The Federal Aviation Administration is putting airlines, travelers and the United States at risk from cyber attacks, according to a rather damning report from the Government Accountability Office (GAO).
GAO highlighted a number of weaknesses in the FAA’s cyber defense of avionics systems, including a failure to test vulnerable systems, a lack of cybersecurity training, and not prioritizing cyber risks.
The FAA received $3 million in funding in fiscal year 2017 to develop and implement an integrated cyber testbed at the FAA Technical Center in Atlantic City, New Jersey, to address cybersecurity requirements for air traffic control and to identify and address cybersecurity risks in avionics systems. However, FAA officials told the recent GAO review that the cyber testbed does not test avionics systems for cyber vulnerabilities.
Terrorism’s big prize
Modern commercial airplanes use avionics systems and networks to share data—for GPS, weather, and communications, for example—with pilots, maintenance crews, other aircraft, and air traffic controllers. Airplane manufacturers have high-level cybersecurity controls in place for these systems, but the FAA is responsible for overseeing the safety of commercial aviation, including avionics systems. The growing connectivity between airplanes and these systems presents increasing opportunities for cyber attacks on commercial airplanes, and with attacks increasing in sophistication and number across all sectors, it is only a matter of time before hackers turn their attention to the big prize and attempt to create another 9/11.
Commercial aviation is in the unenviable position of juggling numerous vulnerabilities at a time when the industry faces unprecedented financial loss. A fact that will not be lost on individuals and groups who intend to cause harm. Currently, vulnerabilities could occur due to not applying modifications (patches) to commercial software, insecure supply chains, malicious software uploads, outdated systems on legacy airplanes, and flight data spoofing.
Identifying gaps
The FAA has established a process for the certification and oversight of all US commercial airplanes, including the operation of commercial air carriers. It has recognized avionics cybersecurity as a potential safety issue for modern commercial airplanes, but GAO’s review found it has not fully implemented key practices that are necessary to carry out a risk-based cybersecurity oversight program.
The watchdog found that the FAA has not assessed its oversight program to determine the priority of avionics cybersecurity risks, nor has it developed an avionics cybersecurity training program, issued guidance for independent cybersecurity testing, or included periodic testing as part of its monitoring process.
This is not to say that the FAA has completely turned its back on cybersecurity. Far from it. It undertakes numerous activity concerning the cybersecurity of ground-based systems, and coordinates with other federal agencies, such as the Departments of Defense (DOD) and Homeland Security (DHS), and with industry to address aviation cybersecurity issues. For example, FAA co-chairs the Aviation Cyber Initiative, a tri-agency forum with DOD and DHS to address cyber risks across the aviation ecosystem. And last month, cybersecurity experts from the FAA and the European Union Aviation Safety Agency (EASA) came together to discuss risk management and upcoming policy changes for stakeholders across the connected aircraft ecosystem.
However, GAO found that the FAA has not established a tracking mechanism for monitoring progress on cybersecurity issues that are raised in coordination meetings, and its oversight coordination activities are not supported by dedicated resources within the agency’s budget. And it is clear from GAO’s report that while work on ground-based cybersecurity is gathering pace, there are gaps in securing critical avionics systems.
According to the FAA’s Strategic Plan for fiscal years 2019 through 2022, the agency has adopted NIST’s Cybersecurity Framework to reduce aviation critical infrastructure risk. It has also performed risk assessments for its enterprise and mission-related systems, including its numerous air traffic control systems. However, GAO found that the FAA has not conducted an assessment of the risks to avionics systems to determine the relative priority of cybersecurity risks to avionics systems versus other safety concerns in its oversight program.
The NIST Cybersecurity Framework states that training is a “critical and indispensable component” of implementing a cybersecurity program. But GAO found the FAA does not currently have a staff training program specific to avionics cybersecurity and none of the agency’s certification staff are required to take cybersecurity training tailored to their oversight role. Industry stakeholders told GAO that the FAA lacks personnel with cybersecurity expertise and said the agency’s certification workforce needs additional cybersecurity skills to effectively oversee avionics cybersecurity.
