It turns out the FBI and the airlines frown on passengers hacking the onboard avionics networks on passenger jets. Who knew?
In case you missed it, security researcher Chris Roberts created a heap of trouble for himself last week when he tweeted while on a flight about whether he could access the aircraft’s avionics systems via an onboard network.
Roberts told media outlets that he meant no harm but was calling attention to an issue that he feels is being ignored by the aviation industry.
There is a raging debate about Roberts’ decision to publish his tweet and the extent of IT security issues on aircraft.
But wherever you stand on those questions, his action is shining a badly needed spotlight on the inadequacy of firewalls to protect modern applications.
Roberts’ airline incident occurred when a US government report was released indicating that some aircraft “have Wi-Fi passenger networks that use the same network as the avionics systems of the plane,” according to a Wired story on the report.
The Government Accountability Office’s report on aviation cyber-security for Congress says:
“Firewalls protect avionics systems located in the cockpit from intrusion by cabin-system users, such as passengers who use in-flight entertainment services onboard. Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented.”
This of course is deeply troubling but should be a surprise to no one in IT security.
Firewalls fail. Time and again. Spectacularly.
In every major data breach of note in the past couple of years, firewalls failed to keep out attackers. Target, Sony, Home Depot, Anthem and countless other data breaches happened because a rigid, perimeter-based security architecture based solely on firewalls is obsolete.
What’s so maddening is that it does not have to be this way. Cryptographic segmentation of sensitive networked applications is easily deployable today. I know of thousands of instances where crypto-segmentation is in production deployment in enterprises, protecting sensitive applications even when firewalls fail. A recent Trend Advisor white paper we published gives details on the approach.
Likewise, a recent Gartner report analyzing the cyber-attack on Sony strongly advises enterprises to improve application segmentation on internal networks. Forrester Research also has been advocating a “Zero Trust” model architecture for years, built on the assumption that attackers ultimately will find their way into an enterprise’s “trusted” zones.
Of course, there are a lot of vendors in the IT security market with a vested interest in maintaining the firewall status quo.
But I know many managers in enterprise info security and IT management feel great frustration when they are forced to deploy less-than-adequate security products. They face extremely expensive options such as “air gapping” or massive overbuilding of network architectures for better traffic segregation or for marginally improved filtering and inspection.
Yet these same IT and security managers are held accountable for the inevitable hack that breaches the firewalls.
Thankfully, the recent high-profile data breaches mean there is more attention being paid to IT security issues by C-suite decision-makers. Perhaps the GAO report and Roberts’ airline incident can further highlight the need to evolve the security architecture to catch up with modern applications and user behavior.
In any event, word comes that Roberts was denied boarding on a flight this weekend thanks to the continuing fallout of his Tweet. Roberts found another airline willing to bring him to San Francisco for the annual RSA conference on IT security, where he will deliver a presentation about the evolving risks of the modern IT environment.
Modernizing the enterprise security architecture to keep pace with new networked applications and their users is a serious issue that is only now starting to get the attention it deserves.
This week Certes Networks will demonstrate the new generation of its CryptoFlow Solutions at Booth S2816 (south hall) at RSA 2015.