Aviation Cybersecurity: FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks
Fast Facts
Modern commercial airplanes use avionics systems and networks to share data—for GPS, weather, and communications—with pilots, maintenance crews, other aircraft, and air traffic controllers. Protection from cyberattacks is critical to safety.
Airplane manufacturers have cybersecurity controls in place and there haven't been reports of successful cyberattacks on commercial airplane IT systems to date. But evolving cyber threats and increasing connectivity between airplanes and other systems could put future flight safety at risk if the FAA doesn't prioritize oversight.
We recommended that the FAA strengthen cybersecurity oversight for airplanes.
Highlights
What GAO Found
Modern airplanes are equipped with networks and systems that share data with the pilots, passengers, maintenance crews, other aircraft, and air-traffic controllers in ways that were not previously feasible (see fig. 1). As a result, if avionics systems are not properly protected, they could be at risk of a variety of potential cyberattacks. Vulnerabilities could occur due to (1) not applying modifications (patches) to commercial software, (2) insecure supply chains, (3) malicious software uploads, (4) outdated systems on legacy airplanes, and (5) flight data spoofing. To date, extensive cybersecurity controls have been implemented and there have not been any reports of successful cyberattacks on an airplane's avionics systems. However, the increasing connections between airplanes and other systems, combined with the evolving cyber threat landscape, could lead to increasing risks for future flight safety.
Figure 1: Key Systems Connections to Commercial Airplanes
The Federal Aviation Administration (FAA) has established a process for the certification and oversight of all US commercial airplanes, including the operation of commercial air carriers (see fig. 2). While FAA recognizes avionics cybersecurity as a potential safety issue for modern commercial airplanes, it has not fully implemented key practices that are necessary to carry out a risk-based cybersecurity oversight program.
Specifically, FAA has not (1) assessed its oversight program to determine the priority of avionics cybersecurity risks, (2) developed an avionics cybersecurity training program, (3) issued guidance for independent cybersecurity testing, or (4) included periodic testing as part of its monitoring process. Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes.
Figure 2: Federal Aviation Administration's Certification Process for Commercial Transport Airplanes
GAO has previously identified key practices for interagency collaboration that can be used to assess interagency coordination. FAA coordinates with other federal agencies, such as the Departments of Defense (DOD) and Homeland Security (DHS), and with industry to address aviation cybersecurity issues. For example, FAA co-chairs the Aviation Cyber Initiative, a tri-agency forum with DOD and DHS to address cyber risks across the aviation ecosystem. However, FAA's internal coordination activities do not fully reflect GAO's key collaboration practices. FAA has not established a tracking mechanism for monitoring progress on cybersecurity issues that are raised in coordination meetings, and its oversight coordination activities are not supported by dedicated resources within the agency's budget. Until FAA establishes a tracking mechanism for cybersecurity issues, it may be unable to ensure that all issues are appropriately addressed and resolved. Further, until it conducts an avionics cybersecurity risk assessment, it will not be able to effectively prioritize and dedicate resources to ensure that avionics cybersecurity risks are addressed in its oversight program.
Why GAO Did This Study
Avionics systems, which provide weather information, positioning data, and communications, are critical to the safe operation of an airplane. FAA is responsible for overseeing the safety of commercial aviation, including avionics systems. The growing connectivity between airplanes and these systems may present increasing opportunities for cyberattacks on commercial airplanes.
GAO was asked to review the FAA's oversight of avionics cybersecurity issues. The objectives of this review were to (1) describe key cybersecurity risks to avionics systems and their potential effects, (2) determine the extent to which FAA oversees the implementation of cybersecurity controls that address identified risks in avionics systems, and (3) assess the extent to which FAA coordinates internally and with other government and industry entities to identify and address cybersecurity risks to avionics systems.
To do so, GAO reviewed information on key cybersecurity risks to avionics systems, as reported by major industry representatives as well as key elements of an effective oversight program, and compared FAA's process for overseeing the implementation of cybersecurity controls in avionics systems with these program elements. GAO also reviewed agency documentation and interviewed agency and industry representatives to assess FAA's coordination efforts to address the identified risks.
Recommendations
GAO is making six recommendations to FAA to strengthen its avionics cybersecurity oversight program:
- GAO recommends that FAA conduct a cybersecurity risk assessment of avionics systems cybersecurity within its oversight program to identify the relative priority of avionics cybersecurity risks compared to other safety concerns and develop a plan to address those risks.
Based on the assessment of avionics cybersecurity risks, GAO recommends that FAA
identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs.
develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing.
review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing.
ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders.
review and consider the extent to which oversight resources should be committed to avionics cybersecurity.
FAA concurred with five out of six GAO recommendations. FAA did not concur with the recommendation to consider revising its policies and procedures for periodic independent testing. GAO clarified this recommendation to emphasize that FAA safely conduct such testing as part of its ongoing monitoring of airplane safety.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Federal Aviation Administration | The FAA Administrator should direct the Associate Administrator for Aviation Safety to conduct a risk assessment of avionics systems cybersecurity to identify the relative priority of avionics cybersecurity risks for its oversight program compared to other safety concerns and develop a plan to address those risks. (Recommendation 1) |
FAA agreed with our recommendation. Specifically, FAA conducted a risk assessment of avionics systems cybersecurity and identified cybersecurity-related risks for its oversight program. In addition, FAA developed a plan that includes how it will address those risks.
|
| Federal Aviation Administration | The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs. (Recommendation 2) |
FAA agreed with our recommendation. FAA has identified staff and training needs relative to avionics cybersecurity. In addition, FAA developed required training courses for engineers, designees, and staff with oversight responsibilities. Further, FAA has a process to regularly review and update staffing and training needs as aviation standards, regulations, and policies evolve.
|
| Federal Aviation Administration | The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing. (Recommendation 3) | FAA agreed with our recommendation. In October 2024, FAA provided an update for addressing this recommendation. Specifically, FAA issued new policy and guidance for aircraft systems information security protection that establishes requirements for cybersecurity protections of current and new aircraft designs and identifies industry standards that may be used as a means of compliance for those requirements and includes the need for test plans. For example, this would include analyzing and mitigating vulnerabilities and establishing procedures for continued airworthiness necessary to maintain cybersecurity protections. By establishing these new requirements and procedures, including the...
|
| Federal Aviation Administration | The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing. (Recommendation 4) |
FAA did not concur with this recommendation. In its November 2023 response to GAO, FAA met the intent of this recommendation. Specifically, FAA reviewed and considered its existing policy and procedures and believes it has sufficient controls in place to monitor the deployed fleet, and also a process in place to address and correct cybersecurity safety issues. In addition, FAA stated that any type of independent testing conducted on in-service fleets could result in potential corruption of airplane systems, jeopardizing safety rather than detecting cybersecurity safety issues.
|
| Federal Aviation Administration | The FAA Administrator should direct the Associate Administrator for Aviation Safety to develop a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. (Recommendation 5) |
FAA agreed with our recommendation. In November 2023, FAA provided an updated policy that includes a mechanism to appropriately track and resolve safety issues, including those related to avionics cybersecurity, when coordinating among internal stakeholders.
|
| Federal Aviation Administration | The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider the extent to which oversight resources should be committed to avionics cybersecurity. (Recommendation 6) |
FAA agreed with our recommendation. In November 2023, FAA provided its updated policy that includes a process to allocate oversight resources (such as staffing, training, policy, and guidance) related to avionics cybersecurity.
|