Cyber-attack at 35,000ft
The Government Accountability Office (GAO) recently released a report to congressional requesters titled “FAA Needs to Address Weaknesses in Air Traffic Control Systems.” The Federal Aviation Administration (FAA) ensures the advancement, safety, and regulation of civil aviation, as well as the development of the air traffic control (ATC) system. They do this by providing the safest, most efficient aerospace system in the world, the national airspace system (NAS).
GAO performed this system review of FAA’s information security program in order to “evaluate the extent to which FAA had effectively implemented information security controls to protect its air traffic control systems.” GAO did this by reviewing FAA policies, procedures, and practices and comparing these to the relevant federal law and guidance, assessing the implementation of security controls in FAA, and by interviewing officials.
This public report is not fully comprehensive due to the sensitive nature of some material which has been redacted. GAO acknowledged that FAA has made certain advances in information security; however these advances did not outweigh the weaknesses GAO found. GAO provided a substantial list of security weaknesses that place air traffic control systems at risk:
- FAA did not consistently control access to NAS systems
- Although control mechanisms were put in place, FAA did not always adequately protect the boundary of NAS systems
- FAA did not consistently implement controls for identifying and authenticating users of NAS systems
- FAA did not always ensure users were properly authorized to access NAS systems
- Sensitive data were not always sufficiently encrypted
- FAA did not consistently implement sufficient audit and monitoring controls
- While background investigations were conducted in accordance with policy, changes to network systems and software were not always properly controlled
- FAA did not always properly control changes to network devices or ensure key systems were fully patched
- FAA did not fully implement its information security program, limiting the effectiveness of information security controls
- Policies and procedures were not always complete
- Users with significant security responsibilities had not always received required security training
- Security controls were not always tested sufficiently
- Identified security weaknesses were not always addressed in a timely fashion
- NAS incident detection and response activities were limited
- Contingency plans were not always complete or adequately tested
- Inadequate agency-wide information security risk management procedures contribute to weaknesses in security controls and security management
GAO concludes that these weaknesses hinder the fulfillment of FAA’s mission of ensuring the safety and efficiency of the nation’s airspace operations. GAO made 17 recommendations to help fully implement an information security program and ensure that the unnecessary risks to the security of NAS systems are mitigated, 14 can be viewed on the public document.
“Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.”
Article formerly posted at https://www.hsdl.org/blog/newpost/view/cyber-attack-at-35-000ft