United States Government Accountability Office Report to Congressional Requesters October 2020 AVIATION CYBERSECURITY FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks GAO-21-86 October 2020 AVIATION CYBERSECURITY FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks Highlights of GAO-21-86, a report to congressional requesters Why GAO Did This Study What GAO Found Avionics systems, which provide Modern airplanes are equipped with networks and systems that share data with weather information, positioning data, the pilots, passengers, maintenance crews, other aircraft, and air-traffic and communications, are critical to controllers in ways that were not previously feasible (see fig. 1). As a result, if the safe operation of an airplane. avionics systems are not properly protected, they could be at risk of a variety of FAA is responsible for overseeing the potential cyberattacks. Vulnerabilities could occur due to (1) not applying safety of commercial aviation, modifications (patches) to commercial software, (2) insecure supply chains, (3) including avionics systems. The malicious software uploads, (4) outdated systems on legacy airplanes, and (5) growing connectivity between flight data spoofing. To date, extensive cybersecurity controls have been airplanes and these systems may implemented and there have not been any reports of successful cyberattacks on present increasing opportunities for an airplane’s avionics systems. However, the increasing connections between cyberattacks on commercial airplanes. airplanes and other systems, combined with the evolving cyber threat landscape, could lead to increasing risks for future flight safety. GAO was asked to review the FAA’s oversight of avionics cybersecurity Figure 1: Key Systems Connections to Commercial Airplanes issues. The objectives of this review were to (1) describe key cybersecurity risks to avionics systems and their potential effects, (2) determine the extent to which FAA oversees the implementation of cybersecurity controls that address identified risks in avionics systems, and (3) assess the extent to which FAA coordinates internally and with other government and industry entities to identify and address cybersecurity risks to avionics systems. To do so, GAO reviewed information on key cybersecurity risks to avionics systems, as reported by major industry representatives as well as key elements of an effective oversight program, and compared FAA’s process for overseeing the implementation of cybersecurity controls in avionics systems with these program elements. GAO also reviewed agency documentation and interviewed agency and industry representatives to assess FAA’s coordination efforts to address the The Federal Aviation Administration (FAA) has established a process for the identified risks. certification and oversight of all US commercial airplanes, including the operation of commercial air carriers (see fig. 2). While FAA recognizes avionics cybersecurity as a potential safety issue for modern commercial airplanes, it has View GAO-21-86. For more information, contact Nick Marinos at (202) 512-9342 or not fully implemented key practices that are necessary to carry out a risk-based [email protected], or Heather Krause at cybersecurity oversight program. (202) 512-2834 or [email protected]. United States Government Accountability Office Specifically, FAA has not (1) assessed its oversight program to determine the What GAO Recommends priority of avionics cybersecurity risks, (2) developed an avionics cybersecurity training program, (3) issued guidance for independent cybersecurity testing, or GAO is making six recommendations (4) included periodic testing as part of its monitoring process. Until FAA to FAA to strengthen its avionics strengthens its oversight program, based on assessed risks, it may not be able to cybersecurity oversight program: ensure it is providing sufficient oversight to guard against evolving cybersecurity • GAO recommends that FAA risks facing avionics systems in commercial airplanes. conduct a cybersecurity risk Figure 2: Federal Aviation Administration’s Certification Process for Commercial Transport assessment of avionics systems Airplanes cybersecurity within its oversight program to identify the relative priority of avionics cybersecurity risks compared to other safety concerns and develop a plan to address those risks. Based on the assessment of avionics cybersecurity risks, GAO recommends that FAA • identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs. • develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing. • review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing. • ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. • review and consider the extent to which oversight resources should be committed to avionics cybersecurity. GAO has previously identified key practices for interagency collaboration that can FAA concurred with five out of six be used to assess interagency coordination. FAA coordinates with other federal GAO recommendations. FAA did not concur with the agencies, such as the Departments of Defense (DOD) and Homeland Security recommendation to consider (DHS), and with industry to address aviation cybersecurity issues. For example, revising its policies and FAA co-chairs the Aviation Cyber Initiative, a tri-agency forum with DOD and procedures for periodic DHS to address cyber risks across the aviation ecosystem. However, FAA’s independent testing. GAO clarified internal coordination activities do not fully reflect GAO’s key collaboration this recommendation to practices. FAA has not established a tracking mechanism for monitoring progress emphasize that FAA safely on cybersecurity issues that are raised in coordination meetings, and its conduct such testing as part of its oversight coordination activities are not supported by dedicated resources within ongoing monitoring of airplane the agency’s budget. Until FAA establishes a tracking mechanism for safety. cybersecurity issues, it may be unable to ensure that all issues are appropriately addressed and resolved. Further, until it conducts an avionics cybersecurity risk assessment, it will not be able to effectively prioritize and dedicate resources to ensure that avionics cybersecurity risks are addressed in its oversight program. Contents Letter 1 Background 5 Increasing Cybersecurity Risks to Avionics Systems, If Unaddressed, Could Impact Flight Safety as Airplanes Become More Connected 19 FAA Has Not Fully Implemented Key Practices to Oversee Industry Mitigation of Avionics Cybersecurity Risks 26 FAA Has Taken Steps to Coordinate Cybersecurity Issues, but Has Not Focused on Avionics Cybersecurity Risks 35 Conclusions 42 Recommendations for Executive Action 43 Agency Comments and Our Evaluation 44 Appendix I Comments from the Department of Defense 46 Appendix II Comments from the Department of Transportation 47 Appendix III GAO Contacts and Staff Acknowledgments 49 Figures Figure 1: Key Systems Connections to Commercial Airplanes 6 Figure 2: FAA’s Certification Process for Commercial Transport Airplanes 11 Figure 3: Examples of FAA’s External Coordinating Mechanisms for Aviation Cybersecurity Activities, Issues, Rulemaking, or Technical Advice 37 Page i GAO-21-86 Aviation Cybersecurity Abbreviations ACARS Aircraft Communications Addressing and Reporting System ACI Aviation Cyber Initiative ADS-B Automatic Dependent Surveillance-Broadcast AFDX Avionics Full-Duplex Switched Ethernet AFS Flight Standards Service AIR Aircraft Certification Service A-ISAC Aviation Information Sharing and Analysis Center ARINC Aeronautical Radio, Inc. ASH Security and Hazardous Material Safety ATC Air Traffic Control AVS Aviation Safety CFR Code of Federal Regulations CyberCAT Cyber Safety Commercial Aviation Team DHS Department of Homeland Security DOD Department of Defense EUROCAE European Organisation for Civil Aviation Equipment EASA European Aviation Safety Agency FAA Federal Aviation Administration ICAO International Civil Aviation Organization IFE in-flight entertainment ILS instrument landing system NextGen Next Generation Air Transportation System NIST National Institute of Standards and Technology NSAS National Strategy for Aviation Security RTCA Radio Technical Commission for Aeronautics TSA Transportation Security Administration This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Page ii GAO-21-86 Aviation Cybersecurity Letter 441 G St. N.W. Washington, DC 20548 October 9, 2020 The Honorable Susan M. Collins Chairman The Honorable Jack Reed Ranking Member Subcommittee on Transportation, Housing and Urban Development, and Related Agencies Committee on Appropriations United States Senate The U.S. aviation industry—including passenger air carriers, cargo