Could Hackers Breach Aviation Safety?

Many aspects of our daily lives are becoming more and more computerized. Whether it’s our automobiles, watches, or refrigerators, the increased connectivity with the internet offers various features to make life more convenient. That same trend is also taking place on modern commercial airplanes. From the control tower to the cockpit to the cabin, increasing computerization and connectivity also open the door to more opportunities for cyberattacks. With the number of flights that typically occur every minute of every day, proper cybersecurity is a matter of safety for passengers.

Modern commercial airplanes use avionics systems and networks to share data—for the weather, GPS, and communications. Photo: Getty Images

The United States Government Accountability Office, or US GAO, recently published a report on aviation cybersecurity, raising awareness of vulnerabilities and the importance of proper oversight. Released on October 9th, the report highlights several areas of aviation that regulators, airlines, and other stakeholders need to be aware of.

Where vulnerabilities could occur

The US GAO notes that various networks and systems on modern aircraft share data with a fair number of players. They include:

  • Pilots
  • Passengers
  • Maintenance crews
  • Other aircraft
  • Air-traffic controllers

In the recent past, we’ve already seen how systems failures at airports and air traffic control centers have led to mass groundings and cancelations of flights. Photo: British Airways

These avionics systems must be adequately protected as they could be at risk of various potential cyberattacks.

Potential vulnerabilities include:

  • Not applying modifications (patches) to commercial software
  • Insecure supply chains
  • Malicious software uploads
  • Outdated systems on legacy airplanes
  • Flight data spoofing

The critical systems connections to commercial airplanes. Photo: United States Government Accountability Office

According to the US GAO, extensive cybersecurity controls have been implemented to date, and there have not been any reports of successful cyberattacks on an airplane’s avionics systems. It adds, however, that increasing connections between aircraft and other systems could lead to increased risks for future flight safety – especially as cybercriminals continue to evolve in their operations and tactics.

Why and how civil aviation regulators must strengthen security

The report by the Government Accountability Office primarily serves as a warning for the United States Federal Aviation Administration (FAA), which is responsible for the certification and oversight of all US commercial airplanes, including the operation of commercial air carriers.

Inflight entertainment systems are just one example of a system vulnerable to cyber-attacks. Photo: Chris Loh/Simple Flying

“While FAA recognizes avionics cybersecurity as a potential safety issue for modern commercial airplanes, it has not fully implemented key practices that are necessary to carry out a risk-based cybersecurity oversight program.” -US GAO

There are four areas the US GAO says the FAA must examine:

  • An oversight program is needed to determine the priority of avionics cybersecurity risks
  • The creation of an avionics cybersecurity training program
  • Issuing guidance for independent cybersecurity testing
  • The inclusion of periodic testing as part of its monitoring process

easyJet was recently a victim of a cyberattack in which the personal data of up to nine million customers was exposed. Photo: easyJet

“Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes.” -US GAO

Are you at all worried about cybersecurity in aviation? Let us know your thoughts on the issue by leaving a comment.