Transportation and Security: Planes, Trains, Automobiles and Software Glitches

Spring has rained down on the aviation industry with a couple of rough storms. On the heels of multiple airlines having to delay nearly 800 flights due to an unidentified glitch in software from third-party vendor Aerodata, an initial investigation report on the crash of Ethiopian Airlines that left 50 people dead indicated that the anti-stalling software—not the pilots—might have caused the plane to go down, according to MIT Technology Review.

These recent software issues highlight the myriad ways in which our everyday lives are integrated with technology, even our everyday transportation. While the use of automation in new technologies offers efficiency and convenience, when planes, trains and automobiles go digital, software glitches and vulnerabilities pose concerning cybersecurity risks.

Consumers have adapted to the daily experiences of software issues in laptops and smartphones, but more and more, the transportation industry is mirroring those same glitches, yet with greater risks.

A Challenge of Access

The complexities of today’s digital world mandate that the transportation industry start thinking differently about software and security. What traditionally have been consumer-focused technology issues are now impacting major airlines, the auto industry, trucking—even traffic signals in smart cities.

“Autonomous vehicles are going in that direction, as they are beginning to realize that software changes the functionality or potential impact to safety or security,” said Deral Heiland, research lead and internet of things (IoT) expert at Rapid7.

More automation requires more review, yet it’s not uncommon for some industries to implement technology that hasn’t been thoroughly tested. Security comes down to process, which includes a process for software patches and upgrades and the ability to identify vulnerabilities so that organizations can take quick action.

“We need to define solid methods and methodologies in support of technology,” said Heiland. “When we think about autonomous cars and transportation as a whole, we need to have a process for when to patch, how to patch and how to identify vulnerabilities, but a lot of times it’s catch-as-catch-can in many industries.”

Increasingly, security researchers play a really big role in vulnerability disclosure. While attitudes about working with researchers have started to shift, the barrier to entry in the transportation industry is an obstacle. “It’s one thing to buy an IoT device and tinker with it, but to spend $70,000 to $80,000 on an autonomous car to then take it apart isn’t something that most people can afford to do,” said Heiland.

Even though researchers play a big role in a lot of industries, they are not able to be as hands-on in the aviation industry, in part because avionics systems are so complex.

“The millions of lines of code involved in avionics systems, if not regularly tested for vulnerabilities, can pose a severe security threat. That’s easier said than done when considering that the complexity of these systems often lowers the testability of software—leaving behind many vulnerabilities that could potentially be exploited,” wrote Nitha Rachel Suresh, cybersecurity consultant at Synopsys.

Yet, obstacles that prevent researchers from gaining access to technologies across the transportation industry make it all the more difficult to detect issues before they happen. During the life cycle of any given aircraft, autonomous car or connected fleet of trucks, there will be multiple phases of overhaul and updates. “Consequently, the associated software must also undergo changes. Unless this job is carried out with extreme caution, there is a great deal of potential for security bugs to creep into the software,” Suresh continued.

Where to Go Now?

It’s downright annoying to be stuck in traffic or an airport, but evidence suggests that software glitches and vulnerabilities can leave consumers stranded, trapped in a subway station or worse.

“How many times have we seen airline outages because of an issue in the ticketing systems? We are seeing the same problems in transportation that we have long seen with desktops,” said Heiland.

As adoption of IoT capabilities continues to grow, our world is becoming more interconnected, with more automation and software controlling data flow at a scale far greater than we are used to. The more these applications and devices communicate with each other, the greater the likelihood of breakdowns and failures.

The implications, however, become more concerning as technology pervades more than our desktops. There’s a distinct difference between not being able to enter data into a spreadsheet and the risk to human safety. If all else fails, we can follow the advice of Vatsal G. Thakkar, who in his editorial in The New York Times paid homage to the stick shift, praising the manual transmission as a fun alternative to risks in connected cars.

Security Boulevard
Kacy Zurkus

Kacy Zurkus is a cybersecurity and InfoSec freelance writer who has contributed to several publications including Medium, CSO Online, The Parallax, InfoSec Magazine and K12 Tech Decisions. She covers a variety of security and risk topics. She has also self-published a memoir, "Finding My Way Home: A Memoir about Life, Love, and Family" under the pseudonym "C.K. O'Neil." Zurkus has nearly 20 years of experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.