
FAA Working on New Guidelines for Hack-Proof Planes


The Federal Aviation Administration has begun shaping cybersecurity regulations for airplane manufacturers, amid warnings that the criss-crossing of onboard networks poses risks to flight safety. 

Researchers have been invited to build upon an FAA-developed framework for testing a plane’s susceptibility to hacks, agency officials announced on a federal contracting site.

The new FAA initiative is geared toward informing federal policies for aircraft suppliers.

Over the past two years, verified network intrusions at FAA and airports worldwide, along with claims of in-flight hacks, have intensified public and government attention to aviation cybersecurity.  

The framework will be tested on an air-to-ground data communications network, called the Aircraft Communications Addressing and Reporting System, that airlines use to communicate with air traffic control, national aviation authorities and their own operations centers. 

The potentially 5-year study will weigh steps for spotting bugs in plane systems and reducing the chances those weaknesses will cause harm, as part of "FAA’s eventual development of aviation policies, regulation and training requirements to ensure the resilience of aircraft network systems from cyberattacks," a March 1 contracting notice states. 

An initial 9-month, $900,000 phase will flesh out the agency’s so-called safety risk-assessment framework and gauge whether it is practical to use.  

The framework consists of a vulnerability assessment, threat analysis, "asset valuation" and an overall risk assessment that measures the likelihood a cyberincident will occur and its impact on flight safety, FAA says.

If funding and time allow, other systems will be assessed and the framework will be refined. 

The initiative is part of larger research into avionics weaknesses across the U.S. national airspace system “to assist decision-making by the FAA’s Aviation Safety (AVS) organization to establish appropriate safety policies and regulations,” the agency says.

Separately, last June, an industry working group organized by FAA began developing cybersecurity standards for commercial aircraft, ranging in size from the largest commercial jetliners to small private planes, according to The Wall Street Journal.  

On June 21, 2015, operations were disrupted at Warsaw Chopin Airport by what LOT Polish Airlines described as a cyberattack on flight-planning computers, the Journal noted. Ten flights were canceled and others were grounded for several hours.

Stateside airports also have been targeted in recent years.

In 2013, a prolonged operation to spy on aviation systems at 75 U.S. airports was caught through cooperation between government and industry, according to the Center for Internet Security, a nonprofit group that works closely with state and local governments. Systems at two unnamed airports were compromised by the attackers, who had sent targeted spear-phishing emails to aviation personnel.

Just last month, FAA said it needs urgent help to protect its systems from looming cyberthreats. 

"Due to evolving and potential cyber events, the FAA requires critical and immediate cybersecurity methodology support to protect FAA infrastructure from malicious activities," states a Feb. 9 presolicitation notice. At the time, an FAA spokeswoman said the notice refers to potential security incidents, adding the agency is not currently experiencing a network attack. 

The ramp-up in aviation cybersecurity precautions comes a year after attackers infected an FAA administrative computer network with a virus through an email.

Shortly afterward, auditors at the Government Accountability Office warned mission-critical air traffic control systems are susceptible to cyberattacks because the networks are closely intertwined with nonairspace systems. 

FAA officials say the new policymaking effort is a result of GAO’s finding that interconnected networks in future generations of aircraft aimed at enhancing safety could actually jeopardize safety.

"The increased connectivity, particularly to external networks and systems without sufficient security controls could introduce information security vulnerabilities, which, if exploited, might impact the safety of aircraft operations and continued airworthiness," the announcement states. The specific systems that could present a problem include airline operation centers, airport gate links, flight information databases, and aircraft software uploads and maintenance.

Already, a commercial aircraft passenger claims to have forced a thrust management computer to climb by hacking into an in-flight entertainment system, according to an FBI affidavit. Chris Roberts, the flier and a security expert, told authorities last spring he has manipulated networks mid-flight on multiple occasions and, in that one instance, he caused a plane to briefly move sideways. 
