Cyber attack could paralyze air traffic

rails really,” Modder told AFP.

And we have multiple layers of contingency procedures and fall-back systems that can cut in when required to minimize risk of failure to the air traffic control system. For instance, we have four separate radar systems. They can all work independently. If one were to go down the others would still work.

Plus… The human element is also very much part of the system. The final decision to allow an aircraft to take-off or land is taken by a human, not a computer.

Ir Leung Ping-keung, the man in charge of the airport’s 50 technical systems, is certain that there is no risk from cyber attack. “It is a closed system,” he told AFP. “There is no connection between our systems and the Internet nor is there USB access.”

Yet computer security experts are not convinced.

Alan Paller, director of research at U.S.-based computer security organization the SANS Institute, says there is a fundamental weakness in the “not connected to the Internet” argument.

 

The average air traffic controller cannot email or surf the web from the control systems, he explained. “But when most managers say there is no connection to the Internet, they are unaware of maintenance connections,” he told AFP. “Behind the scenes there are almost always semi-direct connections through routers shared between the control system and business systems that can be exploited. Worms and attackers can find them easily.”

In January 2003, he said, the Bank of America reported that its ATMs had been disabled by an Internet worm — that was after the banks assured the world that their ATMs were “not connected to the Internet.”

The most serious cyber attack on the U.S. military came from a tainted flash drive in 2008 inserted into a military laptop in the Middle East which released malicious code that spread undetected in classified and unclassified systems.

It established “what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” Deputy Defence Secretary William Lynn said in August.

The threat is even greater now, Paller says. “One of the most virulent new vectors is smartphones — especially Android-based (the Google operating system) smartphones,” he said. “People plug them into their computers, even computers not connected to the Internet, not for data transfer but to recharge the battery — not knowing that behind the scenes their phones have been infected and are a carrier between the Internet and the better protected networks.”

In the skies, though, there is still, ultimately, a human in charge: the pilot. Hong Kong airline Cathay Pacific trains their pilots to face all eventualities they can think of, including a sudden collapse in the air traffic control system.

Blank screens could cause massive disruption but not necessarily disaster. “Pilots are still trained to fly visually,” a Cathay spokesman told AFP. “We also have communications with our aircraft and can keep them informed with what is going on.”