The US Government Accountability Office (GOA) has urged the Federal Aviation Administration to take action to better protect modern commercial airplanes from cyber-risks.
In a post on its website, the GOA wrote: “Modern airplanes are equipped with networks and systems that share data with the pilots, passengers, maintenance crews, other aircraft and air-traffic controllers in ways that were not previously feasible.
“To date, extensive cybersecurity controls have been implemented and there have not been any reports of successful cyber-attacks on an airplane’s avionics systems. However, the increasing connections between airplanes and other systems, combined with the evolving cyber-threat landscape, could lead to increasing risks for future flight safety.”
The agency warned that if avionics systems are not properly protected, they could be at risk to a variety of potential cyber-attacks, with vulnerabilities occurring due to factors such as poor patch management, insecure supply chains and outdated systems.
The GOA has therefore set out a six-piece cybersecurity recommendation guide to executive action.
Commenting on the news, Tim Mackey, principal security strategist at the Synopsys CyRC, said: “Aircraft, like passenger cars, have seen an increase in computerization with software controls becoming an integral component of modern flight systems. As with vehicle systems, aircraft have a long lifespan – meaning that the software used in flight operations, both onboard aircraft and as part of flight activities, will be in use for far longer than that found in consumer situations.”
Properly managing cybersecurity with long lifecycle products requires anticipating future risks when building threat models, he added.
“For example, in recent years the concept of a software supply chain vulnerability has become front of mind as the growth of open source software usage grew. Such attacks can target not only open source software, but the commercial software built using compromised components. Detecting such attacks is challenging in part due to the potential for an attacker to mask their malicious code within a fix for an independent, but legitimate software bug. While the primary goal of such an attack might be financial, were a component compromised in this manner to be used in flight operations, it could offer an opportunity for another malicious group to target an airline or airline operations. This is an example of how attackers define the rules of their attacks and use the opportunities available to them and is also an example of the types of threats highlighted by the GAO.”