Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Watchdog Urges More Action to Protect Planes From Hackers

Federal regulators have not taken adequate steps to protect computer systems on airliners from hackers, a government watchdog agency reported on Friday.

The agency said the Federal Aviation Administration has not developed a training program for cybersecurity or test airplane computer systems that could be vulnerable to attack.

Federal regulators have not taken adequate steps to protect computer systems on airliners from hackers, a government watchdog agency reported on Friday.

The agency said the Federal Aviation Administration has not developed a training program for cybersecurity or test airplane computer systems that could be vulnerable to attack.

The Government Accountability Office said that without improvements, “FAA may not be able to ensure sufficient oversight to guard against evolving avionics cybersecurity risks.”

The GAO recommends that FAA conduct a risk assessment of security of avionics systems and train inspectors to judge security of avionics systems. It said FAA should also enact guidance that includes independent testing of cybersecurity on new airplane designs.

The GAO report focused on the vulnerability of systems on planes that automatically transmit data to air traffic controllers, airline maintenance crews and others on the ground. Advanced networks carry data used to track planes, tell pilots about weather ahead, and handle secure communication between pilots and people on the ground.

The auditors said the ever-growing use of technology and increasingly complex systems have created “new opportunities for persons with malicious intentions to target commercial transport airplanes.” They said, however, that aircraft manufacturers have built in safeguards, and there have been no reports of successful hacker attacks.

Manufacturer representatives told GAO they realize cybersecurity threats are growing, and they are trying to involve security experts in testing their planes. Airbus officials told GAO they have allowed security agencies in France, Germany and the United Kingdom to conduct cyber-penetration tests. Boeing Co. told the auditors they have also allowed third-party testing during airplane certification after the FAA requested the step.

The FAA said it agreed with most of the watchdog agency’s recommendations. It said it has addressing cybersecurity risks to planes since 2005 using standards that were created with the help of the aviation industry.

Senators including Susan Collins, R-Maine, and Jack Reed, D-R.I., asked GAO to conduct the study, which was done between April 2019 and this month.

Related: Proposed Cyber AIR Act Would Force Cybersecurity Standards for Aircraft

Related: Aircraft Parts Maker ASCO Severely Hit by Ransomware

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.