Internet Connectivity Could Expose Aircraft Systems to Cyberattacks: GAO

A report published on Tuesday by the Government Accountability Office (GAO) warns that the Federal Aviation Administration (FAA) faces some serious cybersecurity challenges due to its transition from legacy to next generation air transportation systems.

The three main areas of concern identified by GAO in its report are the protection of air-traffic control (ATC) systems, which the agency detailed in a previous report, securing aircraft avionics systems used for operating and guiding airplanes, and the clarification of roles and responsibilities among FAA offices when it comes to cybersecurity.

GAO pointed out in its report that IP connectivity and other modern communication technologies are increasingly used in aircraft systems. The fact that airplanes are connected to the Internet could pose a serious risk because unauthorized individuals might be able to gain access to avionics systems.

The FAA says roughly 36 percent of ATC systems are currently connected using IP and the percentage is expected to increase to 50-60 percent over the next five years. Legacy systems, which are difficult to access remotely, consist of old point-to-point, hardwired systems, most of which share information only within their wired configuration.

“According to MITRE and other experts, a hybrid system comprising both IP-connected and point-to-point subsystems increases the potential for the point-to-point systems to be compromised because of the increased connectivity to the system as a whole provided by the IP-connected systems,” GAO noted in its report.

The systems in the cockpit are protected with firewalls, but experts interviewed by GAO pointed out that such protection mechanisms can be plagued by vulnerabilities that could allow hackers to bypass them.

“The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin,” GAO said. “FAA officials and experts we interviewed said that modern aircraft are also increasingly connected to the Internet, which also uses IP-networking technology and can potentially provide an attacker with remote access to aircraft information systems.”

Experts interviewed by GAO noted that Internet connectivity in the cabin provides a direct link between the aircraft and the outside world. This could potentially be exploited by a malicious actor to access onboard information systems by planting a piece of malware on a website visited by passengers.

On the other hand, airplane manufacturers say such a scenario is unlikely due to the isolation of in-flight entertainment (IFE) systems.

“IFE systems on commercial airplanes are isolated from flight and navigation systems. While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions,” Boeing representatives told SecurityWeek.

Airbus provided the following statement to SecurityWeek: “We in partnership with our suppliers are constantly assessing and revisiting the system architecture of our products with an eye to establishing and maintaining the highest standards of safety and security. Beyond that, we don’t discuss design details or safeguards publicly, as such discussion might be counterproductive to security.”

GAO noted in its report that the FAA’s Office of Safety currently certifies new interconnected systems and has started reviewing rules for certifying the IT security of all new systems as part of the aircraft certification process.

The FAA is currently in the process of designing and deploying an approach to protect its information systems enterprise-wide. Experts believe this approach is appropriate, but they recommend other measures to further enhance cybersecurity, including the development of an enterprise-level holistic threat model, and the implementation of a holistic continuous-monitoring program.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
