\begin{tabular}{l||l} Case Study 71 & The Aircraft Communications Addressing and Reporting System (ACARS) \\ \hline \end{tabular} On June 22, 2015, LOT, the state-owned Polish airline, had to ground at least 10 national and international flights because hackers breached the network at Warsaw's Chopin airport and intercepted the flight plans that pilots need before taking off. The grounding affected about 1,400 passengers and lasted over five hours before the problem was solved. A month earlier, United Airlines was reported to have experienced the same problem in the United States, and pilots reported bogus flight plans repeatedly popping up on the system. A consultant explained that the radio network that carried flight plans did not need authentication and was designed to trust the communications. A committee was then set up to develop a proposed standard for flight plan security. Fortunately, the flight plan did not control the plane, and a pilot had to accept and enter the plan. A strange result, such as heading to a distant city in the wrong direction, would not be entered or accepted. Even if the bogus plan were entered and accepted by the pilot, there was no danger of collision or crash because of the fraudulent plans. Any changes received to the plan while in flight had to be confirmed with air traffic controllers, who analyzed the new plan for safety. Alarms would also indicate a possible collision. Sources: Kim Zetter, "All Airlines Have the Security Hole That Grounded Polish Planes," Wired, June 22, 2015, http://www.wired.com/2015/06/airlines-security-hole-grounded-polish-planes/ (accessed August 25, 2015) and "Hackers Ground 1,400 Passengers at Warsaw in Attack on Airline's Computers," The Guardian, June 21, 2015, http://www.theguardian.com/business/2015/jun/21/hackers-1400-passengers-warsaw-lot (accessed June 26, 2015). Discussion Questions 1. In your opinion, which of the two aircraft breaches is more dangerous: the breach described here or the breach created by the hacker (described earlier in the chapter) who took control of a plane's throttle briefly through the entertainment system and then tweeted about it? Why? 2. What questions would you pose to the information security executive responsible for the flight plan system to ensure that this hack was no longer possible? What other plans would you put in place to build a defense in depth? 3. If password control is used to solve the ACARS weakness, what might hackers do next? And given your answer, what might managers do to guard against that