From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Protecting Air Travel from Cyberthreats

Description: Airplanes are equipped with systems that provide information about the weather, flight location, communications, and more. While these systems are critical to flight safety, they also present opportunities for cyberattacks on commercial airplanes. We talk with GAO experts Heather Krause and Nick Marinos about a new report on the cybersecurity issues facing avionics systems.

Related GAO Work: GAO-21-86, Aviation Cybersecurity: FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks

Released: October 2020

[Intro Music]

[Nick Marinos:] While there haven't been any reported cyberattacks on an airplane, the risks for such attacks grow because airplane systems are going to continue to be more connected.

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office--I'm Holly Hobbs. Airplanes are equipped with systems that provide information about the weather, flight location, communication, and more. While these systems are critical to flight safety, they also present opportunities for cyberattacks on commercial airplanes. Today we talk with 2 GAO experts about a new report about cybersecurity issues facing avionics systems. Joining us are:
- Nick Marinos, an expert on cybersecurity issues and a director in our Information Technology and Cybersecurity team, and
- Heather Krause, an expert on aviation safety and a director in our Physical Infrastructure team

Thank you for joining us Heather and Nick!

[Heather Krause:] Thank you!

[Nick Marinos:] Thanks a lot.

[Holly Hobbs:] So Nick, what are the cybersecurity risks to airplanes?

[Nick Marinos:] So, avionics systems--if not properly protected--could be vulnerable to a variety of potential cyberattacks.
So, critical data that may be used by systems within the airplane's cockpit could be altered. It's possible that someone with authorized access could even intentionally or unintentionally misuse flight data. It's possible that commercial components within avionic systems may contain vulnerabilities that enable cyberattacks.

[Holly Hobbs:] Where are these threats coming from?

[Nick Marinos:] Well, the reality is, it's from a bunch of different sources including--nation states, cybercriminals, terrorists and insider threats.

[Holly Hobbs:] And would these attacks occur when planes are on the ground or during flights?

[Nick Marinos:] So, I think it's really important to emphasize that--to date--there haven't been any reported cyberattacks on an operational airplane. Having said that, these attacks could occur on the ground. So, when an airplane is physically connected to other airport systems. And attacks could come through systems and devices that may even be used by maintenance crews. It's also important to note though that FAA and airlines are aware of these possibilities and so far they've been taking actions--along with the manufacturers--to prevent anyone from mounting a successful cybersecurity attack either in flight or on the ground.

[Holly Hobbs:] And Heather, what's the federal role in protecting flights from cyberattacks?

[Heather Krause:] Several federal agencies play a role in identifying and reducing cybersecurity risks. So, FAA is responsible for the safety and oversight of the commercial aviation system. The DHS [Department of Homeland Security] is also involved. They are responsible for identifying cybersecurity vulnerabilities and coordinating actions to mitigate cybersecurity risks across the federal government. DHS along with DOD [Department of Defense] have responsibilities related to airplane cybersecurity research in coordination with FAA and aviation stakeholders.
So, it's important that these agencies really work together and coordinate with industry and other stakeholders to ensure that the aviation system is protected.

[Holly Hobbs:] And Heather, when I think of air travel, I think of the major airline companies--which are private companies, right? Don't they also play a role in protecting travelers from these attacks?

[Heather Krause:] Absolutely. In particular with the airlines, they're responsible for adhering to guidance provided to them by the manufacturer when the aircraft is purchased. And the guidance includes instructions on how maintenance of the airplane's internal networks and external connections, as well as a process for addressing and reporting safety related cybersecurity incidents to FAA and to the manufacturer. The airlines are also required to file an aircraft network security program with the FAA. That program helps to ensure that electronic security protections are in place. And then the FAA inspectors are then responsible for monitoring the airlines' adherence to this program. However, we found that FAA does not require periodic testing of avionic systems as a preventative measure to reduce cybersecurity risks. And we feel that such testing could help FAA ensure that there are controls in place to effectively mitigate the evolving cybersecurity risks for avionics.

[Music]

[Holly Hobbs:] So, it sounds like avionics systems, which are meant to promote safety on airplanes and other aircraft, can also be attractive targets for cyberterrorists and other bad actors. But that FAA and other stakeholders--like commercial airline companies--are working together to protect flights from these risks. Heather, what additional steps could FAA take to better protect airplanes from cyberattacks?

[Heather Krause:] A key action we identified for FAA is to conduct a risk assessment of avionic systems cybersecurity. And then to develop a plan to address those risks.
Once that assessment is completed, it can be used for FAA to develop the appropriate training programs for staff overseeing avionic cybersecurity. Two, to develop and implement guidance for avionic cybersecurity testing of new airplane designs. Third, it could be used to consider revising procedures for monitoring the effectiveness of avionic cybersecurity controls in deployed aircraft. And finally, the assessment can help in terms of considering the extent to which oversight resources should be committed to avionic cybersecurity.

[Holly Hobbs:] And Nick, last question. Bottom line, what should people know about the threat of cyberattacks on airplanes?

[Nick Marinos:] While there haven't been any reported cyberattacks on an airplane, the risks for such attacks grow because airplane systems are going to continue to be more connected in the future than ever. And, as Heather pointed out, we think it's very important for FAA and the aviation industry to take steps to make sure these risks are mitigated in the future.

[Holly Hobbs:] That was GAO's Heather Krause and Nick Marinos talking about their new report about aviation cybersecurity. Thank you for your time, Team!

[Heather Krause:] Thank you!

[Nick Marinos:] Thanks a lot, Holly.

[Holly Hobbs:] And thank YOU for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts. And make sure you leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at G-A-O dot gov.