All modern airplanes use what is known as avionics systems and networks for the purpose of sharing a wide range of data, including GPS, weather, and communications. This information is shared with pilots, maintenance crews, other airplanes, and air traffic controllers.
In an interview at our own SecureWorld Cincinnati conference, Deneen DeFiore, former VP & CISO at GE Aviation and current CISO at United Airlines, discussed the importance of cybersecurity and aviation.
"Planes are actually flying networks, if you think about it. And there's a digital supply chain behind this whole thing that makes this ecosystem thrive. We still have engines that are in service and flying perfectly well that are 50 plus years old. So we're talking about lifelong longevity and how we keep up with cyber threats with an installed base as well as the newer technologies that are coming on board here. You can't just consider the initial load of software, or load or launch of the product, but you have to incorporate methods of security that provide that long term support, secure support and flexibility along that lifecycle."
If this information is compromised through a cyberattack, those on board the plane will have their safety put at risk and the corporation or airport's reputation could be damaged.
New GAO aviation cybersecurity report
Evolving cyber threats and increasing connectivity between systems has the potential to put future flight safety at risk if the Federal Aviation Administration (FAA) fails to manage these threats properly.
The U.S. Government Accountability Office (GAO) recently released a report detailing practices the FAA should use to strengthen its oversight of cybersecurity risks.
Here is what the GAO says is missing in aviation cybersecurity:
"Specifically, FAA has not (1) assessed its oversight program to determine the priority of avionics cybersecurity risks, (2) developed an avionics cybersecurity training program, (3) issued guidance for independent cybersecurity testing, or (4) included periodic testing as part of its monitoring process. Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes."
The GAO lists five ways that vulnerabilities could arise:
1. "Not applying modifications (patches) to commercial software,
2. Insecure supply chains,
3. Malicious software uploads,
4. Outdated systems on legacy airplanes,
5. Flight data spoofing."
Aside from the GAO's list of vulnerabilities, the FAA has established a process for all U.S. commercial airplanes to address these vulnerabilities. The graphic below represents the FAA's Certification Process for Commercial Transport Airplanes.
Even though the FAA recognizes cybersecurity as a risk to safety for commercial airplanes, they have not implemented all of the key steps necessary to conduct a risk-based cybersecurity oversight program.
6 recommendations from GAO for FAA
The GAO was asked to review the FAA's oversight of avionics cybersecurity issues for three reasons: detailing risks to avionics systems and their potential effects; analyzing the implementation of cybersecurity controls and how they address risks; and determining the extent to which the FAA communicates internally, with the government, and with other organizations about the risks to avionics systems.
With this purpose in mind, the GAO came up with six recommendations for the FAA to improve its avionics cybersecurity program:
- "GAO recommends that FAA conduct a cybersecurity risk assessment of avionics systems cybersecurity within its oversight program to identify the relative priority of avionics cybersecurity risks compared to other safety concerns and develop a plan to address those risks.
- Identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs.
- Develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing.
- Review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing.
- Ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders.
- Review and consider the extent to which oversight resources should be committed to avionics cybersecurity."
It is worth noting that the FAA concurred with five out of the six GAO recommendations. They did not agree with the recommendation to "review and consider revising its policies and procedures" for periodic independent testing. The GAO clarified this recommendation to emphasize that the FAA safely conduct such testing as part of its ongoing monitoring of airplane safety.
For more information on this topic, read the GAO Aviation Cybersecurity Report.