The Federal Aviation Administration (FAA) has agreed in part to improve its cybersecurity after a critical Government Accountability Office (GAO) report highlighted some key challenges which may be putting passenger safety at risk.
The 56-page report published this week points to three areas of weakness: protecting air traffic control (ATC) systems; protecting ‘avionics’ used to guide and control aircraft; and clarifying security roles in FAA offices.
Although the FAA has taken steps to improve cybersecurity in ATC systems, the GAO pointed out that “significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system.”
Specifically, the FAA hasn’t developed a cybersecurity threat model, which could help identify threats to its systems and be used “as a basis for aligning cybersecurity efforts and limited resources.”
The GAO report also warned that the increasingly internet-connected nature of modern aircraft could expose them to the risk of security incidents if hackers gain unauthorized remote access to avionics systems.
The GAO claimed that although the FAA had created a dedicated Cyber Security Steering Committee, its own Office of Safety (AVS) was not represented.
Finally, GAO said the Surveillance and Broadcast Services Subsystem (SBSS), which enables satellite guidance of planes, hasn’t yet adopted changes made to security controls brought in by NIST back in April 2013, including intrusion detection improvements.
For its part, the FAA has apparently agreed to develop a cybersecurity threat model, and implement the NIST revisions, but claimed that the AVS is already sufficiently involved in cybersecurity efforts and doesn’t need a seat on the steering committee.
Malwarebytes malware intelligence analyst, Jovi Umawing, argued that although on-board firewalls could theoretically be bypassed by hackers, aircraft systems are always built with safety in mind.
“These systems, which we deem life- or safety-critical, have redundancies in place to lessen the chances of tragic outcomes should they be compromised,” she added.
“As the GAO report does not clearly elaborate if this new threat via cabin Wi-Fi takes into account such systems, we can’t know for sure if an attack like this would be successful.”
However, passengers connecting to the internet on board should treat the network as they would free public Wi-Fi.
“That means avoiding logging into websites containing lots of sensitive information like online banking or social media accounts,” she cautioned.
“Airplane Wi-Fi may be password protected but that doesn’t mean there isn’t someone logged onto the network sniffing around for packets and looking to take advantage of travelers’ trust in the system.”