As the telemetry data from the aircraft and ground radar logs have emerged, it has become increasingly certain that the plane was deliberately diverted from its course. There are three possibilities:
- The plane was diverted by the pilots.
- The plane was diverted after some form of forcible takeover.
- The plane was diverted by another party not on the plane at all.
At this point, most attention is focused on the first two possibilities, with diversion by one or both pilots the most likely explanation. Whoever diverted the plane certainly knew a lot about flying one.
But unlikely as it may sound, the third option — that someone not even on the plane is responsible — is actually a possibility. And so the term “SCADA” is likely to be heard in the coming days.
What is SCADA?
SCADA comes from the process control industry, and refers to one particular configuration of a digital control system. In a chemical plant there is typically a master computer receiving data from, and sending instructions to, a network of local control systems. Since I left that industry thirty years ago, the master computer has come to be called the Supervisory Control And Data Acquisition (SCADA) system.
When security vendors started to look for ways to sell product to the process control industry, the SCADA system was the only machine in a typical process control system that looked sufficiently like a PC to be able to run the existing products. This is of course nonsense, from a security point of view — every ‘local controller’ is also a computer, and vulnerable to attack, just as a printer or a telephone exchange is also a computer from a security point of view. But even if a billion dollars of marketing money is completely wrong, it can establish a name in a vocabulary. So now the term ‘SCADA security’ means security of an embedded control system, regardless of whether it is a SCADA architecture or not.
The 777 is a fly-by-wire aircraft. Every signal from the flight deck makes its way to the control surfaces through a communications network that runs the length of the plane. From time to time, security researchers have demonstrated, or at least claimed to demonstrate, that these networks — the plane's engines and controls — are vulnerable to hackers.
When seat-back entertainment systems were introduced, many airlines wanted to show passengers a ‘moving map’ of the position of the aircraft. The simplest way to provide a moving map is to read the position information passing over the communications network, in effect bridging the air gap between the control and entertainment networks. This has led to claims that the system can be hacked ‘from an Android phone in the passenger cabin’.
The last claim has since been debunked, or at least the purported demonstration has been shown to have been made on a system designed to simulate the control system rather than on the flight-certified system. But there are other ways in which an airplane control system might conceivably be compromised. The control system software could conceivably be replaced by ground maintenance crews, effectively giving an attacker the ability to divert the plane on a pre-programmed course.
According to our current understanding of hacker capabilities, such an attack would be beyond the known capabilities of any private hacker group. SCADA attacks are still comparatively rare. It would be rather surprising if a group of criminals working on SCADA systems would choose to make a multi-system attack on a civil aircraft, potentially causing hundreds of deaths. But unpleasant surprises have occurred before.
Another possibility is that an attack might originate from a government cyber-engagement program.
In 2010, the US launched the STUXNET attack on an Iranian civil nuclear facility. In the years since the discovery of STUXNET, other governments have been scrambling to establish similar capabilities. Unlike weapons for conventional warfare, cyberweapons are easily pilfered by the designers. In some programs this type of pilfering is even encouraged.
In the past, Hollywood movies used to explore scenarios in which mad government scientists researching germ warfare use the bugs for their own evil purposes. Such a scenario might even have occurred. In cyber, this type of scenario is played out every day: Criminals pay money for cyber attacks.
Just as the optimistic scenario has become plausible, due to the lack of candor from the Malaysian authorities, a variant of the SCADA attack has become plausible, although unlikely. In this scenario, the motive for the attack is extortion, and a group of cyber-pirates are threatening to pull another plane out of the air unless their financial demands are met.
Whether this scenario turns out to be accurate or not, it is another reminder that the security of SCADA systems requires urgent attention. In particular, aircraft control systems will need to be designed so that they are ‘tamper evident,’ and future telemetry systems will be designed so that they continue to provide position updates and cannot be disabled.
With modern encryption and communication systems, a plane could report telemetry and cockpit voice conversations on a continuous basis. We could have known that the plane had been diverted, and why, immediately, rather than having speculation continue over a week later.
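
A sketch of what ‘tamper evident’ continuous telemetry can mean on the receiving end, added here as an illustration and not taken from any avionics system: each position report carries an HMAC-SHA256 tag (authentication, not encryption) that also covers the previous report's tag, so the ground side can tell an altered report from a missing one and from a feed that has simply gone quiet. The key, the 60-second interval, the report fields and the function names are all assumptions, and the sample reports are constructed.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: per-aircraft key shared with the ground
INTERVAL = 60                  # assumption: one position report expected every 60 s


def _tag(prev_tag, body):
    return hmac.new(KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def build_stream(n=5):
    """Airborne side: each report's tag also covers the previous report's tag."""
    stream, prev = [], ""
    for seq in range(n):
        body = json.dumps({"seq": seq, "ts": seq * INTERVAL,
                           "lat": round(2.7 + 0.3 * seq, 1), "lon": 101.7},
                          sort_keys=True)
        prev = _tag(prev, body)
        stream.append({"body": body, "tag": prev})
    return stream


def audit(reports, now):
    """Ground side: return findings; an empty list means an intact, live stream."""
    findings, prev, last_seq, last_ts = [], "", -1, None
    for r in reports:
        f = json.loads(r["body"])
        if f["seq"] != last_seq + 1:
            # Missing reports: the chain cannot be checked across the hole.
            findings.append(("gap", last_seq + 1, f["seq"] - 1))
        elif not hmac.compare_digest(_tag(prev, r["body"]), r["tag"]):
            findings.append(("tampered", f["seq"]))
        prev, last_seq, last_ts = r["tag"], f["seq"], f["ts"]
    # No report for more than two intervals is itself a finding.
    if last_ts is None or now - last_ts > 2 * INTERVAL:
        findings.append(("silent", last_ts))
    return findings


if __name__ == "__main__":
    s = build_stream()
    print(audit(s, now=250))              # intact and recent
    print(audit(s[:2] + s[3:], now=250))  # one report dropped
    print(audit(s[:3], now=600))          # feed stopped after the third report
```

The point of the last check is that silence is treated as data: a transmitter that is switched off produces a finding on the ground within two reporting intervals instead of an absence that is noticed later.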