The Department of Homeland Security decided last month to end cyber testing of its Boeing 757-200 under the tri-agency Aviation Cyber Initiative. Pictured here is a United Airlines’ 757-200 at Glasgow Airport in 2014. The first 757-200 rolled off the Boeing assembly line in 1982, and Boeing delivered its last 757 in 2005.
Last month, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) decided to end the Aviation Cyber Initiative’s (ACI) computer vulnerability testing of a Boeing 757-200 at the Federal Aviation Administration (FAA) William J. Hughes Technical Center in Atlantic City, Avionics International and sister publication, Defense Daily, have learned. DHS’ Science and Technology (S&T) division had acquired the aircraft in 2016, and the FAA accepted the plane at its Atlantic City center in September of that year.
CISA did not respond when asked to comment on why the agency had decided to end the cyber vulnerability testing of the 757-200 and whether there are any agency plans to conduct cyber vulnerability testing on other aircraft.
CISA said that the overall ACI effort continues, however.
“CISA and its partners at the FAA and the Department of Defense remain engaged in the Aviation Cyber Initiative, which is working to reduce cybersecurity risk and increase resilience in the aviation ecosystem,” Scott McConnell, a CISA spokesman, wrote in an email. “This includes expanding its Community of Interest to include additional public and private sector partners, forming new working groups to assess and mitigate various aspects of the aviation ecosystem, and implementing cybersecurity training at airports across the country in the near future.”
One government source said that “broader resilience efforts equal what CISA normally does, which is community engagement. That means nothing will get done, but a bunch of talking.”
DHS’ S&T budget request for fiscal 2021 has no funding for aviation cybersecurity, as opposed to $2.5 million appropriated by Congress last year and nearly $4.8 million appropriated in fiscal 2019.
An industry source said that there are likely a “myriad of reasons” for the DHS decision to end the ACI testing of the 757-200, including a “lack of interest, lack of a sponsor within DHS, and lack of money.” The source said that DHS/CISA officials likely did not want to sponsor the ongoing testing of the 757-200, given the software problems that Boeing has had with its 737 MAX airliner, which global aviation authorities grounded in March last year after two fatal crashes.
Whatever the causes behind DHS’ determination to end the cyber vulnerability testing of the 757-200, it was likely that any future DHS cyber vulnerability testing of airliners would have to involve significant avionics upgrades to the 757-200 or testing a more modern, next generation airliner. DHS reported in April, 2017 that it bought the 757-200 to adhere to budget constraints and save costs, as the airliner had reached the end of its service life and was equipped with some older technologies not widely in service. Long-term testing of the 757-200 would require the buy of newer technologies widely in service, the department said at the time
In November, 2017, Defense Daily reported that the ground testing of the 757-200 in Atlantic City in a non-laboratory environment had shown that remote hacking of commercial airliners was possible.
DHS later fired Robert Hickey, the program manager of the testing effort, in a dispute with Boeing and the agency over the public release of the testing findings. According to documents obtained by Motherboard through a Freedom of Information Act request, the Pacific Northwest National Laboratory (PNNL) was involved in the testing effort and was responsible for attempting to hack the 757-200’s Wi-Fi and In-Flight Entertainment (IFE) systems, while Massachusetts Institute of Technology’s Lincoln Labs was responsible for the external radio frequency (RF) attack vector.
In June of 2018, DHS S&T and CISA “decided to pause the Boeing 757 assessment segment of the ACI to review and validate requirements,” CISA said in October last year. “In January 2019, both agencies determined to resume planning for future assessments. The assessments on this aircraft is only one small part of the broader ACI strategy.”
The end of the 757-200 cyber vulnerability testing program comes as the airline and business aircraft industry absorb losses due to the COVID-19 pandemic. Airline passenger revenues this year look to be $252 billion less than last year, according to the International Air Transport Association, and more than 8,500 passenger aircraft have been placed into storage so far, about 1/3 of the global passenger fleet.
On the business aviation front, Bombardier Aviation has suspended aircraft production, and Textron Aviation announced the upcoming furloughs of thousands of workers, while GE Aviation is to cut 10 percent of its workers, furlough half of its repair personnel for three months, and shift some production to needed medical equipment, such as ventilators, to combat COVID-19, according to the National Business Aviation Association.
Defense Daily’s Calvin Biesecker Contributed Reporting for This Article