There were a total of 74 new amendments to HR 636, the FAA authorization bill, offered in the Senate yesterday. Two of those were cybersecurity related, SA 3621 and SA 3627. They were actually the same amendment, but one was amending the base bill (SA 3627) and the other was amending the substitute language (SA 3621). SA 3621 was one of the 12 amendments that were adopted by the Senate yesterday.
Security Aircraft Avionics Systems
Both of these amendments yesterday were proposed by Sen. Nelson (D,FL) and had similar intent to his amendment SA 3474 that I described last week. They did, however, provide more specifics as to how that intent would be accomplished.
Paragraph (a) of the proposed new section was re-formatted to have two subparagraphs, but the wording remained the same. Paragraph (b) was added to ensure that actions taken by the Administrator would be in accordance with “the recommendations of the Aircraft Systems Information Security Protection Working Group [link added] under section 5029(d) [discussed in last week’s post] of this Act”.
Paragraph (c) would add an additional tasking for the ASISPWG in §5029(d). The Working Group would also be required to look at “the cybersecurity risks of in-flight entertainment systems to consider whether such systems can and should be isolated and separate from systems required for safe flight and operations, including reviewing standards for air gaps or other means determined appropriate”.
A number of amendments to the substitute language were adopted by unanimous consent. Two of those may be of specific interest to readers of this blog. The first was SA 3621 that is described above. The second was the unmanned aircraft system (UAS) amendment, SA 3492 (described here last week) that would allow critical infrastructure owners to fly UAS without restrictions on time of day or the requirement for the pilot to maintain visual contact with the UAS under certain circumstances.
Debate on HR 636 continues today. I have seen no reports that Sen. McConnell has filed cloture to close off debate, so the discussions will continue at least through tomorrow. TheHill.com is reporting that the agreement on adding tax breaks for environmental issues overlooked in last year’s spending bill will not be included in HR 636 as I reported last week. It is not clear what effect this will have on the continued consideration of this bill.
The avionics security amendment should be much more effective than the one that Nelson originally introduced. Ensuring that the Working Group recommendations are taken into account when the FAA writes the cybersecurity regulations will help ensure that the technical issues are adequately addressed.
Unless we see additional cybersecurity amendments proposed today or tomorrow (looking less likely) this will be the only additional security language included in the bill. The requirements in the substitute language and yesterday’s amendment will provide the FAA with lots of regulatory work for the next couple of years.
Will it be adequate to protect against all potential attacks on aircraft systems? Absolutely not. Anyone that thinks that a single set of regulations, no matter how well written, will stop all attacks completely misunderstands how security works. It is not possible to stop a determined, well financed and trained attacker.
Will the regulations help? Almost certainly. It will ensure that there is at least a minimum level of security at each of the airlines. More importantly, it puts airplane manufacturers on notice of their responsibility for ensuring minimum levels of cybersecurity on aircraft that they sell to the airlines. Finally, this bill will ensure that there is an official, documented discussion about the advisability of linking aircraft entertainment, communications, and control systems on a single network. When people’s reputations are put on the line, I would be willing to bet that they will agree (reluctantly to be sure in some cases) that establishing three separate networks will be less costly in the long run.
Could more be done? Certainly. The biggest thing lacking in this bill is formal language making some agency (I would nominate ICS-CERT, due to possible overlaps with non-aviation systems) to act as a coordinator between vendors, airlines and the cybersecurity research community for software and firmware vulnerability reports. Finally, on that topic, someone at the FAA needs to be formally designated as the final arbiter of whether or not an unfixed avionics system vulnerability is of high enough risk to ground aircraft until the vulnerability is appropriately mitigated.
It is not surprising that Congress has not attempted to address the software vulnerability disclosure and consequence issue here. It has studiously ignored the problem in all sectors of the economy. The potential consequences of an unaddressed vulnerability in this venue, however, have an extraordinary potential to result in a spectacularly public failure; the type of failure that ends in vocal finger pointing and blame laying. The political backlash will be of epic making proportions. And the resulting legislation will handicap the industry for decades to come as unintended consequences overwhelm the best intentioned manufacturers.