recommended reading

FAA Working on New Guidelines for Hack-Proof Planes


The Federal Aviation Administration has begun shaping cybersecurity regulations for airplane manufacturers, amid warnings that the criss-crossing of onboard networks poses risks to flight safety. 

Researchers have been invited to build upon an FAA-developed framework for testing a plane’s susceptibility to hacks, agency officials announced on a federal contracting site.

The new FAA initiative is geared toward informing federal policies for aircraft suppliers.

Over the past two years, verified network intrusions at FAA and airports worldwide, along with claims of in-flight hacks, have intensified public and government attention to aviation cybersecurity.  

The framework will be tested on an air-to-ground data communications network, called the Aircraft Communications Addressing and Reporting System, that airlines use to communicate with air traffic control, national aviation authorities and their own operations centers. 

The potentially 5-year study will weigh steps for spotting bugs in plane systems and reducing the chances those weaknesses will cause harm, as part of "FAA’s eventual development of aviation policies, regulation and training requirements to ensure the resilience of aircraft network systems from cyberattacks," a March 1 contracting notice states. 

An initial 9-month, $900,000 phase will flesh out the agency’s so-called safety risk-assessment framework and gauge whether it is practical to use.  

The framework consists of a vulnerability assessment, threat analysis, "asset valuation" and an overall risk assessment that measures the likelihood a cyberincident will occur and its impact on flight safety, FAA says.

If funding and time allow, other systems will be assessed and the framework will be refined. 

The initiative is part of larger research into avionics weaknesses across the U.S. national airspace system “to assist decision-making by the FAA’s Aviation Safety (AVS) organization to establish appropriate safety policies and regulations,” the agency says.

Separately, last June, an industry working group organized by FAA began developing cybersecurity standards for commercial aircraft, ranging in size from the largest commercial jetliners to small private planes, according to The Wall Street Journal.  

On June 21, 2015, operations were disrupted at Warsaw Chopin Airport by what LOT Polish Airlines described as a cyberattack on flight-planning computers, the Journal noted. Ten flights were canceled and others were grounded for several hours.

Stateside airports also have been targeted in recent years.

In 2013, a prolonged operation to spy on aviation systems at 75 U.S. airports was caught by the cooperation of government and industry, according to the Center for Internet Security, a nonprofit group that works closely with state and local governments. Systems at two unnamed airports were compromised by the attackers, who had sent targeted spear-phishing emails to aviation personnel.

Just last month, FAA said it needs urgent help to protect its systems from looming cyberthreats. 

"Due to evolving and potential cyber events, the FAA requires critical and immediate cybersecurity methodology support to protect FAA infrastructure from malicious activities," states a Feb. 9 presolicitation notice. At the time, an FAA spokeswoman said the notice refers to potential security incidents, adding the agency is not currently experiencing a network attack. 

The ramp-up in aviation cybersecurity precautions comes a year after attackers infected an FAA administrative computer network with a virus through an email.

Shortly afterward, auditors at the Government Accountability Office warned mission-critical air traffic control systems are susceptible to cyberattacks because the networks are closely intertwined with nonairspace systems. 

FAA officials say the new policymaking effort is a result of GAO’s finding that interconnected networks in future generations of aircraft aimed at enhancing safety could actually jeopardize safety.

"The increased connectivity, particularly to external networks and systems without sufficient security controls could introduce information security vulnerabilities, which, if exploited, might impact the safety of aircraft operations and continued airworthiness,” the announcement states. The specific systems that could present a problem include airline operation centers, airport gate links, flight information databases, and aircraft software uploads and maintenance.

Already, a commercial aircraft passenger claims to have forced a thrust management computer to climb by hacking into an in-flight entertainment system, according to an FBI affidavit. Chris Roberts, the flier and a security expert, told authorities last spring he has manipulated networks mid-flight on multiple occasions and, in that one instance, he caused a plane to briefly move sideways. 

(Image via /

Threatwatch Alert

Stolen laptop

Wireless Heart Monitor Maker to Pay $2.5M Settlement to HHS After Laptop Stolen

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.