Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Internet Connectivity Could Expose Aircraft Systems to Cyberattacks: GAO

A report published on Tuesday by the Government Accountability Office (GAO) warns that the Federal Aviation Administration (FAA) faces some serious cybersecurity challenges due to its transition from legacy to next generation air transportation systems.

A report published on Tuesday by the Government Accountability Office (GAO) warns that the Federal Aviation Administration (FAA) faces some serious cybersecurity challenges due to its transition from legacy to next generation air transportation systems.

The three main areas of concern identified by GAO in its report are the protection of air-traffic control (ATC) systems, which the agency detailed in a previous report, securing aircraft avionics systems used for operating and guiding airplanes, and the clarification of roles and responsibilities among FAA offices when it comes to cybersecurity.

GAO pointed out in its report that IP connectivity and other modern communication technologies are increasingly used in aircraft systems. The fact that airplanes are connected to the Internet could pose a serious risk because unauthorized individuals might be able to gain access to avionics systems.

The FAA says roughly 36 percent of ATC systems are currently connected using IP and the percentage is expected to increase to 50-60 percent over the next five years. Legacy systems, which are difficult to access remotely, consist of old point-to-point, hardwired systems, most of which share information only within their wired configuration.

“According to MITRE and other experts, a hybrid system comprising both IP-connected and point-to-point subsystems increases the potential for the point-to-point systems to be compromised because of the increased connectivity to the system as a whole provided by the IP-connected systems,” GAO noted in its report.

The systems in the cockpit are protected with firewalls, but experts interviewed by GAO pointed out that such protection mechanisms can be plagued by vulnerabilities that could allow hackers to bypass them.

“The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin,” GAO said. “FAA officials and experts we interviewed said that modern aircraft are also increasingly connected to the Internet, which also uses IP-networking technology and can potentially provide an attacker with remote access to aircraft information systems.”

Advertisement. Scroll to continue reading.

Experts interviewed by GAO noted that Internet connectivity in the cabin provides a direct link between the aircraft and the outside world. This could potentially be exploited by a malicious actor to access onboard information systems by planting a piece of malware on a website visited by passengers.

On the other hand, airplane manufacturers say such a scenario is unlikely due to the isolation of in-flight entertainment (IFE) systems.

“IFE systems on commercial airplanes are isolated from flight and navigation systems. While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions,” Boeing representatives told SecurityWeek.

Airbus provided the following statement to SecurityWeek: “We in partnership with our suppliers are constantly assessing and revisiting the system architecture of our products with an eye to establishing and maintaining the highest standards of safety and security. Beyond that, we don’t discuss design details or safeguards publicly, as such discussion might be counterproductive to security.”

GAO noted in its report that the FAA’s Office of Safety currently certifies new interconnected systems and has started reviewing rules for certifying the IT security of all new systems as part of the aircraft certification process.

The FAA is currently in the process of designing and deploying an approach to protect its information systems enterprise-wide. Experts believe this approach is appropriate, but they recommend other measures to further enhance cybersecurity, including the development of an enterprise-level holistic threat model, and the implementation of a holistic continuous-monitoring program.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...

Application Security

Vulnerability researchers at Google Project Zero are calling attention to the ongoing “patch-gap” problem in the Android ecosystem, warning that downstream vendors continue to...

Application Security

Malware hunters at Microsoft are calling attention to a nasty macOS malware family that has evolved quickly from a basic information-gathering trojan to a...

Application Security

Cybersecurity powerhouse Palo Alto Networks on Thursday announced plans to spend $195 million in cash to acquire Israeli startup Cider Security, a deal that...