Aviation Cybersecurity: FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks

GAO-21-86 Published: Oct 09, 2020. Publicly Released: Oct 09, 2020.
Jump To:
Fast Facts

Modern commercial airplanes use avionics systems and networks to share data—for GPS, weather, and communications—with pilots, maintenance crews, other aircraft, and air traffic controllers. Protection from cyberattacks is critical to safety.

Airplane manufacturers have cybersecurity controls in place and there haven't been reports of successful cyberattacks on commercial airplane IT systems to date. But evolving cyber threats and increasing connectivity between airplanes and other systems could put future flight safety at risk if the FAA doesn't prioritize oversight.

We recommended that the FAA strengthen cybersecurity oversight for airplanes.

A graphic showing a commercial airplane's systems and networks.

Highlights

What GAO Found

Modern airplanes are equipped with networks and systems that share data with the pilots, passengers, maintenance crews, other aircraft, and air-traffic controllers in ways that were not previously feasible (see fig. 1). As a result, if avionics systems are not properly protected, they could be at risk of a variety of potential cyberattacks. Vulnerabilities could occur due to (1) not applying modifications (patches) to commercial software, (2) insecure supply chains, (3) malicious software uploads, (4) outdated systems on legacy airplanes, and (5) flight data spoofing. To date, extensive cybersecurity controls have been implemented and there have not been any reports of successful cyberattacks on an airplane's avionics systems. However, the increasing connections between airplanes and other systems, combined with the evolving cyber threat landscape, could lead to increasing risks for future flight safety.

Figure 1: Key Systems Connections to Commercial Airplanes

Figure 1: Key Systems Connections to Commercial Airplanes

The Federal Aviation Administration (FAA) has established a process for the certification and oversight of all US commercial airplanes, including the operation of commercial air carriers (see fig. 2). While FAA recognizes avionics cybersecurity as a potential safety issue for modern commercial airplanes, it has not fully implemented key practices that are necessary to carry out a risk-based cybersecurity oversight program.

Specifically, FAA has not (1) assessed its oversight program to determine the priority of avionics cybersecurity risks, (2) developed an avionics cybersecurity training program, (3) issued guidance for independent cybersecurity testing, or (4) included periodic testing as part of its monitoring process. Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes.

Figure 2: Federal Aviation Administration's Certification Process for Commercial Transport Airplanes

\\vdifs02\FR_Data\TorabiT\Desktop\highlight cert.jpg

GAO has previously identified key practices for interagency collaboration that can be used to assess interagency coordination. FAA coordinates with other federal agencies, such as the Departments of Defense (DOD) and Homeland Security (DHS), and with industry to address aviation cybersecurity issues. For example, FAA co-chairs the Aviation Cyber Initiative, a tri-agency forum with DOD and DHS to address cyber risks across the aviation ecosystem. However, FAA's internal coordination activities do not fully reflect GAO's key collaboration practices. FAA has not established a tracking mechanism for monitoring progress on cybersecurity issues that are raised in coordination meetings, and its oversight coordination activities are not supported by dedicated resources within the agency's budget. Until FAA establishes a tracking mechanism for cybersecurity issues, it may be unable to ensure that all issues are appropriately addressed and resolved. Further, until it conducts an avionics cybersecurity risk assessment, it will not be able to effectively prioritize and dedicate resources to ensure that avionics cybersecurity risks are addressed in its oversight program.

Why GAO Did This Study

Avionics systems, which provide weather information, positioning data, and communications, are critical to the safe operation of an airplane. FAA is responsible for overseeing the safety of commercial aviation, including avionics systems. The growing connectivity between airplanes and these systems may present increasing opportunities for cyberattacks on commercial airplanes.

GAO was asked to review the FAA's oversight of avionics cybersecurity issues. The objectives of this review were to (1) describe key cybersecurity risks to avionics systems and their potential effects, (2) determine the extent to which FAA oversees the implementation of cybersecurity controls that address identified risks in avionics systems, and (3) assess the extent to which FAA coordinates internally and with other government and industry entities to identify and address cybersecurity risks to avionics systems.

To do so, GAO reviewed information on key cybersecurity risks to avionics systems, as reported by major industry representatives as well as key elements of an effective oversight program, and compared FAA's process for overseeing the implementation of cybersecurity controls in avionics systems with these program elements. GAO also reviewed agency documentation and interviewed agency and industry representatives to assess FAA's coordination efforts to address the identified risks.

