposed to $2.5 million appropriated by Congress last year and nearly $4.8 million appropriated in fiscal 2019. The ACI effort used to be managed by S&T before it was transferred to CISA.
The decline in spending on the ACI effort coincides with a steep drop in cyber security research and development spending by S&T over the past two years. In FY ’19, S&T spent $71.3 million on cyber security research. In FY ’20, that amount fell to $29.5 million, and in FY ’21 the directorate is seeking $24.1 million for cyber research.
An industry source said that there are likely a “myriad of reasons” for the DHS decision to end the ACI testing of the 757-200, including a “lack of interest, lack of a sponsor within DHS, and lack of money.” The source said that DHS/CISA officials likely did not want to sponsor the ongoing testing of the 757-200, given the software problems that Boeing [BA] has had with the grounded 737 MAX airliner.
Whatever the case, it was likely that any future DHS cyber vulnerability testing of airliners would have to involve significant avionics upgrades to the 757-200 or testing a more modern, next-generation airliner. DHS reported in April 2017 that it bought the 757-200 to adhere to budget constraints and save costs, as the airliner had reached the end of its service life and was equipped with some older technologies not widely in service. Long-term testing of the 757-200 would require the newer technologies widely in service, the department said at the time.
In November 2017, Defense Daily reported that the ground testing of the 757-200 in Atlantic City in a non-laboratory environment had shown that remote hacking of commercial airliners was possible.
DHS later fired Robert Hickey, the program manager of the testing effort, in a dispute with Boeing and the agency over the public release of the testing findings. According to documents obtained by Motherboard through a Freedom of Information Act request, the Pacific Northwest National Laboratory was involved in the testing effort and was responsible for attempting to hack the 757-200’s Wi-Fi and In-Flight Entertainment (IFE) systems, while the Massachusetts Institute of Technology’s Lincoln Labs was responsible for the external radio frequency (RF) attack vector.
In June of 2018, DHS S&T and CISA “decided to pause the Boeing 757 assessment segment of the ACI to review and validate requirements,” CISA said in October last year. “In January 2019, both agencies determined to resume planning for future assessments. The assessments on this aircraft is only one small part of the broader ACI strategy.”
The end of the 757-200 cyber vulnerability testing program comes as the airline and business aircraft industry absorb losses due to the COVID-19 pandemic. Airline passenger revenues this year look to be $252 billion less than last year, according to the International Air Transport Association, and more than 8,500 passenger aircraft have been placed into storage so far, about one-third of the global passenger fleet.
On the business aviation front, Bombardier Aviation has suspended aircraft production, and Textron Aviation [TXT] announced the upcoming furloughs of thousands of workers, while General Electric [GE] Aviation is cutting 10 percent of its workers, furloughing half of its repair personnel for three months, and shifting some production to needed medical equipment, such as ventilators, to combat COVID-19, according to the National Business Aviation Association.
Calvin Biesecker contributed reporting for this article.