“Cyber AIR” Act Would Direct FAA to Establish Cybersecurity Standards for Aircraft
Senator Edward Markey (D-Mass.), Thursday, introduced a proposed new Cyber AIR Act as amendments to the FAA Reauthorization Bill currently being debated by the Senate. His bill follows his own investigation into the security practices of airlines and aircraft manufacturers.
The bill focuses on three areas. Firstly it instructs the aviation industry to disclose cyber incidents to the FAA, and the FAA to report annually to Congress. There is no specified time limit for the industry’s disclosures; however, if this was done rapidly the system could allow the FAA to operate as a threat intelligence distribution hub for the whole aviation industry.
Secondly, it seeks to impose a required cyber security framework on the aviation industry. This is possibly the weakest area of the bill. Business is already beset by security frameworks, and adding another one increases both confusion and complexity.
Most large companies already follow either (sometimes both) the NIST framework or the ISO 27000 guidelines. NIST is preferred by US companies, while ISO is often selected by those companies with an international presence. It would make sense for aviation-specific requirements to be added as a section to the existing frameworks rather than develop a new one that might not align with others.
Thirdly, the bill also requires a report on cyber security risks emanating from the use of consumer devices in flight. This report should “ensure the development of effective methods for preventing foreseeable cyberattacks,” and require the implementation of all necessary “technical and operational security measures.”
The bill (PDF) has already won the support of the Association of Flight Attendants-CWA. “We promised to Never Forget our heroes or the lessons of September 11, 2001,” said Sara Nelson, president of the Association of Flight Attendants-CWA. “This drives our action as first responders to maintain the safety and security of aviation. Senator Markey has a consistent record of standing with us to keep our promise. We commend him for introducing this legislation to assess potential threats and vulnerabilities of expanded communications onboard commercial aircrafts.”
Meanwhile, Markey has used Twitter to explain his reasoning. “My investigation shows airlines may experience frequent attempted infiltrations, but there’s no requirement to report successful attempts,” he wrote. “Terrorists will try to exploit loopholes in the transport system,” he added. “My bill would help improve cybersecurity safety for aircraft.”
Hackers have been identified as a possible threat to the airline industry. Last April, security researcher Chris Roberts was questioned by the FBI and banned from boarding a plane after he posted a message on Twitter about hacking into an aircraft’s systems.
In 2015, the Government Accountability Office (GAO) published a report detailing the challenges faced by the Federal Aviation Administration (FAA) as it transitions to next generation air transportation systems. The report warns that Internet connectivity could expose aircraft to cyberattacks.
While security experts have often warned about the vulnerabilities affecting aircraft systems, airplane manufacturers say it’s not an easy task to hack the most critical and essential functions.
Boeing has pointed out that in-flight entertainment (IFE) systems are isolated from flight and navigation systems.
“IFE systems on commercial airplanes are isolated from flight and navigation systems. While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions,” Boeing told SecurityWeek in April 2015.
Airbus also told SecurityWeek last year: “We in partnership with our suppliers are constantly assessing and revisiting the system architecture of our products with an eye to establishing and maintaining the highest standards of safety and security. Beyond that, we don’t discuss design details or safeguards publicly, as such discussion might be counterproductive to security.”