The Federal Aviation Administration (FAA) lacks “key practices that are necessary to carry out a risk-based cybersecurity oversight program” with regards to avionics, according to the Government Accountability Office (GAO).
“While FAA recognizes avionics cybersecurity as a potential safety issue for modern commercial airplanes, it has not fully implemented key practices that are necessary to carry out a risk-based cybersecurity oversight program” — GAO report
On Friday, the GAO issued its assessment of the FAA’s cybersecurity efforts and found that while airplane and avionics manufacturers “have undertaken extensive measures” to thwart cyberattacks, the FAA is lacking a comprehensive, risk-based avionics cybersecurity oversight program.
Specifically, the GAO found that the FAA has not:
- Assessed its oversight program to determine the priority of avionics cybersecurity risks
- Developed an avionics cybersecurity training program
- Issued guidance for independent cybersecurity testing
- Included periodic testing as part of its monitoring process
The good news is that “to date, there have been no reports of successful cyberattacks on an airplane’s avionics systems.”
However, without a comprehensive cybersecurity oversight system in place, “the evolving cyber threat landscape, combined with the increasing use of internal networks on airplanes and the increasing connections between airplanes and external sources, could lead to increasing risks for future flight safety.”The threats facing the aviation system are numerous and diverse — from outdated legacy systems that are vulnerable to malware to the “growing connectivity between airplane networks and systems and various other systems via the Internet,” and the ever-present risk of insider threats and supply chain insecurity.
The 55-page report gives a full list of vulnerabilities to avionics, and here we have highlighted the main bullet points:
- Commercial Software May Not Always Be Updated Promptly to Correct Flaws
- Vulnerabilities Could Be Introduced in the Supply Chain If