Recommendations

GAO is making six recommendations to FAA to strengthen its avionics cybersecurity oversight program:

  • GAO recommends that FAA conduct a cybersecurity risk assessment of avionics systems cybersecurity within its oversight program to identify the relative priority of avionics cybersecurity risks compared to other safety concerns and develop a plan to address those risks.

Based on the assessment of avionics cybersecurity risks, GAO recommends that FAA

identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs.

develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing.

review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing.

ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders.

review and consider the extent to which oversight resources should be committed to avionics cybersecurity.

FAA concurred with five out of six GAO recommendations. FAA did not concur with the recommendation to consider revising its policies and procedures for periodic independent testing. GAO clarified this recommendation to emphasize that FAA safely conduct such testing as part of its ongoing monitoring of airplane safety.

Recommendations for Executive Action

Agency Affected Recommendation Status
Federal Aviation Administration The FAA Administrator should direct the Associate Administrator for Aviation Safety to conduct a risk assessment of avionics systems cybersecurity to identify the relative priority of avionics cybersecurity risks for its oversight program compared to other safety concerns and develop a plan to address those risks. (Recommendation 1)
Closed – Implemented
FAA agreed with our recommendation. Specifically, FAA conducted a risk assessment of avionics systems cybersecurity and identified cybersecurity-related risks for its oversight program. In addition, FAA developed a plan that includes how it will address those risks.
Federal Aviation Administration The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs. (Recommendation 2)
Open
In May 2023, FAA provided an update for addressing this recommendation. Specifically, FAA stated they are continuing to work on identification of staffing and training needs relative to avionics cybersecurity. However, FAA still needs to provide evidence of risk assessment outcomes and identify how they determined staffing and training needs specific to avionics cybersecurity. We will continue to communicate with FAA and monitor its actions in response to this recommendation.
Federal Aviation Administration The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing. (Recommendation 3)
Open
In May 2023, FAA provided an update for addressing this recommendation. Specifically, FAA continues to work on new policy and guidance for aircraft systems information security protection. For example, FAA plans to release relevant policy and guidance that meet the intent of the recommendation but has not provided a timeframe for publication. Further, FAA still needs to provide evidence of risk assessment outcomes that identify where FAA reviewed policies and guidance and determined it needed new or updated policy and guidance for avionics cybersecurity testing of new airplane designs that include independent testing. We will continue to communicate with FAA and monitor its actions in response to this recommendation.
Federal Aviation Administration The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing. (Recommendation 4)
Open
FAA did not concur with this recommendation. In its April 2021 response to GAO, FAA stated that it reviewed its existing policy and guidance and believes it has sufficient controls in place to monitor the deployed fleet, and they have a process in place to address and correct cybersecurity safety issues. In addition, FAA stated that any type of independent testing conducted on in-service fleets could result in potential corruption of airplane systems, jeopardizing safety rather than detecting cybersecurity safety issues. As of May 2023, FAA has taken no further action. We continue to believe that our recommendation is valid and emphasize that FAA safely conduct testing as part of its ongoing monitoring of airplane safety. We will continue to communicate with FAA and monitor its actions in response to this recommendation.
Federal Aviation Administration The FAA Administrator should direct the Associate Administrator for Aviation Safety to develop a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. (Recommendation 5)
Open
In May 2023, FAA provided an update for addressing this recommendation. Specifically, FAA stated that they are working on developing policy to track and address cybersecurity safety issues by utilizing the methodology that is used to track and address all other safety issues. However, FAA still needs to provide evidence that it has developed a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. We will continue to communicate with FAA and monitor its actions in response to this recommendation.
Federal Aviation Administration The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider the extent to which oversight resources should be committed to avionics cybersecurity. (Recommendation 6)
Open
In May 2023, FAA provided an update for addressing this recommendation. Specifically, FAA identified staff that could provide partial support to cybersecurity oversight. In addition, FAA stated that they are working on updating their process to improve oversight resource allocation to staffing, training, policy, and guidance prioritized by risk. However, FAA still needs to provide evidence of risk assessment outcomes that identify where FAA reviewed its existing oversight resources and considered the extent to which resources should be committed to avionics cybersecurity. We will continue to communicate with FAA and monitor its actions in response to this recommendation.
See All 6 Recommendations

Full Report

Highlights Page (2 pages)
Full Report (55 pages)
Accessible PDF (63 pages)
GAO Contacts
Office of Public Affairs
Topics
Information Security
AviationAviation safetyAviation securityAvionicsBest practicesCritical infrastructureCritical infrastructure vulnerabilitiesCybersecurityCyberspace threatsRisk assessment