Many aspects of our daily lives are becoming more and more computerized. Whether it’s our automobiles, watches, or refrigerators, the increased connectivity with the internet offers various features to make life more convenient. That same trend is also taking place on modern commercial airplanes. From the control tower to the cockpit to the cabin, increasing computerization and connectivity also opens the door to more opportunities for cyberattacks. With the number of flights that typically occur every minute of every day, proper cybersecurity is a matter of safety for passengers.
The United States Government Accountability Office, or US GAO, recently published a report on aviation cybersecurity, raising awareness of vulnerabilities and the importance of proper oversight. Released on October 9th, the report highlights several areas of aviation that regulators, airlines, and other stakeholders need to be aware of.
Where vulnerabilities could occur
The US GAO highlights notes that various networks and systems on modern aircraft share data with a fair number of players. They include:
- Maintenance crews
- Other aircraft
- Air-traffic controllers
These avionics systems must be adequately protected as they could be at risk of various potential cyberattacks.
Potential vulnerabilities include:
- Not applying modifications (patches) to commercial software
- Insecure supply chains
- Malicious software uploads
- Outdated systems on legacy airplanes
- Flight data spoofing
According to the US GAO, extensive cybersecurity controls have been implemented to date, and there have not been any reports of successful cyberattacks on an airplane’s avionics systems. It adds, however, that increasing connections between aircraft and other systems could lead to increased risks for future flight safety – especially as cybercriminals continue to evolve in their operations and tactics.
Why and how civil aviation regulators must strengthen security
The report by the Government Accountability Office primarily serves as a warning for the United States Federal Aviation Administration (FAA), which is responsible for the certification and oversight of all US commercial airplanes, including the operation of commercial air carriers.
“While FAA recognizes avionics cybersecurity as a potential safety issue for modern commercial airplanes, it has not fully implemented key practices that are necessary to carry out a risk-based cybersecurity oversight program.” -US GAO
There are four areas the US GAO says the FAA must examine:
- An oversight program is needed to determine the priority of avionics cybersecurity risks
- The creation of an avionics cybersecurity training program
- Issuing guidance for independent cybersecurity testing
- The inclusion of periodic testing as part of its monitoring process
“Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes.” -US GAO
Are you at all worried about cybersecurity in aviation? Let us know your thoughts on the issue by leaving a comment.