Watchdog: FAA needs to do more to address aircraft cybersecurity
- By Mark Rockwell
- Oct 12, 2020
Because of looming threats, the Federal Aviation Administration has to tighten up its oversight of cybersecurity for the advanced, networked aviation control systems that are being installed in commercial aircraft, according to a government watchdog report.
Global positioning, weather, and communications systems and other advancing IT onboard new aircraft that share data with pilots, passengers, maintenance crews, other aircraft, and air-traffic controllers have opened a new frontier for cyberattack, said a Government Accountability Office report released on Oct. 9.
Auditors said that while aircraft and avionics makers have put extensive measures in place to foil cyberattacks, the aviation regulator has to prioritize and fully implement its own risk-based cybersecurity oversight program. The GAO said the FAA has worked on coordinating aviation ecosystem cybersecurity with the Departments of Defense and Homeland Security and the aviation industry on the Aviation Cyber Initiative. However, said the GAO, the FAA hasn't done enough internally to assess and manage the growing risks.
Even though there have been no reported successful cyberattacks on aircraft avionics, said the report, the potential for altered cockpit data, misused flight data or even disruption of flight operations looms over networked avionics IT systems.
The list of potential cyber bad guys is a familiar one, according to the GAO. Nation-state hackers, terrorist groups and insiders all could steal, alter or actively use data from avionics systems to wreak havoc if it's not properly protected, said the study.
The GAO recommended specific actions the FAA should take to help avoid those potential consequences, including conducting a risk assessment of avionics systems' vulnerabilities to prioritize oversight plans and improving training for FAA inspectors on avionic cybersecurity. Additionally, FAA should assess the cybersecurity risks of avionics systems in aircraft already in use, including independent testing of those systems.
The Department of Transportation, FAA's parent agency, agreed with all of the GAO's recommendations, except independent testing of avionics systems onboard aircraft already in use.
A letter from Keith Washington, DOT deputy assistant secretary for administration, pushed back, warning GAO that testing on in-service fleet aircraft could "result in potential corruption of airplane systems, jeopardizing safety, rather than detecting cybersecurity safety issues."
"Should a cybersecurity safety issue occur, or be deemed likely to occur, on particular airplane models, or any portion of the current fleet, the FAA has processes in place to address and correct the safety issue," said Washington.
The GAO said it understood the FAA's concern, but that testing the systems in "isolated 'sandbox' environments" would minimize the impact.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.