The US Government Accountability Office (GAO) urged the Federal Aviation Administration to take steps to enhance cybersecurity on modern commercial aircraft. In a post on its site, GAO stated that modern commercial airplanes are equipped with networks and systems that share data with pilots, passengers, maintenance crews, other aircraft and air traffic controllers, in ways not previously possible.
In addition, extensive cybersecurity checks have been carried out to date, and there have been no reports of successful cyberattacks on the aeronautical systems of an airplane. However, growing links between aircraft and other systems, combined with the evolving cyber-threat landscape, could lead to increased risks for the future safety of flights.
The GAO has warned that if air defense systems are not properly protected, they could be at risk of a variety of possible cyberattacks, including vulnerabilities due to factors such as patch mismanagement, insecure supply chains and "outdated" systems. Thus, the GAO issued a semi-annual Cyber Security Guide.
Tim Mackey, Synopsys CyRC chief safety strategist, said that, as with passenger vehicle systems, aircraft have a long lifespan, which means that the software used in flights, both on board and as part of flight activities, will be used for a much longer period of time than it is in consumer situations. Properly managing cybersecurity with long-life products requires anticipating future risks when building threat models, Mackey added.
Mackey cited the fact that, in recent years, cyberattacks can target not only open source code but also commercial software built with compromised components. Detecting such attacks is a challenge because of an attacker's ability to hide malicious code in a patch for an unrelated but legitimate software bug.
According to Mackey, while the primary target of such an attack may be economic, a compromised component could pave the way for another malicious group to target airlines. This is an example of how attackers set the rules for their attacks and seize the opportunities they are given, and it is also an example of the types of threats identified by the GAO.