The Federal Aviation Administration (FAA) needs to take further action to spur improvements in aircraft avionics systems in order to meet evolving cybersecurity threats and the trend toward increased connectivity between aircraft and systems, the Government Accountability Office said.
“If avionics systems are not properly protected, they could be at risk of a variety of potential cyberattacks,” the GAO report found.
According to the report, avionics vulnerabilities can stem from a variety of sources including: not applying modifications (patches) to commercial software; insecure supply chains; malicious software uploads; outdated systems on legacy airplanes; and flight data spoofing.
“The [FAA] has established a process for the certification and oversight of all US commercial airplanes, including the operation of commercial air carriers,” GAO wrote. “While FAA recognizes avionics cybersecurity as a potential safety issue for modern commercial airplanes, it has not fully implemented key practices that are necessary to carry out a risk-based cybersecurity oversight program.”
GAO made six recommendations to FAA to best strengthen its avionics cybersecurity oversight program, including:
- Conducting a cybersecurity risk assessment of avionics systems cybersecurity within its oversight program to identify cybersecurity risks, and developing a plan to address them;
- Identifying staffing and training needs for agency inspectors specific to avionics cybersecurity, and implementing training to address needs;
- Developing and implementing guidance for avionics cybersecurity testing on new airplane designs;
- Reviewing and possibly revising policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet, to include developing procedures for safely conducting independent testing;
- Ensuring cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders; and
- Reviewing and considering the extent to which oversight resources should be committed to cybersecurity.
FAA concurred with five out of six GAO recommendations, with the exception being the recommendation on revising policies and procedures for periodic independent testing. GAO said it clarified that recommendation “to emphasize that FAA safely conduct such testing as part of its ongoing monitoring of airplane safety.”