Did security expert Chris Roberts of Denver actually HACK INTO AND STEER AN AIRCRAFT from the inflight entertainment panel at his seat, as reported first by Wired?
Probably not. I did meet him at a conference of cybersecurity experts, and he appeared to know his stuff. But it almost doesn’t matter, because the lesson we take away is the same either way. Here’s what I do know:
- I’ve seen ethical white-hat hackers (the good guys) penetrate mission-critical corporate networks through the unlikeliest of devices, including photocopiers, vending machines, surveillance cameras, thermostats and industrial control systems.
- In most of these cases, the breached organization vehemently (and incorrectly) asserts that these devices were not connected to its “real” network. Further analysis shows that they were. Will the airlines claim the same?
- I’ve seen a driverless car hacked and started from a mobile phone.
- I’ve seen a pacemaker remotely accessed by a hacker and set to induce a deadly heart rate.
- I’ve seen home networks breached through a video game console, a baby monitor and a garage door opener.
Here’s ultimately what matters: If it’s networked, it’s hackable.
The minute you hook a device to a network (whether that be the internet, an internal intranet, a WiFi hotspot or any other network), it becomes hackable. Remote access is a wonderful tool of convenience and efficiency – it lets us work from other locations. But remote access also opens digital doors to criminals who want to steal from other locations. In other words, if the TV at your seat shares a network path with the pilot’s controls, it is a way in to the pilot’s controls.
Even if a security expert did execute the hack, we will likely never know for certain. But that doesn’t lessen our responsibility to learn from it and apply something to our businesses (steps that many airlines are currently reviewing themselves):
- Compartmentalize your network. Don’t connect non-critical systems (in-flight entertainment, guest WiFi, thermostats, networked appliances) to mission-critical systems and data (flight controls, customer information, employee records, sensitive intellectual property). Instead, host them on separate network segments, with a firewall between the segments that passes only the few flows a business need requires, and with separate credentials and access controls on each side. Then verify the separation: the breached organizations above all believed their devices were isolated until someone actually traced the connections.
- Implement user-level access. Only a very few authorized individuals should have access to the servers and computers that house your private information. Classify your data into Top Secret, Confidential, Internal and Public (if it’s good enough for James Bond, it’s good enough for you) and apply your user-level access settings to those classifications (e.g., only the people whose role requires Top Secret data get Top Secret access; access should follow need-to-know, not seniority).
- Firewall the bad guys out. A firewall configured to default deny blocks all traffic unless it is explicitly on a “white list” of legitimate sources and services allowed to reach your most valuable information. This closes most hackers’ back-door access, which is when they turn to social engineering to get in instead (another lesson for another time).
- Use communication encryption. Remote access that is not encrypted (hidden from illegitimate users by scrambling the message, for example over TLS or a VPN) is like broadcasting your bank account number over the radio – everyone else is listening. Note that encryption protects data in transit; it does nothing for a device that is already on the wrong network.
- Closely monitor for intrusions. No matter what steps you take, if your organization is being targeted, eventually you will be breached. Therefore, the greatest security is resiliency: detecting the intrusion (a human being has to be watching the monitoring system to do this, and denied connections across your segments are one of the first things worth watching), expelling the intruder before real damage is done and learning from and resolving your previous mistakes.
Finally, and most importantly, make sure that you train your humans on the proper use of the previous five steps! This is actually where most security fails, as the WEAKEST LINK IN CYBER SECURITY IS HUMAN ARROGANCE, IGNORANCE AND INACTION.
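To make the compartmentalize, default-deny and monitor steps above concrete, here is a small added example (my own illustration, not code from the original post or from any airline). It models three hypothetical segments, an allow-list of the only cross-segment flows that may pass, a default-deny decision for everything else, and a check over a constructed flow log for a host that is being refused at several different doors. The segment names, address ranges, allow-listed ports and log lines are all assumptions made for the example.

```python
# Added example (not from the original post): a zone-based, default-deny
# inter-segment policy applied to constructed flow records, plus a simple
# check for a host that keeps knocking on doors it was never allowed through.
# Segment names, address ranges, allow-listed flows and log lines are all
# assumptions made for illustration.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical segments. In a real deployment these are separate VLANs or
# physical networks with a firewall (or no link at all) between them.
ZONES = {
    "ife": ip_network("10.10.0.0/16"),       # in-flight entertainment / guest
    "corp": ip_network("10.20.0.0/16"),      # employee workstations and app servers
    "critical": ip_network("10.30.0.0/16"),  # control systems, customer records
}

# Allow-list of cross-segment flows: (src_zone, dst_zone) -> {(proto, dport)}.
# Anything not listed is denied. There is deliberately no entry for traffic
# originating in "ife": that segment gets no path out at all.
ALLOW = {
    ("corp", "critical"): {("tcp", 5432)},  # app servers to the database only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its segment; unclassified addresses are untrusted."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def decide(flow: Flow) -> str:
    """Default deny: only same-segment traffic and allow-listed flows pass."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "deny"
    if src_zone == dst_zone:
        return "allow"  # same segment; the segmentation firewall is not in the path
    if (flow.proto, flow.dport) in ALLOW.get((src_zone, dst_zone), set()):
        return "allow"
    return "deny"


# Constructed flow log, one record per line: "<timestamp> <src> <dst> <proto> <dport>".
SAMPLE_LOG = """\
2015-05-18T10:00:01Z 10.10.4.21 10.10.0.10 tcp 443
2015-05-18T10:00:02Z 10.20.3.7 10.30.1.5 tcp 5432
2015-05-18T10:00:03Z 10.10.4.21 10.30.1.5 tcp 22
2015-05-18T10:00:04Z 10.10.4.21 10.30.1.5 tcp 502
2015-05-18T10:00:05Z 10.10.4.21 10.20.3.7 tcp 445
2015-05-18T10:00:06Z 10.20.3.7 10.30.1.5 tcp 22
2015-05-18T10:00:07Z 192.168.9.9 10.30.1.5 tcp 5432
"""


def parse_log(text: str) -> list[Flow]:
    """Parse the whitespace-separated records above; blank lines and # comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto, int(dport)))
    return flows


def evaluate(text: str) -> list[tuple[Flow, str]]:
    """Run every logged flow through the policy and keep the verdict beside it."""
    return [(flow, decide(flow)) for flow in parse_log(text)]


def find_probers(results, threshold: int = 3) -> dict[str, int]:
    """Sources denied against at least `threshold` distinct (dst, port) targets.

    A single denied packet is noise; one host being refused at several
    different doors across segments is the thing a human should look at.
    """
    targets = defaultdict(set)
    for flow, verdict in results:
        if verdict == "deny":
            targets[flow.src].add((flow.dst, flow.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    results = evaluate(SAMPLE_LOG)
    for flow, verdict in results:
        print(f"{verdict:5} {zone_of(flow.src):8} -> {zone_of(flow.dst):8} "
              f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
    print("needs a human to look:", find_probers(results))
```

Two design points worth noticing. The allow-list is written in terms of segments and services, not individual hosts, so adding a seat-back unit or a thermostat to the guest segment never widens what can reach the critical segment. And the monitoring function does not look for a known attack signature; it just counts how many different refused destinations one source has accumulated, which is exactly the pattern a device "that was never connected to the real network" produces when someone starts exploring from it.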
Right now, you have a chance to keep a hacker from changing the course of your vessel, be it airplane or corporation. If you don’t have the personal know-how or internal resources to get it done right, hire the right team to do it for you.
John Sileo speaks internationally on cyber security and identity defense. He specializes in making security engaging, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Book him for your next conference on 800.258.8076.