Cybersecurity experts are deeply concerned that the U.S. aviation industry is not doing enough to protect itself against attacks on its highly interconnected avionics systems.
Consider that airplanes use avionics networks that share data across a range of applications. This includes GPS, weather, and communications sent between pilots, maintenance crews, air traffic controllers, other aircraft, aviation manufacturers, and more. Each of these players handles its own basic cybersecurity requirements. However, the Federal Aviation Administration (FAA) is responsible for overseeing all of the above. The FAA is the ultimate authority for ensuring aviation safety.
But when separate players are juggling multiple systems like those described above, the situation is ripe for gaps to form. Think of it as the proverbial “the left hand does not know what the right hand is doing” kind of situation.
The bottom line is that the aviation industry must strive to stay ahead of numerous vulnerabilities, and the overall system is only as strong as its weakest link.
In this day of unprecedented financial stress bearing down on the aviation sector due to the effect of the COVID-19 pandemic, opportunistic attackers may find increased opportunities to strike.
That’s why the Government Accounting Office (GAO) recently raised alarms when it issued a report that showed how individual aircraft carry several computer systems that are vulnerable to hacking. The GAO study found that airlines have not installed nearly enough security to protect the personal computer systems on each aircraft.
The GAO also found that the Federal Aviation Administration has not created a tracking mechanism that can monitor cybersecurity issues as they come up in coordination meetings.
It must be noted that the FAA has not dropped the ball completely. It has set forth a strategic plan for the years 2019 through 2022. This plan has adopted a cybersecurity framework developed by the National Institute of Standards and Technology (NIST). NIST is an arm of the U.S. Department of Commerce.
The FAA has also conducted risk assessments for its operations and mission-related systems. This includes the many air traffic control systems owned by the FAA. Even so, the GAO report scolded the FAA for not conducting a risk assessment to set out priorities in terms of potential cybersecurity attacks on avionics systems.