Connect with us

Hi, what are you looking for?



Proposed Cyber AIR Act Would Force Cybersecurity Standards for Aircraft

“Cyber AIR” Act Would Direct FAA to Establish Cybersecurity Standards for Aircraft

Senator Edward Markey (D-Mass.), Thursday, introduced a proposed new Cyber AIR Act as amendments to the FAA Reauthorization Bill currently being debated by the Senate. His bill follows his own investigation into the security practices of airlines and aircraft manufacturers.

“Cyber AIR” Act Would Direct FAA to Establish Cybersecurity Standards for Aircraft

Senator Edward Markey (D-Mass.), Thursday, introduced a proposed new Cyber AIR Act as amendments to the FAA Reauthorization Bill currently being debated by the Senate. His bill follows his own investigation into the security practices of airlines and aircraft manufacturers.

The bill focuses on three areas. Firstly it instructs the aviation industry to disclose cyber incidents to the FAA, and the FAA to report annually to Congress. There is no specified time limit for the industry’s disclosures; however, if this was done rapidly the system could allow the FAA to operate as a threat intelligence distribution hub for the whole aviation industry. 

Cyber AIR Act Furthermore, if the FAA were to require the disclosures to be signed off by the CEOs, it would force boardrooms to take responsibility for their own security. This would help to bring cyber security to the top of the company rather than, as it is sometimes currently described, ‘being a desk in the corner of the IT department.’

Secondly, it seeks to impose a required cyber security framework on the aviation industry. This is possibly the weakest area of the bill. Business is already beset by security frameworks, and adding another one increases both confusion and complexity. 

Most large companies already follow either (sometimes both) the NIST framework or the ISO 27000 guidelines. NIST is preferred by US companies, while ISO is often selected by those companies with an international presence. It would make sense for aviation-specific requirements to be added as a section to the existing frameworks rather than develop a new one that might not align with others.

Thirdly, the bill also requires a report on cyber security risks emanating from the use of consumer devices in flight. This report should “ensure the development of effective methods for preventing foreseeable cyberattacks,” and require the implementation of all necessary “technical and operational security measures.”

The bill (PDF) has already won the support of the Association of Flight Attendants-CWA. “We promised to Never Forget our heroes or the lessons of September 11, 2001,” said Sara Nelson, president of the Association of Flight Attendants-CWA. “This drives our action as first responders to maintain the safety and security of aviation. Senator Markey has a consistent record of standing with us to keep our promise. We commend him for introducing this legislation to assess potential threats and vulnerabilities of expanded communications onboard commercial aircrafts.”

Advertisement. Scroll to continue reading.

Meanwhile, Markey has used Twitter to explain his reasoning. “My investigation shows airlines may experience frequent attempted infiltrations, but there’s no requirement to report successful attempts,” he wrote. “Terrorists will try to exploit loopholes in the transport system,” he added. “My bill would help improve cybersecurity safety for aircraft.”

Hackers have been identified as a possible threat to the airline industry. Last April, security researcher Chris Roberts was questioned by the FBI and banned from boarding a plane after he posted a message on Twitter about hacking into an aircraft’s systems.

In 2015, the Government Accountability Office (GAO) published a report detailing the challenges faced by the Federal Aviation Administration (FAA) as it transitions to next generation air transportation systems. The report warns that Internet connectivity could expose aircraft to cyberattacks.

While security experts have often warned about the vulnerabilities affecting aircraft systems, airplane manufacturers say it’s not an easy task to hack the most critical and essential functions.

Boeing has pointed out that in-flight entertainment (IFE) systems are isolated from flight and navigation systems.

“IFE systems on commercial airplanes are isolated from flight and navigation systems. While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions,” Boeing told SecurityWeek in April 2015.

Airbus also told SecurityWeek last year: “We in partnership with our suppliers are constantly assessing and revisiting the system architecture of our products with an eye to establishing and maintaining the highest standards of safety and security. Beyond that, we don’t discuss design details or safeguards publicly, as such discussion might be counterproductive to security.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.