April 13, 2015

DeFazio Reacts to GAO Report On FAA Exposure to Cyberattacks

Washington, D.C. – Today, Ranking Member of the Committee on Transportation and Infrastructure Peter DeFazio (D-OR) issued the following statement after the GAO issued three recommendations to protect the flying public against cyberattacks on our aviation system.

“This report exposed a real and serious threat—cyberattacks on an aircraft in flight. FAA must focus on aircraft certification standards that would prevent a terrorist with a laptop in the cabin or on the ground from taking control of an airplane through the passenger Wi Fi system.  That’s a serious vulnerability, and FAA should work quickly to implement the GAO's latest recommendations as well as the 17 recommendations from the GAO’s previous report on aviation cybersecurity to ensure we continue to have the safest, most secure aviation system,” said DeFazio.

DeFazio was a co-requester on the report.

Unlike the previous generation of aircraft, new airplanes increasingly are equipped with networked flight control computers and avionics, as well as in-flight Wi Fi systems for passenger entertainment and productivity. When Wi Fi systems share routers or even the same internal wires with flight control computers and avionics, “a user could subvert the firewall and access the cockpit avionics system from the cabin,” the GAO found.  Moreover, the FAA “has not yet developed new regulations to certify cybersecurity assurance for avionics systems,” although the agency in 2013 began a process to identify the new certification requirements that would be necessary to prevent a cyberattack on an aircraft in flight.  That work is ongoing.  The GAO recommended that the FAA’s Office of Aviation Safety be more closely involved in an agency-wide effort to identify and correct cybersecurity vulnerabilities.

The GAO evaluated other aspects of the FAA’s cybersecurity preparedness, as well.  The GAO also found that

  • the FAA’s NextGen end state will revolve around Internet-based computing “in the cloud,” which increases the agency’s vulnerability to cyberattacks; and

  • the FAA’s management of security controls and oversight of major contractors could be improved.  For example, contractors working on two major NextGen systems (including one to replace radio voice communications between pilots and controllers with datalink communications) are not using the most recent version of Federal cybersecurity standards.

The report makes three recommendations that the FAA “1) assess the cost and time needed to develop a [cyber-]threat model, 2) include [the Office of Aviation Safety, which certifies new airplanes] on the Cyber Security Steering Committee [tasked to improve FAA’s cybersecurity], and 3) develop a plan to implement [Federal cybersecurity standards] revisions within OMB timeframes.”

Today’s report is the second GAO report in as many months on FAA efforts to shore up the cybersecurity of computer systems.  The first report, publicly released March 3, included 17 recommendations and identified 168 corrective actions that the FAA should implement to protect against the possibility of a cyberattack on the Nation’s air traffic control infrastructure.

Today’s report can be found here: https://www.gao.gov/products/GAO-15-370

The March 3rd report can be found here: https://www.gao.gov/products/GAO-15-221