During the review, FAA officials told GAO that they were concerned about potential software vulnerabilities in avionics systems because software that is not updated in a timely fashion may be vulnerable to cyber exploitation. And industry officials reported that software developers are often slow to issue a fix. For example, the officials stated that modifying one line of safety-critical flight software can take a year and cost around one million dollars due to the amount of testing and review that is generally required. Attacks on unpatched software vulnerabilities in non-aviation systems have caused billions of dollars in damage.
Airlines in the dark
Most airline officials GAO interviewed expressed concerns about the extent to which FAA’s certification process addresses avionics cybersecurity. The FAA does not require manufacturers to disclose to the airlines the extent of independent testing or the types of tests that were conducted. Airlines said they are therefore at a disadvantage in ensuring the cybersecurity of their airplanes because they do not know the extent of testing that has occurred or whether independent testing took place. For example, representatives from one airline told GAO that this lack of transparency hinders their ability to perform certain functions, such as comprehensive threat analysis, that would allow for thorough threat identification and mitigation.
All of the airline representatives GAO spoke with supported periodic, ongoing testing of avionics systems on their airplanes to ensure their airworthiness. In the absence of FAA guidance on this, representatives from one airline stated that they have formed a group with four other airlines to try to determine how to safely perform independent testing on their respective fleets.
The aviation industry boasts some of the best digital solutions, including those tasked with security, operational enhancement and passenger convenience. But such activities carried out by air carriers and airports could also pose vulnerabilities by facilitating the installation of malicious software in avionics systems. For example, malware could be installed on an electronic flight bag (EFB), which is an airline-owned and operated electronic device used by pilots and flight crews. Currently, EFBs can be standalone devices, such as a tablet, or integrated with systems such as the flight management system. Previously, these devices had no connectivity to other systems in the flight control domain when an airplane was in flight. However, vendors are developing EFBs with the capability to communicate instructions directly to flight management systems during a flight. Such EFBs, if connected to the airplane and infected with malware, could enable denial-of-service attacks or intrusion to other connected on-board systems, such as flight management systems.
Lessons to be learned
GAO said the FAA could learn lessons from EASA and the International Civil Aviation Organization (ICAO), both of which place a greater focus on the cybersecurity risks for avionic systems. ICAO is currently developing policies and procedures to reduce potential opportunities for cyber attack in a digitally connected aircraft environment – specifically, the processes for digital identity assurance for information that is exchanged between ground-to-ground systems and ground-to-air systems over different networks. The FAA told the watchdog that the agency is preparing internally for new rulemaking on avionics cybersecurity that would codify the use of commonly used Special Conditions in June 2021.
GAO’s report makes six recommendation to the FAA:
- Conduct a risk assessment of avionics systems cybersecurity to identify the relative priority of avionics cybersecurity risks for its oversight program compared to other safety concerns and develop a plan to address those risks.
- Identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs.
- Develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing.
- Review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing.
- Develop a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders.
- Review and consider the extent to which oversight resources should be committed to avionics cybersecurity.
The FAA concurred with five of the recommendations but did not agree with conducting independent testing in the deployed fleet. The FAA believes any type of testing conducted on the in-service fleet could result in potential corruption of airplane systems, jeopardizing safety rather than detecting cybersecurity safety issues.
No time for complacency
To date, there have not been any reports of successful cyber attacks on an airplane’s avionics systems, and manufacturers must be applauded for their due diligence and innovation. For example, onboard networked systems on new airplanes are segregated into several independent domains, and one-way buses control the direction of data flow and built-in, automatic switches control when systems are activated.
Hackers have however demonstrated their ability to hack into a commercial airplane’s satellite internet modem, which impacted passenger mobile devices connected to the in-flight Internet. Aircraft avionic systems will have the highest level of protection but hackers have proven they can keep pace with technology and systems defense in other applications, which should make the cybersecurity of critical avionics systems, and ultimately flight safety, a high priority for the FAA.
