Aircraft Are Highly Vulnerable to Cyber Attack: Ky

Europe's top aviation safety chief has warned that hackers could maliciously infiltrate an aircraft's critical systems.

Speaking to French aviation journalists on Thursday, Patrick Ky, executive director of the European Aviation Safety Agency, said a consultant hired by the Cologne-based agency managed to exploit vulnerabilities in the ACARS (Aircraft Communications Addressing and Reporting System) used to transmit messages between aircraft and ground stations.

Ky said it took the expert who was a professional pilot five minutes to crack ACARS and a couple of days to access the aircraft control system on the ground.

"For security reasons, I will not tell you how he did it, but I let you judge if the risk is high or low," Ky was quoted in the Les Echos article.

The article cites research conducted by the International Civil Aviation Organisation last year that reckoned that because aircraft navigation and other control systems are effectively separated from non-critical systems such as entertainment, that the risk of hacking critical systems was low.

Experts reject this and warn that because ACARS uses a proprietary encoding/decoding scheme that has been in use since 1978 -- when aircraft equipment was not designed with cybersecurity in mind -- it is vulnerable to attack.

Ky spoke of the need for protecting the next generation of air traffic management systems such as the Single European Sky ATM Research -- or SESAR -- programme which will rely heavily on satellite-based communications, navigation and surveillance systems.

"Tomorrow, with the introduction of SESAR and the possibility for the air traffic control to directly give instructions to the aircraft control system, this risk will be multiplied," Ky said. "We need to start by putting in place a structure for alerting airlines to cyber attacks."

The next major update of the SESAR deployment programme is due to be finalised by October 2016 and industry chiefs in charge of the rollout have acknowledged the importance of cyber security and are demanding that technologies will be vetted for cyber resilience through a new risk analysis process.