Authorities investigating the recent 2008 plane crash of Spanair flight 5022 discovered that there is a probability that the central computer system that’s used to monitor technical issues with the plane was infected with malware.

The plane, a McDonnell Douglass MD-82,  held 172 passengers and crew, crashed upon takeoff rolling to the right and split into two, exploding almost immediately.  154 people died and only 18 survived the crash, which was Spain’s deadliest in 25 years.

According to a preliminary report by the U.S. National Transportation Safety Board, the aircraft took off with its flaps and slats retracted, and there was no alarm that notified of the issues because the central computer system that typically delivers the power and message to the take-off warning system had failed.  In addition, there were two smaller earlier events that  also were not reported by the system.  In short, built-in safeguards that would have prevented the crash, failed to do so.

Head researcher, Jamz Yaneeza for Trend Micro indicated that malware on the infected computer system was a type of Trojan horse.  While there are a number of ways the malware could have entered the computers system, the most likely scenario is it was transferred via a USB stick.  This type of transfer of malicious code is not new to the transportation, or hi-tech industry, as the International Space Station was also infected in this manner in 2008.  Another possibility is that the infection occurred through a remote VPN connection.

A complete report is due in December of 2010 regarding the full investigation.  Researchers have indicated that a preliminary investigation indicates that it does not appear that the malware was specifically intended for the planes computer systems.

However, what this does bring to light is the bridging of the gap between two distinct types of risk management that historically have been on either end of the ravine.  Conventional risk management such as employee health and safety, transportation safety, process safety, and environmental protection are typically managed by a “risk manager” at most larger organizations while the cyber security is managed by a “technical officer” (or similar designation).

As technology develops, and cyber criminals begin to expand their operations, directed attacks towards this type of exposure can and should be expected, especially with regards to extortion and blackmail.  This incident is a classic example where the health and safety of employees, the public, owned materials and vehicles, company image and network security were all adversely impacted.

In this case, it’s likely that malware was not the direct cause for the flaps to be at the dangerous 0 degree angle, but they were a contributing factor to the crash occurring since the computer systems did not respond and communicate accordingly as they should have when alarming on the  problem.  It is certainly possible in the future that we’ll see more customized malicious attempts to hijack planes, vehicles and even automated equipment run by computers in an attempt to create harm or havoc for financial or terrorist gain.

UPDATE:

New information is now surfacing 3 days after this initial story ran at MSNBC and TechNewsDaily.  Apparently the internal Spanair Report that reported many of these issues and came to some of the determinations outlined in this blog may not have been entirely accurate according to security experts around the web.  So while the accuracy of this initial report is still up in the air, the overall message and threat of malware and cyber security concerns with integrated systems is still valid.  As technology develops, so too will the criminals and malicious entities that take advantage of it.