The Federal Aviation Administration has not taken adequate steps to address the increasing risk of cyberattacks against commercial aircraft avionics, says a new report from the US Government Accountability Office (GAO).

“The increasing connections between airplanes and other systems, combined with the evolving cyber-threat landscape, could lead to increasing risks for future flight safety,” says the report, released 9 October.

The report adds that cybersecurity risks “are not specifically addressed in FAA’s standing regulations”.

The Federal Bureau of Investigation said in 2015 that it had found evidence hacker Chris Roberts had tampered with a United Airlines Boeing 737’s in-flight entertainment system. Roberts had claimed he had hacked into jets’ flight management computers.

The GAO report recommends the FAA develop avionics cybersecurity training, issue cybersecurity testing guidance and “include periodic testing as part of its monitoring process”.

“Until FAA strengthens its oversight programme, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes,” GAO says.

The FAA did not respond to a request for comment.

However, the FAA Reauthorization Act of 2018 required the agency to consider revising regulations to address avionics cybersecurity concerns, and to require avionics be protected against hacking via jets’ in-flight entertainment systems.

In August 2020, FAA officials said their agency was “in the process of determining timeframes to address the provisions”, according to the GAO report.

The agency has also agreed to work with the US Department of Defense to find means to “mitigate ADS-B-related security risks”, and is part of a joint-agency government effort intended to address cybersecurity, GAO says.

The GAO report lays out means by which avionics can be vulnerable to hacking. Those include failure to upload software patches, vulnerabilities introduced by “insecure” suppliers and “outdated systems on legacy airplanes”. Systems also face a threat from “spoofing”, which involves sending avionics messages disguised as legitimate.

Attacks could come from individual criminals, terrorists, hostile nations or insiders, such as airline and airport employees, GAO says.

There have “not been any reports of successful cyberattacks on an aircraft’s avionics systems”, the report adds.

However, in recent years several hackers have raised concerns about cybersecurity. In 2013, at a conference in Amsterdam, an expert named Hugo Teso demonstrated a process he said would enable him to access an aircraft’s flight management system (FMS) via interfaces to the jet’s automatic dependent surveillance-broadcast (ADS-B) system and the ACARS communication system.

The GAO report notes that ADS-B data is “unencrypted and unauthenticated”.

Also, a hacker named Chris Roberts claimed in 2015 that he had hacked into a commercial aircraft’s FMS while in flight, and then commanded the thrust computer into climb mode.