A United States watchdog is warning that NextGen avionics could render the cockpit vulnerable to cyber attack.
A new report by the nation’s Government Accountability Office (GAO) reckons that because modern aircraft are increasingly connected to the Internet, this interconnectedness could allow a terrorist to hack into flight-critical avionics systems from the back of the cabin.
“Aircraft information systems consist of avionics systems used for flight and in-flight entertainment. Historically, aircraft in flight and their avionics systems used for flight guidance and control functioned as isolated and self-contained units, which protected their avionics systems from remote attack,” it noted.
However, according to the FAA itself and several experts the GAO consulted, the firewalls that should now protect flight-critical avionics systems from intrusion by passengers using in-flight entertainment could be hacked just like any other software and circumvented, as the cabin and avionics systems basically share the same physical wiring harness or router and use the same networking platform.
“According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors,” it warned.
Attacks could be waged via onboard wireless broadband systems, where a virus or malware embedded maliciously in the websites operating those systems could provide a terrorist with an opportunity.
The GAO found that even a pilot’s personal smartphone or tablet could put a system at risk of compromise, because these devices have the capability to transmit information to aircraft avionics systems.
More worryingly, the rules governing the FAA’s aircraft-airworthiness certification do not currently include cyber security safeguards. The FAA does, however, issue rules with limited scope, called Special Conditions, to aircraft manufacturers where interconnectivity could present cyber security risks.
The GAO said that the aviation agency views these conditions as an integral part of the certification process, with which to address the risks associated with the increased connectivity among cockpit and cabin systems on aircraft such as the Boeing 787 and Airbus A350.
FAA officials told the GAO that the agency would support bringing together all the research behind cyber security-related Special Conditions as the basis for new rules, which would offer it more certainty as a certification organisation.
Another principal cyber security challenge is protecting air traffic control information systems.
A January report by the Government Accountability Office watchdog noted that even though the aviation agency has taken steps to protect its ATC systems from cyber-based threats, significant security-control weaknesses still threaten the safe and uninterrupted operation of the national airspace system.
While the FAA has agreed to address these weaknesses, the GAO found that, nevertheless, the FAA will continue to be challenged in protecting ATC systems because it has yet to develop a cyber security threat model.
One solution would be to conduct modeling to identify potential threats to information systems and to serve as a basis for aligning cyber security efforts and limited resources.
“While the FAA has taken some steps toward developing such a model, it has no plans to produce one and has not assessed the funding or time that would be needed to do so.”
Without such a model, the watchdog said it feared that the FAA may not be allocating resources properly to guard against the most significant cyber security threats.