DOT 2022 Cybersecurity Symposium - Keynote

Former Acting FAA Administrator Billy Nolen (April 1, 2022 – June 9, 2023)

Good morning everyone.

From air traffic control to the largest airliner or the lightest drone, connectivity is the way of the future in aerospace. It’s also why we have to constantly raise the bar when it comes to defending our computers, servers, networks and data from malicious attacks. 

Given that we’re increasingly reliant on highly integrated and interdependent systems in aerospace, it goes without saying that we have to be increasingly proactive and vigilant when it comes to cyber threats. 

That vigilance is carried out day-in and day-out by a cybersecurity workforce that protects our aerospace assets. You are in many respects our unsung heroes, because this cyber battle is being fought behind the scenes, 24/7/365. 

This is especially true at the FAA, where we are responsible for operating the nation’s air traffic control system and overseeing the design, manufacture and testing of aircraft and systems, including avionics. 

Within our agency, we have an extensive networking architecture, as data flows from trusted internet connections, through thousands of switches, and onward to almost 70,000 endpoints for the FAA network alone. A healthy network and systems are vital to us fulfilling our mission to provide the American people with the safest and most efficient aerospace system in the world. 

Today I’ll talk about the FAA’s approach to safeguarding this critical infrastructure from cyber threats, both within our agency and for the aerospace community at large. 

To achieve our mission, the FAA depends on information systems in three separate areas, which we call domains: the National Airspace System Domain, which is operated by FAA’s Air Traffic Organization; the Mission Support Domain, operated by FAA’s Office of Finance and Management, and the Research and Development Domain, which is operated by FAA’s Office of NextGen. 

Each of the three domains has its own security perimeter with a distinct set of security controls. To assess cyber threats and vulnerabilities to our networks, we developed a Cyber Test Facility at our William J. Hughes Technical Center, where we also conduct testing and evaluation. We ensure the health of our networks through the Security Operations Center, or SOC, where experts continually monitor the DOT and FAA infrastructure for suspicious cyber activity and resolve any incidents.

The FAA Chief Information Security Officer and the Chief Information Officer have overall responsibility for the FAA’s cybersecurity. They also make sure that each Domain complies with agency, departmental, and federal requirements.

Our goal as an agency has always been to reduce cybersecurity risks in civil aviation and in the FAA’s information systems, including air traffic control. The FAA developed its first cybersecurity strategy in 2015, and it is constantly evolving. 

The Cybersecurity Strategy discusses in detail the FAA’s goals, which include protecting and defending FAA networks and systems, enhancing data-driven decision capabilities, and building and maintaining workforce capabilities for cybersecurity. 

In 2018, we modified the strategy to align it with emerging executive branch cyber initiatives, including the National Cybersecurity Strategy and the National Strategy for Aviation Security. The big ticket item here was that we needed to address cyber threats associated with the growing use of cloud technologies.  

We also updated our strategy to include cybersecurity best-practices, often referred to as cyber hygiene principles, and we added a focus on sharing aviation cybersecurity information with our stakeholders.

And speaking of sharing, I want to thank the Department of Homeland Security and the Cybersecurity & Infrastructure Security Agency for their continued collaboration with us on cybersecurity. 

This was particularly helpful in carrying out President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity. Speaking of the President’s priorities, I’d like to highlight that the DOT, including FAA, last month reach 95% compliance in implementing multi-factor authentication for access to our networks. This is a huge step to becoming more resilient as an agency. 

That’s key, because lapses in cybersecurity can disrupt safety and efficiency in all the realms we operate, oversee and regulate—aircraft, air carriers, airports, air traffic operations, maintenance facilities and the people that carry out the functions for each. 

Protecting these assets is a massive job—the FAA has safety oversight responsibilities for aircraft design, manufacturing and testing of aeronautical products, production, the continuous operational safety of certified products—including avionics—and the certification of pilots and mechanics. 

We’re successful in large part because of our ongoing collaboration with other government agencies and private sector organizations that also have cyber responsibilities in the aviation ecosystem.  

I started out by talking about how connectivity is the way of the future in aerospace. Nowhere is this more evident than in the latest aircraft coming off the assembly lines.  

Modern airplanes include communications and navigation systems that rely on connectivity between an airplane and ground or space-based infrastructure. 

Unfortunately this reliance creates cyber risks that could affect the airworthiness of the aircraft. And that means it’s the FAA’s job to address any risks during the certification process. 

So as part of our certification practices for transport category airplanes, we require that the applicant conduct cybersecurity risk assessments for a new certification project or when there’s a change to a previously certified product.

We generally manage cyber risks by issuing project-specific “special conditions” that require the applicant to show that critical aircraft systems are protected from intentional unauthorized electronic interference—in other words, hacking.

The FAA uses special conditions when the existing airworthiness regulations don’t contain adequate safety standards for what we call “novel or unusual” design features. It’s hard to imagine anything more novel or unusual than advances in connectivity! 

Once an aircraft or product is out in the field, the FAA addresses cybersecurity safety issues in much the same way as all safety issues, by continuously monitoring operational safety using a data-driven methodology.  

You’ve heard FAA Administrators say this many times, and I’ll repeat it again, “Safety is a Journey, not a Destination.” 

The same is true of cybersecurity and our cybersecurity strategy. What we do today, will not be good enough tomorrow, or the day after. We are always striving to be more resilient to better protect against the next threat, and that includes taking input from others. 

We put a cyber-risk model in place to support our air traffic mission and related systems, and established priorities for research and development activities on cybersecurity in response to a 2019 DOT Office of Inspector General audit.

We tasked an Aviation Rulemaking Advisory Committee to develop solutions when the GAO issued a report about cyber threats to avionics. 

They responded with 30 recommendations related to information security and protection in aircraft systems. The FAA then updated policy, standards and industry guidance for certifying critical aircraft systems. 

And after a malicious actor in December 2020 infiltrated the networks of governments and businesses around the world by exploiting a vulnerability in a widely-used IT-monitoring software, the FAA developed a “Playbook" to ensure we could detect anomalous activity in our own systems, and minimize the chances that this type of hack could have an operational impact.

Part of making ourselves more resilient to future cyber threats is strengthening our core expertise in cyber through our workforce. 

Several years ago, we entered into an agreement with the National Academy of Sciences to conduct a workforce study. 

The results of that study made clear that there is more work to do, although I will say that many of the recommendations are consistent with the FAA’s cybersecurity strategic objectives, and many others align with broader ongoing FAA workforce development, and recruitment efforts.

And finally, one of the major components of our cybersecurity strategy is to build and maintain relationships—and trust—with external partners. 

This is critical for defending, reacting, and recovering from a cyber-attack. It’s why we are a lead agency on the Aviation Cyber Initiative interagency task force with the Department of Homeland Security and the Department of Defense. It’s why we work collectively to identify and address cybersecurity risks in the aviation ecosystem. 

As the technology of the aviation ecosystem evolves, we expect that cybersecurity will continue to be a growing challenge, and a significant component of aviation safety and airspace efficiency. 

And it’s a certainty that threats will continue to evolve—that’s the nature of the business. Our job is to ensure that many layers of defense are in place; that we act on threat information; detect attacks, and follow up with remediation and updated best practices. 

That’s how we protect against tomorrow’s threat. 

It’s a tough job, but it’s our job…and it’s our priority 24/7/365. 

I commend Secretary Buttigieg and the DOT for spotting a spotlight on this issue with all the activities around Cybersecurity Awareness month, including this annual Cybersecurity Symposium. I’ll repeat their tag line: Do your part—Be cyber smart. 

Thank you for inviting me.