From the Government Accountability Office: Aviation Cyber Security Capabilities Lacking
Cyber security has become a mounting concern for the aviation industry – and rightfully so. Most recently, a study conducted by the GAO identified several critical risks in the Federal Aviation Administration’s cyber program.
In an industry where the safety of millions every day hinges on connected systems and long distance communication channels, securing those systems against malicious actors is an issue with risks that go far beyond potential financial losses or damage to brand reputation.
Last week, the U.S. General Accountability Office published the results of a study that it conducted on the Federal Aviation Administration’s current cyber security capabilities as the FAA transitions to the Next Generation Air Transportation System. Ultimately, the GAO’s report identified three key areas in which the FAA needed to improve: protecting air-traffic control (ATC) information systems, protecting the avionics that aircraft rely on for communication and navigation, and improving the FAA’s organizational structure for cyber security.
While the GAO acknowledged some progress the FAA has made towards improving cyber security, the report also identified several weaknesses that could enable attackers to gain unauthorized access to or even take control of aircraft systems. Among the top weaknesses identified is the FAA’s current lack of a cyber security threat model. Without such a model, the FAA will continue to be at a disadvantage for identifying and detecting cyber threats as well as creating effective cyber security strategies.
The report also named the interconnectedness of modern aircraft as a significant security vulnerability. While many contemporary avionics systems rely on Internet connectivity, those connections can also serve as an entry point for malicious actors seeking to access navigation or control systems. What’s more, the FAA Aviation Safety (AVS) organization – that is, the organization tasked with reviewing and certifying new information systems for aircraft – is not currently a part of the FAA’s Cyber Security Steering Committee. As a result, there is a strong potential for a lack of organizational alignment around key cyber security strategies and policies, particularly regarding the security of aircraft information systems.
Finally, the GAO study found a few shortcomings in the FAA’s adoption of NIST recommendations. For one, the GAO highlighted their slowness in implementing NIST’s risk management recommendations in their acquisition of the NextGen system. Additionally, the report drew concern to the fact that the NextGen Surveillance and Broadcast Services System has still not adopted the most recent changes to NIST security requirements, including improvements to their intrusion detection capabilities. Those standards – which were updated in April 2013 – are required to be implemented within a year by the Office of Management and Budget. Failing to implement these NIST requirements means that NextGen and/or SBSS systems could still be vulnerable to exploitation until updated.
Of course, the risk of any of these weaknesses being exploited is significant. If an attacker were successful in compromising air traffic control systems or avionics, they could potentially alter flight routes, interfere with communication between aircraft, or even override operation of a plane. In response to these risks, the GAO has offered the FAA three recommendations for improving its cyber security capabilities: “1) assess developing a cybersecurity threat model, 2) include AVS as a full member of the (Cyber Security Steering) Committee, and 3) develop a plan to implement NIST revisions within OMB's time frames.”
Ultimately, the FAA issues identified by the GAO go beyond your run-of-the-mill security risks; if exploited by the wrong parties, they could turn into matters of life and death for millions of air travelers. As aviation security issues continue to gain more attention, we can only hope that the industry – including aviation government agencies, aircraft manufacturers, and airlines themselves – makes cyber security a priority.