The UN's civil aviation body will recommend creating a cybersecurity task force at a meeting next week in Canada, as new technologies introduced into aviation systems are increasing the risk of cyberattacks.
The International Civil Aviation Organization (ICAO) said a task force is needed due to an increasing reliance on interconnected IT systems with operating systems such as Microsoft Windows and Linux, and protocols such as IPv6 and Avionics Full Duplex Switched Ethernet (AFDX), according to a working paper.
"Currently cyber security is a relatively minor issue in civil aviation, but this is changing," the ICAO said. "Although the adoption of new technology is an ongoing activity in civil aviation, the current pace and extent of new information technologies is notably increasing the risk from cyber attacks."
Earlier this year, Cyprus-based researcher Andrei Costin showed at the Black Hat security conference major problems in ADS-B (automatic dependent surveillance broadcast), a next-generation protocol used by air traffic control systems to track aircraft positions.
Costin, who also gave his presentation at the Power of Community (POC2012) security conference last week in Seoul, described weaknesses in the ADS-B protocol, which has been adopted so far in Australia and in busy flying areas in the US. It allows for more precise aircraft tracking, which allows more planes to fly closer together in the sky, carrying more passengers and bringing in more revenue.
Costin showed how it was possible to tamper with ADS-B tracking data for planes in the sky and also make planes that aren't flying appear to be in the sky to air traffic controllers. The equipment needed for such an attack costs as little as $1,500. The weaknesses in ADS-B have been known for years, but Costin showed a practical attack.
"Basically, we kind of helped the ICAO understand that there's a real problem and a real risk in this," Costin said.
But while an ICAO cybersecurity task force would be good development, it won't mean a fix for the ADS-B protocol, Costin said. Fixing ADS-B will be difficult and could cost billions of dollars, he said, an effort that has no business incentive and wouldn't bring in new revenue.
"Nobody will fix ADS-B for the next 50 years for sure unless there is a big attack," Costin said.
The ICAO cited Costin's research as well as other vulnerabilities, such as jamming of GPS signals, and malicious incidents, as justification for a cyber security task force. In one example, the ICAO said three software engineers were accused of sabotaging code in June 2011 at a new airport terminal, allegedly because they didn't get a pay increase from a subcontractor.
Three days later, check-in services failed at the terminal, with 50 flights delayed. Cyberattacks could have "an effect analogous with the recent Icelandic volcanic ash problems, shutting down air travel across parts of Europe for several days. In that case estimated costs run into the billions of dollars or euros," the ICAO said.
ICAO's 12th Air Navigation Conference is scheduled to run from November 19-30 in Montreal.