January 22, 2022

Aviation Cybersecurity: FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks

What GAO Found

Modern airplanes are equipped with networks and systems that share data with the pilots, passengers, maintenance crews, other aircraft, and air-traffic controllers in ways that were not previously feasible (see fig. 1). As a result, if avionics systems are not properly protected, they could be at risk of a variety of potential cyberattacks. Vulnerabilities could occur due to (1) not applying modifications (patches) to commercial software, (2) insecure supply chains, (3) malicious software uploads, (4) outdated systems on legacy airplanes, and (5) flight data spoofing. To date, extensive cybersecurity controls have been implemented and there have not been any reports of successful cyberattacks on an airplane’s avionics systems. However, the increasing connections between airplanes and other systems, combined with the evolving cyber threat landscape, could lead to increasing risks for future flight safety.

Figure 1: Key Systems Connections to Commercial Airplanes

The Federal Aviation Administration (FAA) has established a process for the certification and oversight of all US commercial airplanes, including the operation of commercial air carriers (see fig. 2). While FAA recognizes avionics cybersecurity as a potential safety issue for modern commercial airplanes, it has not fully implemented key practices that are necessary to carry out a risk-based cybersecurity oversight program.

Specifically, FAA has not (1) assessed its oversight program to determine the priority of avionics cybersecurity risks, (2) developed an avionics cybersecurity training program, (3) issued guidance for independent cybersecurity testing, or (4) included periodic testing as part of its monitoring process. Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes.

Figure 2: Federal Aviation Administration’s Certification Process for Commercial Transport Airplanes

GAO has previously identified key practices for interagency collaboration that can be used to assess interagency coordination. FAA coordinates with other federal agencies, such as the Departments of Defense (DOD) and Homeland Security (DHS), and with industry to address aviation cybersecurity issues. For example, FAA co-chairs the Aviation Cyber Initiative, a tri-agency forum with DOD and DHS to address cyber risks across the aviation ecosystem. However, FAA’s internal coordination activities do not fully reflect GAO’s key collaboration practices. FAA has not established a tracking mechanism for monitoring progress on cybersecurity issues that are raised in coordination meetings, and its oversight coordination activities are not supported by dedicated resources within the agency’s budget. Until FAA establishes a tracking mechanism for cybersecurity issues, it may be unable to ensure that all issues are appropriately addressed and resolved. Further, until it conducts an avionics cybersecurity risk assessment, it will not be able to effectively prioritize and dedicate resources to ensure that avionics cybersecurity risks are addressed in its oversight program.

Why GAO Did This Study

Avionics systems, which provide weather information, positioning data, and communications, are critical to the safe operation of an airplane. FAA is responsible for overseeing the safety of commercial aviation, including avionics systems. The growing connectivity between airplanes and these systems may present increasing opportunities for cyberattacks on commercial airplanes.

GAO was asked to review the FAA’s oversight of avionics cybersecurity issues. The objectives of this review were to (1) describe key cybersecurity risks to avionics systems and their potential effects, (2) determine the extent to which FAA oversees the implementation of cybersecurity controls that address identified risks in avionics systems, and (3) assess the extent to which FAA coordinates internally and with other government and industry entities to identify and address cybersecurity risks to avionics systems.

To do so, GAO reviewed information on key cybersecurity risks to avionics systems, as reported by major industry representatives, as well as key elements of an effective oversight program, and compared FAA’s process for overseeing the implementation of cybersecurity controls in avionics systems with these program elements. GAO also reviewed agency documentation and interviewed agency and industry representatives to assess FAA’s coordination efforts to address the identified risks.

What GAO Recommends

GAO is making six recommendations to FAA to strengthen its avionics cybersecurity oversight program:

  • GAO recommends that FAA conduct a cybersecurity risk assessment of avionics systems cybersecurity within its oversight program to identify the relative priority of avionics cybersecurity risks compared to other safety concerns and develop a plan to address those risks.

Based on the assessment of avionics cybersecurity risks, GAO recommends that FAA

  • identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs;
  • develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing;
  • review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing;
  • ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders; and
  • review and consider the extent to which oversight resources should be committed to avionics cybersecurity.

FAA concurred with five out of six GAO recommendations. FAA did not concur with the recommendation to consider revising its policies and procedures for periodic independent testing. GAO clarified this recommendation to emphasize that FAA safely conduct such testing as part of its ongoing monitoring of airplane safety.

For more information, contact Nick Marinos at (202) 512-9342 or MarinosN@gao.gov, or Heather Krause at (202) 512-2834 or KrauseH@gao.gov.


Network News © 2005 Area.Control.Network™ All rights reserved.