The Threat Surface with Dr Krishna Sampigethaya [S2Ep23]
When hackers take control of the real world
In early 2009, Iran’s secret program to build nuclear weapons suffered a series of mysterious failures. Centrifuge machines used to purify uranium suddenly spun out of control and tore themselves apart. More than a thousand machines were destroyed, and Iran’s pursuit of the bomb was seriously delayed. It turned out that the machines had been sabotaged by a computer virus called Stuxnet that had been developed by Israel and the United States.
The attack demonstrated that hackers can not only take control of computer systems, but also reach through those systems to create physical effects in the real world. Today there’s a whole subspeciality of the cyber security field called “cyber physical” devoted to studying this kind of attack, and I’m fortunate to have with me today one of the leading lights, Dr Krishna Sampigethaya, a professor at Embry-Riddle Aeronautical University, who will talk to us about its relevance to aviation and specifically to MH370. I ask him whether, in his view, MH370 could have been the victim of a cyber-physical attack.
During our discussion, Dr Sampigethaya mentions a recent incident in which a flight crew’s response to a collision-avoidance warning caused injuries in the back of the plane. You can read more about that here. In this particular case, the event was triggered not by a cyber attack but by an actual conflict between two planes, but it shows how the action of a networked device can result in harm to humans even when the equipment in question is not itself considered critical.
Dr Sampigethaya also mentions the RTCA, originally founded as the Radio Technical Commission for Aeronautics, which works with the FAA to provide technical certification for new technologies, including automation, networking, and, naturally, cybersecurity.
The paper produced by Micro Systems Automation Group for the FAA in 2014, “Investigate Security Vulnerabilities for a Representative Aircraft,” can be found here. Figure 3 is on page 12. The document offers an eye-opening survey of the cyber vulnerabilities of the US civil aviation fleet, though it focuses on broad principles such as software verification rather than specific vulnerabilities. Worth noting is that the aircraft with by far the greatest number of vulnerabilities is the 777.
My interview with Ken Munro of Pen Test Partners was featured in Episode 22 of Season 1, “The Hacking of MH370.”
The Aviation ISAC is a group that describes itself as “an international membership community of airframers, airlines, airports, satellite manufacturers, aviation services, and their supply chains. Our staff and member companies collaborate in real-time to prevent, detect, respond to, and remediate cyber risk through threat intelligence sharing and best practices.” The group’s annual meeting in September featured such cybersecurity luminaries as Chris Krebs and Ken Munro.
Finally, as I mention in the introduction, the Kickstarter to buy, modify, and set adrift a real 777 flaperon was not successful, and ended yesterday. It was worth a shot! I'd like to thank everyone who supported the effort, and reassure everyone that the remaining part of the project, to gather Lepas barnacle data from global drifters, will continue apace.
@jeffwise : 1 question I wanted to ask for a long time:
In case MH370 is found in the SIO, would you then dismiss your Northern theory entirely?
Or would you entertain the possibility that the debris field on the sea floor as well as the black boxes have been planted there (given your belief that the debris found on the coastlines may/must have been planted as well)?
Count me as skeptical of the feasibility, but to be honest, your hijacking theory appears more sophisticated than throwing into the ocean the parts of a dismantled B777 and manipulating the CVR/FDR.
Dear Jeff
Relevant Points Identified
1. Cyber-Physical Attack Possibility: The text raises the idea that MH370 could have been subject to a cyber-physical attack, using the example of Stuxnet—a virus that inflicted real-world damage to Iran’s nuclear centrifuges through digital manipulation. This establishes a potential parallel for aviation systems.
2. Discussion with Cybersecurity Expert: Dr. Krishna Sampigethaya, a professor in cybersecurity at Embry-Riddle Aeronautical University, was consulted. While he referenced cybersecurity in aviation, no specific evidence links his expertise or statements to cyber-physical vulnerabilities in MH370.
3. Injury Incident Involving Collision-Avoidance Systems: Dr. Sampigethaya mentions an event where crew responses to a collision-avoidance warning led to passenger injuries. This is noted to illustrate potential human response risks, even without cyber interference.
4. Aviation ISAC (Information Sharing and Analysis Center): This group is mentioned as fostering collaboration in real-time threat intelligence and best practices among aviation industry players to manage cyber risks. However, no evidence links this group’s work to MH370.
5. Vulnerabilities in Aircraft (Especially the Boeing 777): A 2014 paper by the Micro Systems Automation Group for the FAA purportedly discusses security vulnerabilities in the US civil aviation fleet, with the Boeing 777 mentioned as having the highest vulnerability count. No specific vulnerabilities relevant to MH370 are cited.
6. Miscellaneous Events and Attempts at MH370 Research: The mention of a Kickstarter project to buy and modify a 777 flaperon for research highlights experimental attempts but doesn’t provide substantial information or findings.
Analysis and Critique
• Speculative Links without Concrete Evidence: Although cyber vulnerabilities and the potential for cyber-physical attacks are theoretically relevant, the provided text lacks specific evidence or mechanisms that could have affected MH370. The Stuxnet example shows the potential impact of cyber-attacks in other fields but does not establish direct or even indirect causality related to MH370.
• Ambiguous Expert Consultation: Dr. Sampigethaya’s insights on general cybersecurity concerns in aviation do not correlate directly to MH370’s disappearance or Boeing 777 vulnerabilities in a manner that adds factual grounding. His reference to collision-avoidance issues highlights pilot responses but lacks relevance to cyber-attack scenarios.
• Lack of Empirical Data from ISAC and FAA Reports: Although the FAA report notes vulnerabilities, there’s no elaboration on which specific cybersecurity risks the Boeing 777 faces or how they could feasibly lead to the circumstances of MH370. The involvement of ISAC underscores industry efforts to address cybersecurity but offers no actionable insights or findings relevant to MH370.
• Irrelevant or Unsubstantiated Speculations: The Kickstarter initiative, while intriguing, appears unrelated to any substantial forensic investigation or fact-finding on MH370. Such side projects, though possibly well-meaning, do not substitute for data-driven analysis or validated forensic methodologies.
It’s pure speculation and just adds to the confusion in the disappearance. I honestly don’t believe this is the cause of MH370’s disappearance.
Thank You Ed Skerritt