Airplane manufacturers have cybersecurity controls in place and there haven't been reports of successful cyberattacks on commercial airplane IT systems to date. But evolving cyber threats and increasing connectivity between airplanes and other systems could put future flight safety at risk if the FAA doesn't prioritize oversight, according to the Government Accountability Office (GAO).
An agency report found the growing connectivity between airplanes and modern avionics systems may present increasing opportunities for cyberattacks. It noted six cybersecurity recommendations for avionics systems to securely interact with commercial airplanes.
GAO’s recommendations to FAA included the following:
- Conduct a cybersecurity risk assessment of avionics systems cybersecurity within its oversight program to identify the relative priority of avionics cybersecurity risks compared to other safety concerns and develop a plan to address those risks.
- Identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs.
- Develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing.
- Review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing.
- Ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders.
- Review and consider the extent to which oversight resources should be committed to avionics cybersecurity.
Tim Wade, technical director of the CTO Team at Vectra, said given the real risk to human life and the importance of air travel, it’s encouraging that GAO now agrees that technology has evolved to the point where previously unconsidered attack vectors are possible and relevant, highlighting that security has become an ongoing – not just a point-in-time – activity.
“Unfortunately, policy recommendations alone won’t be adequate to address these risks,” Wade said. “They must be accompanied by both the commitment to implement a competent technical mapping between objectives and outcomes that account for modern adversarial tradecraft, and actual penalties for failures.”