Security Experts:

Internet Connectivity Could Expose Aircraft Systems to Cyberattacks: GAO

A report published on Tuesday by the Government Accountability Office (GAO) warns that the Federal Aviation Administration (FAA) faces some serious cybersecurity challenges due to its transition from legacy to next generation air transportation systems.

The three main areas of concern identified by GAO in its report are the protection of air-traffic control (ATC) systems, which the agency detailed in a previous report, securing aircraft avionics systems used for operating and guiding airplanes, and the clarification of roles and responsibilities among FAA offices when it comes to cybersecurity.

GAO pointed out in its report that IP connectivity and other modern communication technologies are increasingly used in aircraft systems. The fact that airplanes are connected to the Internet could pose a serious risk because unauthorized individuals might be able to gain access to avionics systems.

The FAA says roughly 36 percent of ATC systems are currently connected using IP and the percentage is expected to increase to 50-60 percent over the next five years. Legacy systems, which are difficult to access remotely, consist of old point-to-point, hardwired systems, most of which share information only within their wired configuration.

“According to MITRE and other experts, a hybrid system comprising both IP-connected and point-to-point subsystems increases the potential for the point-to-point systems to be compromised because of the increased connectivity to the system as a whole provided by the IP-connected systems,” GAO noted in its report.

The systems in the cockpit are protected with firewalls, but experts interviewed by GAO pointed out that such protection mechanisms can be plagued by vulnerabilities that could allow hackers to bypass them.

“The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin,” GAO said. “FAA officials and experts we interviewed said that modern aircraft are also increasingly connected to the Internet, which also uses IP-networking technology and can potentially provide an attacker with remote access to aircraft information systems.”

Experts interviewed by GAO noted that Internet connectivity in the cabin provides a direct link between the aircraft and the outside world. This could potentially be exploited by a malicious actor to access onboard information systems by planting a piece of malware on a website visited by passengers.

On the other hand, airplane manufacturers say such a scenario is unlikely due to the isolation of in-flight entertainment (IFE) systems.

“IFE systems on commercial airplanes are isolated from flight and navigation systems. While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions,” Boeing representatives told SecurityWeek.

Airbus provided the following statement to SecurityWeek: “We in partnership with our suppliers are constantly assessing and revisiting the system architecture of our products with an eye to establishing and maintaining the highest standards of safety and security. Beyond that, we don't discuss design details or safeguards publicly, as such discussion might be counterproductive to security.”

GAO noted in its report that the FAA’s Office of Safety currently certifies new interconnected systems and has started reviewing rules for certifying the IT security of all new systems as part of the aircraft certification process.

The FAA is currently in the process of designing and deploying an approach to protect its information systems enterprise-wide. Experts believe this approach is appropriate, but they recommend other measures to further enhance cybersecurity, including the development of an enterprise-level holistic threat model, and the implementation of a holistic continuous-monitoring program.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.