On April 14, the Government Accountability Office (“GAO”) issued a report highlighting cybersecurity challenges as the Federal Aviation Administration (“FAA”) transitions to the Next Generation Air Transportation System (“NextGen”) and making recommendations to protect air travel from cyber threats.  NextGen is a modernization effort to transform the current ground-based air traffic control system into a system that uses satellite-based surveillance and navigation.  Given that NextGen uses IP-networking technologies, as well as digital and Internet-based computer networking technologies, air traffic control and aircraft avionics used to operate the aircraft are more susceptible to cybersecurity risks.

The GAO recommends that the FAA design and implement more effective cybersecurity controls.  The new information systems for NextGen are designed to interoperate with other systems, creating greater ease of access for pernicious actors and the ability for damage to spread to other systems.  While the FAA has been developing “common controls” to operate on an enterprise-level across subsystems, the GAO recommends that the FAA develop threat modeling, a cybersecurity best practice, and continuous monitoring efforts to ensure that it is funneling resources to the parts of the systems most likely to be compromised. 

The GAO also recommends that the FAA better protect aircraft avionics, used to guide and operate the aircraft, to prevent hackers from gaining access to IP networking systems and compromising the avionics.  For example, passengers in the cabin increasingly can access the Internet through wireless broadband systems, but the firewalls that protect avionics systems in the cockpit from intrusion by cabin users are vulnerable to hacking or circumvention like any other software.  Additional security controls should be implemented onboard to strengthen the system.  The GAO recommends that the FAA develop new regulations requiring cybersecurity assurance in certifying the airworthiness of new aircraft and aviation equipment.  The FAA’s current aircraft airworthiness certification does not include assurance that cybersecurity has been addressed because historically aircraft avionics systems were isolated within the aircraft and not considered vulnerable to cybersecurity threats.

Please click here for a copy of the GAO Report, Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen.