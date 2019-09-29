By Robert McMillan and Dustin Volz

Persistent concerns that planes could be targeted in cyberattacks are prompting U.S. officials to re-energize efforts to identify airliners' vulnerability to hacking.

The revived program, led by the Department of Homeland Security and involving the Pentagon and Transportation Department, aims to identify cybersecurity risks in aviation and, more broadly, improve U.S. cyber resilience in a critical area of public infrastructure, a DHS official said. DHS is offering few details on the program but says it will involve some limited testing of actual aircraft.

Transportation and national-security officials remain concerned that aviation is a preferred target for terrorists and that cyberattacks could provide a new avenue to threaten planes and passengers.

The new U.S. program is trying to ensure that hackers can't exploit potential vulnerabilities in electronic systems of both new and old model airliners. The scrutiny comes in the wake of cyberattacks that, in recent years, have attempted to disrupt such critical internet-connected sectors as energy grids and electoral systems.

The U.S. Air Force separately plans to take a bigger role in examining the security of systems used in commercial aviation; many of the systems are also used by the military. "If we don't probe first, our adversaries will," Will Roper, the service's assistant secretary for acquisition, technology, and logistics said in an interview with The Wall Street Journal. "We've been a little complacent in not trying to attack all of the parts of the airplane."

Cyberattacks against airlines, so far, principally have targeted weaknesses in IT systems rather than aircraft. British Airways is facing a $230 million fine in the U.K. after about a half-million passenger records were accessed during a 2018 cyberattack. Air Canada and Hong Kong's Cathay Pacific also reported data hacks last year.

"There are many risks in aviation beyond looking at the aircraft," said Jeffrey Troy, president of the Aviation Information Sharing and Analysis Center, a nonprofit industry organization focused on cybersecurity. "It's very important to be looking at the whole ecosystem and identifying key points where a digital system, if it were to malfunction, could cause a bad day for a lot of people."

The Air Force operates more than 5,300 planes -- including converted airliners such as the Boeing 747, the model used as Air Force One when carrying the president. The service has used internal teams to probe its systems and look for potential weaknesses adversaries could exploit. Mr. Roper said he wants the Air Force to look with more urgency for cybersecurity weaknesses.

The Air Force sent 28 people to Defcon, the annual hacking convention, in Las Vegas earlier this year to participate in its first-ever dedicated "hacking village," where researchers could try to find vulnerabilities in aviation systems. The Air Force also supplied some equipment, including a flight simulator, to help the hackers, security researchers and IT professionals better understand the nuts and bolts of aviation.

Organizers of the hacking village see it as a first step toward building trust between the aviation industry and outside researchers. Mr. Roper says he plans an even bigger presence at next year's gathering.

That outreach marks a shift for aviation security, which has long been the purview of a close-knit group of trusted insiders. Security companies typically have been brought in by airplane and avionics system manufacturers to provide independent security assessments, with the results mostly kept secret.

Stefan Savage, a computer science professor at the University of California San Diego, said it is important to have more outside scrutiny of aviation cybersecurity because manufacturers aren't always willing to own up to security problems, especially when fixing them would be costly.

"Beyond trusting Boeing, who's the backstop?" he said. Mr. Savage is on a team of researchers who assembled a test bed containing many of the systems found on a Boeing 737 to carry out security testing.

But handling the sensitive information such tests can highlight is tricky. An earlier Department of Homeland Security effort, called the Avionics Cybersecurity Initiative, was cut short last year amid a disagreement with Boeing Co. over the testing methodology and plans to publicly release some findings.

DHS said as part of that initiative it had acquired a used Boeing 757 airliner in 2016 and spent more than $10 million to identify potential cybersecurity vulnerabilities. Program administrators had planned to run 15 cybersecurity tests on the approximately 30-year-old jet. But the plane hasn't been touched in more than a year because of the disagreement over the some of the program's early findings.

The program's manager, Rob Hickey, a former Air Force pilot, described some of the findings at a November 2017 aeronautics cybersecurity conference, saying testers were able to access some of the airplane's systems using radio frequency communications, according to a report in the trade publication Avionics International.

Boeing, which disputed some of the findings, felt blindsided by Mr. Hickey's disclosure, according to current and former DHS officials, and testing of the plane's systems was put on hold.

"We had some disagreements about some of the specific tests. We had to work through those," one official familiar with the program said. "There were valid points on both sides."

Mr. Hickey said in an emailed statement he hopes the DHS resumes the testing protocol that his team developed "for the good of all -- especially the flying public."

Boeing said it supports the reconstituted cybersecurity initiative and may participate at next year's Defcon conference. "We need to bridge the gap between the hacking community and the industry," a Boeing official said.

