Concerns deepen about cyber attack on Su 30, IAF starts inquiry
By ABHINANDAN MISHRA | New Delhi | 4 June, 2017
Indian Air Force has started a court of inquiry to investigate the crashing of one of its Sukhoi 30 fighters in Assam, amidst concerns that the aircraft’s flying was “interfered with from outside” while it was still airborne, and that this may have led to the pilots suffering “spatial disorientation”. The aircraft went down last week near the India-China border after taking off from the Tezpur airbase in Assam.
The Sukhoi-30 crashed on 23 May, but its wreckage was discovered three days later and the analysis of the aircraft’s equipment suggested that the two IAF officers, Squadron Leader D. Pankaj and Flight Lieutenant S. Achudev, who were flying the aircraft, were unable to “initiate the ejection process” when the aircraft was about to crash—a “lack of action” that hardly happens with trained fighter pilots.
This newspaper carried a report last week (Sukhoi likely downed by cyber weapons, 28 May) in which it pointed out that the crash may be the result of “cyber-interference with the onboard computers” in the cockpit. The report also said that it could be due to this interference that the pilots may have found it difficult to activate safety ejection mechanisms, once it became obvious that the aircraft was in serious trouble, as such mechanisms too could have been crippled by computer malfunctions induced from an outside source.
Even though India’s traditional defence establishment, including old school security analysts, has been wary of accepting the possibility of a cyber attack downing a combat aircraft, the issue has been and is being discussed seriously in the Western fronts for the last 8-9 years, with experts and CEOs of defence companies themselves raising concerns over cyber threats on military hardware.
The Federal Aviation Administration (FAA) of the United States in 2008, in its report, had stated that the Boeing’s 787 Dreamliner passenger jet may have had serious security vulnerabilities in its onboard computer networks that could allow passengers to access the plane’s control systems and make these vulnerable to hackers. Later, Boeing had stated that it had fixed the problem.
Similarly, in December 2013, Jeff Kohler, vice president of international business development for Boeing’s defence arm, stated that he was “very concerned” about the threats to flying software and the said aircraft were now in need of cyber protection. “From our commercial aircraft side we’re very concerned about it. As commercial aeroplanes become more and more digital and electronic, we have actually started to put cyber protection into the software of our aeroplanes,” Kohler had stated.
In 2013, a Spanish hacker, who is also a commercial flying pilot licence holder, had made a presentation in front of European Aviation Safety Agency (EASA), in which he proved beyond doubt that one did not need a computer to hijack a plane remotely and even a smart-phone equipped with an app could be enough to take over a plane’s steering system, causing the plane to crash.
In 2011, Pascal Andrei, chief product security officer at Airbus, while speaking at an event on cyber security organised by the International Air Transport Association (IATA), stated that “conventional security threats, such as bombs, disruptive passengers, smuggled baggage, and cargo are already being managed effectively, although these are constantly evolving. Now airlines must learn to manage cyber threats.”
Andrei, while giving the example of a scene that took place in a Hollywood movie, Die Hard 2—where the aircraft’s systems were fooled by cyber hackers into believing that it was flying 200 feet higher than it actually was, by interfering with the instrument landing system—stated that this was not a just a fictional scenario: “It is not just a matter of ensuring that the channels of data transmission are secure, but also of ensuring that the information transmitted through those channels is correct. Aircraft have to rely on external data coming into the aircraft. If that information is not correct, it could jeopardise the safety of the flight.”
Experts say that some Indian experts’ dismissal of the possibility of the Sukhoi-30 being brought down by a cyber attack was not unique, as even in the West it took some time for the traditional old school experts to start believing in such sabotage. Initially, they just could not understand how quickly cyber threats had evolved.
Raytheon, a major US based defence manufacturer and the largest producer of guided missiles, announced last year that it was working on a billion-dollars-project to provide commercial and military pilots with a cyber attack warning system. The two products it was working on included a software-only technology and a hardware-deployable module. The software was being developed with the objective to provide a quick and easy fix, while the hardware product was being designed to give operators a hard-wired solution capable of protecting critical aircraft systems from cyber attacks, in a situation where an attacker simulates the aircraft malfunctions so that a pilot loses trust in the functionality of the airplane.
According to experts, something similar probably took place with the Indian pilots, Squadron leader D. Pankaj and flight lieutenant S. Achudev, who were flying the ill fated Sukhoi-30.
In March 2014, a cyber attack on Russian communication systems had compromised India’s defence dealings with Russia, after it was revealed that most of the leaked documents were related to India’s dealings with Russia in relation to Sukhoi-30 MKI and the MiG-29. The documents that were stolen included correspondence between Russia’s United Aircraft Corporation (UAC), which makes the SU-30 and the Hindustan Aeronautics Limited (HAL), which manufactures the aircraft under licence in India.