Critical infrastructures and SCADA systems are vulnerable to various forms of cyber attacks. A recent research by a cyber security researcher has revealed that the Internet is full of unprotected systems that can be exploited easily.
At the national level, critical infrastructure protection in India is urgently needed. Indian government is trying its level best to spread cyber security awareness in India. Even cyber security awareness brochures in India have been mooted by Indian government. In the past as well India government has directed that telecom equipments must be certified by TEC in India before use.
Further, Indian government has also decided that a national critical information infrastructure protection centre (NCIPC) of India would be established. However, the NCIIPC of India has failed to materialise as on date.
Cyber security of Indian satellites and critical infrastructure, including airlines, is need of the hour. A crisis management plan (CMP) for preventing cyber attacks on the power utilities in India is also needed.
A cyber security researcher, Hugo Teso, has recently shown that it is possible to take control of aircraft flight systems and communications using an Android smartphone and some customised attack code. He spent three years developing the code, buying second-hand commercial flight system software and hardware online and finding vulnerabilities within it.
The attack can take full control of flight systems and the pilot’s displays. The compromised aircraft could even be controlled using a smartphone’s accelerometer to vary its course and speed by moving the handset about. The setup can be used to modify approximately everything related to the navigation of the plane
Teso has found vulnerabilities in the Automatic Dependent Surveillance-Broadcast (ADS-B) system that updates ground controllers on an aircraft’s position. There is no security mechanisms adopted in the ADS-B system at all and it could be used to passively eavesdrop on an aircraft’s communications and also actively interrupt broadcasts or feed in misinformation.
Even the Aircraft Communications Addressing and Reporting System (ACARS) is vulnerable to cyber attacks that is the communication relay used between pilots and ground controllers. He demonstrated that it is possible to use ACARS to redirect an aircraft’s navigation systems to different map coordinates.
He maintains that the ACARS has no security at all. The airplane has no means to know if the messages it receives are valid or not. So they accept them and you can use them to upload data to the airplane that triggers these vulnerabilities.
Teso was also able to use flaws in ACARS to insert code into a virtual aircraft’s Flight Management System. By running the code between the aircraft’s computer unit and the pilot’s display he was able to take control of what the aircrew would be seeing in the cockpit and change the direction, altitude, and speed of the compromised craft.
Of course, a manual override of the automatic systems would make all this mere annoyance rather than vulnerability. The Federal Aviation Administration and the European Aviation Safety Administration have both been informed and they are claimed to be working on fixing the issue.
We are not sure how much airplanes operating in India are vulnerable to this cyber attacks. But we must take precautions in this regard and check the planes for cyber threats and vulnerabilities.