Aviation Cybersecurity:
FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks
GAO-21-86: Published: Oct 9, 2020. Publicly Released: Oct 9, 2020.
Multimedia:
- PODCAST: Protecting Air Travel from Cyberthreats. Airplanes are equipped with systems that provide information about the weather, flight location, communications, and more. While these systems are critical to flight safety, they also present opportunities for cyberattacks on commercial airplanes. We talk with GAO experts Heather Krause and Nick Marinos about a new report on the cybersecurity issues facing avionics systems.
Contact:
- Nick Marinos, (202) 512-9342, MarinosN@gao.gov
- Heather Krause, (202) 512-2834, KrauseH@gao.gov
- Office of Public Affairs, (202) 512-4800, youngc1@gao.gov
Modern commercial airplanes use avionics systems and networks to share data—for GPS, weather, and communications—with pilots, maintenance crews, other aircraft, and air traffic controllers. Protection from cyberattacks is critical to safety.
Airplane manufacturers have cybersecurity controls in place and there haven't been reports of successful cyberattacks on commercial airplane IT systems to date. But evolving cyber threats and increasing connectivity between airplanes and other systems could put future flight safety at risk if the FAA doesn't prioritize oversight.
We recommended that the FAA strengthen cybersecurity oversight for airplanes.
What GAO Found
Modern airplanes are equipped with networks and systems that share data with the pilots, passengers, maintenance crews, other aircraft, and air-traffic controllers in ways that were not previously feasible (see fig. 1). As a result, if avionics systems are not properly protected, they could be at risk of a variety of potential cyberattacks. Vulnerabilities could occur due to (1) not applying modifications (patches) to commercial software, (2) insecure supply chains, (3) malicious software uploads, (4) outdated systems on legacy airplanes, and (5) flight data spoofing. To date, extensive cybersecurity controls have been implemented and there have not been any reports of successful cyberattacks on an airplane's avionics systems. However, the increasing connections between airplanes and other systems, combined with the evolving cyber threat landscape, could lead to increasing risks for future flight safety.
Figure 1: Key Systems Connections to Commercial Airplanes
The Federal Aviation Administration (FAA) has established a process for the certification and oversight of all US commercial airplanes, including the operation of commercial air carriers (see fig. 2). While FAA recognizes avionics cybersecurity as a potential safety issue for modern commercial airplanes, it has not fully implemented key practices that are necessary to carry out a risk-based cybersecurity oversight program.
Specifically, FAA has not (1) assessed its oversight program to determine the priority of avionics cybersecurity risks, (2) developed an avionics cybersecurity training program, (3) issued guidance for independent cybersecurity testing, or (4) included periodic testing as part of its monitoring process. Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes.
Figure 2: Federal Aviation Administration's Certification Process for Commercial Transport Airplanes
GAO has previously identified key practices for interagency collaboration that can be used to assess interagency coordination. FAA coordinates with other federal agencies, such as the Departments of Defense (DOD) and Homeland Security (DHS), and with industry to address aviation cybersecurity issues. For example, FAA co-chairs the Aviation Cyber Initiative, a tri-agency forum with DOD and DHS to address cyber risks across the aviation ecosystem. However, FAA's internal coordination activities do not fully reflect GAO's key collaboration practices. FAA has not established a tracking mechanism for monitoring progress on cybersecurity issues that are raised in coordination meetings, and its oversight coordination activities are not supported by dedicated resources within the agency's budget. Until FAA establishes a tracking mechanism for cybersecurity issues, it may be unable to ensure that all issues are appropriately addressed and resolved. Further, until it conducts an avionics cybersecurity risk assessment, it will not be able to effectively prioritize and dedicate resources to ensure that avionics cybersecurity risks are addressed in its oversight program.
Why GAO Did This Study
Avionics systems, which provide weather information, positioning data, and communications, are critical to the safe operation of an airplane. FAA is responsible for overseeing the safety of commercial aviation, including avionics systems. The growing connectivity between airplanes and these systems may present increasing opportunities for cyberattacks on commercial airplanes.
GAO was asked to review the FAA's oversight of avionics cybersecurity issues. The objectives of this review were to (1) describe key cybersecurity risks to avionics systems and their potential effects, (2) determine the extent to which FAA oversees the implementation of cybersecurity controls that address identified risks in avionics systems, and (3) assess the extent to which FAA coordinates internally and with other government and industry entities to identify and address cybersecurity risks to avionics systems.
To do so, GAO reviewed information on key cybersecurity risks to avionics systems, as reported by major industry representatives as well as key elements of an effective oversight program, and compared FAA's process for overseeing the implementation of cybersecurity controls in avionics systems with these program elements. GAO also reviewed agency documentation and interviewed agency and industry representatives to assess FAA's coordination efforts to address the identified risks.
What GAO Recommends
GAO is making six recommendations to FAA to strengthen its avionics cybersecurity oversight program:
- GAO recommends that FAA conduct a cybersecurity risk assessment of avionics systems cybersecurity within its oversight program to identify the relative priority of avionics cybersecurity risks compared to other safety concerns and develop a plan to address those risks.
- Based on the assessment of avionics cybersecurity risks, GAO recommends that FAA:
  - identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs;
  - develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing;
  - review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing;
  - ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders; and
  - review and consider the extent to which oversight resources should be committed to avionics cybersecurity.
FAA concurred with five out of six GAO recommendations. FAA did not concur with the recommendation to consider revising its policies and procedures for periodic independent testing. GAO clarified this recommendation to emphasize that FAA safely conduct such testing as part of its ongoing monitoring of airplane safety.
For more information, contact Nick Marinos at (202) 512-9342 or MarinosN@gao.gov, or Heather Krause at (202) 512-2834 or KrauseH@gao.gov.
Recommendations for Executive Action
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety to conduct a risk assessment of avionics systems cybersecurity to identify the relative priority of avionics cybersecurity risks for its oversight program compared to other safety concerns and develop a plan to address those risks. (Recommendation 1)
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs. (Recommendation 2)
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing. (Recommendation 3)
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing. (Recommendation 4)
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety to develop a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. (Recommendation 5)
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider the extent to which oversight resources should be committed to avionics cybersecurity. (Recommendation 6)
Agency Affected: Department of Transportation: Federal Aviation Administration