Transportation and Security: Planes, Trains, Automobiles and Software Glitches - Security Boulevard

Spring has rained down on the aviation industry with a couple of rough storms. On the heels of multiple airlines having to delay nearly 800 flights due to an unidentified glitch in software from third-party vendor Aerodata, an initial investigation report on the crash of Ethiopian Airlines that left 50 people dead indicated that the anti-stalling software—not the pilots—might have caused the plane to go down, according to MIT Technology Review.

These recent software issues highlight the myriad ways in which our everyday lives are integrated with technology, even our everyday transportation. While the use of automation in new technologies offers efficiency and convenience, when planes, trains and automobiles go digital, software glitches and vulnerabilities pose concerning cybersecurity risks.

Consumers have adapted to the daily experiences of software issues in laptops and smartphones, but more and more, the transportation industry is mirroring those same glitches, yet with greater risks.

A Challenge of Access

The complexities of today’s digital world mandate that the transportation industry start thinking differently about software and security. What traditionally have been consumer-focused technology issues are now impacting major airlines, the auto industry, trucking—even traffic signals in smart cities.

“Autonomous vehicles are going in that direction, as they are beginning to realize that software changes the functionality or potential impact to safety or security,” said Deral Heiland, research lead and internet of things (IoT) expert at Rapid7.

More automation requires more review, yet it’s not uncommon for some industries to implement technology that hasn’t been through good testing. Security comes down to process, which includes a process for software patches and upgrades and the ability to identify vulnerabilities so that organizations can take quick action.

“We need to define solid methods and methodologies in support of technology,” said Heiland. “When we think about autonomous cars and transportation as a whole, we need to have a process for when to patch, how to patch and how to identify vulnerabilities, but a lot of times it’s catch-as-catch-can in many industries.”

Increasingly, security researchers play a really big role in vulnerability disclosure. While attitudes about working with researchers have started to shift, the barrier to entry in the transportation industry is an obstacle. “It’s one thing to buy an IoT device and tinker with it, but to spend $70,000 to $80,000 on an autonomous car to then take it apart isn’t something that most people can afford to do,” said Heiland.

Even though researchers play a big role in a lot of industries, they are not able to be as hands-on in the aviation industry, in part because avionics systems are so complex.

“The millions of lines of code involved in avionics systems, if not regularly tested for vulnerabilities, can pose a severe security threat. That’s easier said than done when considering that the complexity of these systems often lowers the testability of software—leaving behind many vulnerabilities that could potentially be exploited,” wrote Nitha Rachel Suresh, cybersecurity consultant at Synopsys.

Yet, obstacles that prevent researchers from gaining access to technologies across the transportation industry make it all the more difficult to detect issues before they happen. During the life cycle of any given aircraft, autonomous car or connected fleet of trucks, there will be multiple phases of overhaul and updates. “Consequently, the associated software must also undergo changes. Unless this job is carried out with extreme caution, there is a great deal of potential for security bugs to creep in to the software,” Suresh continued.

Where to Go Now?

It’s downright annoying to be stuck in traffic or an airport, but evidence suggests that software glitches and vulnerabilities can leave consumers stranded, trapped in a subway station or worse.

“How many times have we seen airline outages because of an issue in the ticketing systems? We are seeing the same problems in transportation that we have long seen with desktops,” said Heiland.

As adoption of IoT capabilities continues to grow, our world is becoming more interconnected, with more automation and software controlling data flow at a scale far greater than we are used to. The more these applications and devices communicate with each other, the greater the likelihood of breakdowns and failures.

The implications, however, become more concerning as technology pervades more than our desktops. There’s a distinct difference between not being able to enter data into a spreadsheet and the risk to human safety. If all else fails, we can follow the advice of Vatsal G. Thakkar, who in his editorial in The New York Times paid homage to the stick shift, praising the manual transmission as a fun alternative to risks in connected cars.

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school teacher of English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she's also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
