The increasing interconnectedness of “modern aircraft … to the Internet” presents the potential for “unauthorized remote access to aircraft avionics systems,” according to a new Government Accountability Office (GAO) audit report on the Federal Aviation Administration’s (FAA) need for a more comprehensive approach to addressing cybersecurity vulnerabilities as the agency transitions to NextGen.
The FAA’s NextGen program, as GAO explained, “is a modernization effort begun in 2004 by FAA to transform the nation’s ground-based Air Traffic Control (ATC) system into a system that uses satellite-based navigation and other advanced technology. This effort is a multiyear, incremental transformation that will introduce new technologies and leverage existing technologies to affect every part of the NAS. These new technologies will use an Internet Protocol (IP) based network to communicate.”
But, according to FAA and experts GAO interviewed, modern communications technologies, including IP connectivity, that are increasingly used in aircraft systems are also “creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems.”
“Aircraft information systems consist of avionics systems used for flight and in-flight entertainment. Historically, aircraft in flight and their avionics systems used for flight guidance and control functioned as isolated and self-contained units, which protected their avionics systems from remote attack. However, according to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them,” GAO stated in its audit report released this week.
Continuing, GAO said, “Firewalls protect avionics systems located in the cockpit from intrusion by cabin system users, such as passengers who use in-flight entertainment services onboard,” but “Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented. The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin.”
Not surprisingly, GAO said, “An FAA official said that additional security controls implemented onboard could strengthen the system.”
“While it’s true that firewalls could potentially be bypassed by those with ill intent, we have to remember that aircraft systems are built with safety in mind. These systems, which we deem life- or safety-critical, have redundancies in place to lessen the chances of tragic outcomes should they be compromised,” said Jovi Umawing, malware intelligence analyst for Malwarebytes Labs, the research arm of the anti-malware company. But, he added, because “the GAO report does not clearly elaborate if this new threat via cabin Wi-Fi takes into account such systems, we can’t know for sure if an attack like this would be successful.”
“This doesn’t mean that vulnerabilities found in Wi-Fi and aviation systems shouldn’t be taken seriously,” Umawing said. “Travelers must still adhere to safe computing practices and treat the plane Wi-Fi in the same way they would free public Wi-Fi in a coffee shop. That means avoiding logging into websites that contain lots of sensitive information like online banking or social media accounts. Airplane Wi-Fi may be password protected, but that doesn’t mean there isn’t someone logged onto the network sniffing around for packets and looking to take advantage of travelers’ trust in the system.”
As part of the aircraft certification process, GAO said the FAA’s Office of Safety (AVS) currently certifies new interconnected systems through rules for specific aircraft and has started reviewing rules for certifying the cybersecurity of all new aircraft systems.
Still, GAO said, “FAA officials and experts we interviewed said that modern aircraft are … increasingly connected to the Internet, which also uses IP networking technology and can potentially provide an attacker with remote access to aircraft information systems. According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors.”
GAO said, “FAA officials and cybersecurity and aviation experts we spoke to said that increasingly passengers in the cabin can access the Internet via onboard wireless broadband systems. One cybersecurity expert noted that a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines.”
According to five cybersecurity experts GAO interviewed, “the threat of malicious activity by trusted insiders also grows with the ease of access to avionics systems afforded by IP connectivity if proper controls, such as role-based access, are not in place. For example, the presence of personal smart phones and tablets in the cockpit increases the risk of a system’s being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems.”
Continuing, GAO reported that the “FAA’s Office of Safety (AVS) is responsible for certifying the airworthiness of new aircraft and aviation equipment, including software components for avionics systems,” but that “FAA’s aircraft-airworthiness certification does not currently include assurance that cybersecurity is addressed.”
According to FAA officials and the Radio Technical Commission for Aeronautics (RTCA), GAO stated, “FAA currently issues rules with limited scope, called Special Conditions, to aircraft manufacturers when aircraft employ new technologies where IP interconnectivity could present cybersecurity risks. FAA views Special Conditions as an integral part of the certification process, which gives the manufacturer approval to design and manufacture the aircraft, engine, or propeller with additional capabilities not referred to in FAA regulations.”
“For example,” GAO pointed out, “FAA issued Special Conditions to address the increased connectivity among aircraft cockpit and cabin systems for the Boeing 787 and Airbus A350 to provide systems cybersecurity and computer network protection from unauthorized external and internal access.”
FAA officials also told GAO auditors that “research supporting cybersecurity-related Special Conditions could be aggregated and used to support portions of a new rule, and industry experts we spoke with said they would support the certainty rulemaking would bring” with regard to protecting modern aircraft interconnectivity from hacking.
Similarly, Homeland Security Today reported in its Dec./Jan. issue that drones are also vulnerable to hacking, including by terrorists.
In its audit, GAO further reported that the “FAA has taken steps to protect its ATC systems from cyber-based threats; however, significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system. FAA has agreed to address these weaknesses. Nevertheless, FAA will continue to be challenged in protecting ATC systems because it has not developed a cybersecurity threat model.”
National Institute of Standards and Technology (NIST) guidance, as well as experts GAO consulted, “recommend such modeling to identify potential threats to information systems, and as a basis for aligning cybersecurity efforts and limited resources.”
But, “While FAA has taken some steps toward developing such a model, it has no plans to produce one and has not assessed the funding or time that would be needed to do so,” GAO determined. And, “Without such a model, FAA may not be allocating resources properly to guard against the most significant cybersecurity threats,” GAO concluded.
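The kind of threat model the report says is missing, sketched over the architecture it describes (cabin Wi-Fi, a firewall-only cabin-to-cockpit link, personal devices in the cockpit without role-based access, ground ATC on an IP network). This is an added example, not code from GAO, the FAA or any manufacturer; the zone names, links, trust levels and control names are constructed assumptions. It enumerates every path from a less-trusted zone into the avionics and ranks them by how few controls sit on the weakest hop, which is the basis for allocating limited resources that NIST guidance and the experts recommend.

```python
from collections import deque

# Trust level per zone; higher means more safety-critical. Constructed values.
ZONES = {
    "internet": 0,
    "cabin_ife": 1,         # passenger Wi-Fi / in-flight entertainment
    "crew_tablet": 1,       # personal device carried into the cockpit
    "atc_ground": 2,        # ground-based ATC on an IP network
    "cockpit_avionics": 3,  # flight guidance and control
}

# Directed links and the named controls on each hop. Constructed; the cabin-to-
# cockpit hop has only a software firewall, the case the report's experts warn about.
LINKS = [
    ("internet", "cabin_ife", {"firewall"}),
    ("cabin_ife", "cockpit_avionics", {"firewall"}),   # shared IP harness/router
    ("crew_tablet", "cockpit_avionics", set()),        # no role-based access control
    ("atc_ground", "cockpit_avionics", {"firewall", "message_auth"}),
    ("internet", "atc_ground", {"firewall", "vpn"}),
]

def escalation_paths(zones, links, target):
    """Paths from every less-trusted zone to `target`, each tagged with the controls
    on its weakest hop (fewest controls); a single software control is assumed bypassable."""
    adj = {}
    for src, dst, ctrls in links:
        adj.setdefault(src, []).append((dst, ctrls))
    findings = []
    for start, level in zones.items():
        if level >= zones[target]:
            continue
        queue = deque([(start, [start], None)])
        while queue:
            node, path, weakest = queue.popleft()
            for nxt, ctrls in adj.get(node, []):
                if nxt in path:  # no cycles
                    continue
                w = ctrls if weakest is None or len(ctrls) < len(weakest) else weakest
                if nxt == target:
                    findings.append((start, path + [nxt], sorted(w)))
                else:
                    queue.append((nxt, path + [nxt], w))
    return findings

def prioritize(findings, zones):
    """Rank for limited resources: fewest controls on the weakest hop first,
    then the largest jump in trust level from source to target."""
    return sorted(findings,
                  key=lambda f: (len(f[2]), -(zones[f[1][-1]] - zones[f[0]])))
```

Running `prioritize(escalation_paths(ZONES, LINKS, "cockpit_avionics"), ZONES)` on these constructed inputs lists the uncontrolled crew-tablet path first, then the two paths that depend on the single cabin-to-cockpit firewall, before the paths that cross two independent controls.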