Watchdog: FAA needs to do more to address aircraft cybersecurity

The Federal Aviation Administration has to tighten up its oversight of cybersecurity for advanced, networked aviation control systems that are being installed in commercial aircraft because of looming threats, according to a government watchdog report.

Global positioning, weather, and communications systems and other advancing IT onboard new aircraft that share data with pilots, passengers, maintenance crews, other aircraft, and air-traffic controllers have opened a new frontier for cyberattack, said a Government Accountability Office report released on Oct. 9.

Auditors said that while aircraft and avionics makers have put extensive measures in place to foil cyberattacks, the aviation regulator has to prioritize and fully implement its own risk-based cybersecurity oversight program. The GAO said the FAA has worked on coordinating aviation ecosystem cybersecurity with the Departments of Defense and Homeland Security and the aviation industry on the Aviation Cyber Initiative. However, said the GAO, the FAA hasn't done enough internally to assess and manage the growing risks.

Even though there have been no reported successful cyberattacks on aircraft avionics, said the report, the potential for altered cockpit data, misused flight data or even disruption of flight operations looms over networked avionics IT systems.

The list of potential cyber bad guys is a familiar one, according to the GAO. Nation/state hackers, terrorist groups and insiders all could steal, alter or actively use data from avionics systems to wreak havoc if it's not properly protected, said the study.

The GAO recommended specific actions the FAA should take to help avoid those potential consequences, including conducting a risk assessment of avionics systems' vulnerabilities to prioritize oversight plans and improving training for FAA inspectors on avionic cybersecurity. Additionally, FAA should assess the cybersecurity risks of avionics systems in aircraft already in use, including independent testing of those systems.

The Department of Transportation, FAA's parent agency, agreed with all of the GAO's recommendations, except independent testing of avionics systems onboard aircraft already in use.

A letter from Keith Washington, DOT deputy assistant secretary for administration, pushed back warning GAO that testing on in-service fleet aircraft could "result in potential corruption of airplane systems, jeopardizing safety, rather than detecting cybersecurity safety issues."

"Should a cybersecurity safety issue occur, or be deemed likely to occur, on particular airplane models, or any portion of the current fleet, the FAA has processes in place to address and correct the safety issue," said Washington.

The GAO said it understood the FAA's concern, but that testing the systems in "isolated 'sandbox' environments" would minimize the impact.