AASHTO Journal - GAO Report Highlights FAA Cybersecurity Gaps

A new Government Accounting Office report claims the Federal Aviation Administration “has not fully implemented key practices” that are necessary to carry out a risk-based cybersecurity oversight program for the U.S. aviation industry.

[Above photo by the FAA.]

The 55-page report states that modern aircraft are equipped with networks and systems that share data with the pilots, passengers, maintenance crews, other aircraft, and air-traffic controllers “in ways that were not previously feasible” and if those avionics systems are not protected properly, they could be at risk of a variety of potential cyberattacks.

Vulnerabilities cited by the GAO report include not applying modifications or “patches” to commercial aviation software; vulnerabilities within aviation supply chains; malicious software uploads; outdated systems on legacy airplanes; and flight data spoofing.

The GAO stressed that currently, there have been no reports of successful cyberattacks on an airplane’s avionics systems. However, the increasing connections between airplanes and other systems – combined with the evolving cyber threat landscape – could lead to increasing risks for future flight safety.

Key lapses in current FAA cybersecurity protocols highlighted in the GAO report include not assessing its oversight program to determine the priority of avionics cybersecurity risks; not developing an avionics cybersecurity training program; not issuing guidance for independent cybersecurity testing; and not including periodic testing as part of its monitoring process.

“Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes,” the report said.

Meanwhile, the FAA issued a final rule on October 15 modernizing the licensing requirements for commercial space transportation launches and reentries.

The FAA said its new rule consolidates four regulatory parts and applies a single set of licensing and safety regulations for all types of vehicle operations. It also provides flexibility for operators to meet safety requirements and improves efficiency by encouraging launch and reentry operators to suggest and implement design and operational solutions to meet the regulatory standards.

“This rule paves the way for an industry that is moving at lightning speed,” said Steve Dickson, FAA administrator, in a statement. “We are simplifying the licensing process and enabling industry to move forward in a safe manner.”