SecurityWeek

Vulnerabilities

FAA Must Address Cyber-Security of Air Traffic Control Systems: GAO

The Government Accountability Office (GAO) has released a report calling for the Federal Aviation Administration (FAA) to strengthen the cyber-security of the nation’s air traffic control systems.

The report contends that the FAA has failed to consistently control access to NAS [National Airspace System] computers, to implement controls for identifying and authenticating users, and to encrypt sensitive data. The GAO conducted its review between August 2013 and January 2015.

“Although FAA has taken steps to safeguard its air traffic control systems, significant security control weaknesses remain in NAS systems and networks, threatening the agency’s ability to adequately fulfill its mission,” according to the report. “FAA established policies and procedures for controlling access to NAS systems and for configuring its systems securely, and it implemented firewalls and other boundary protection controls to protect the operational NAS environment. However, a significant number of weaknesses remain in the technical controls—including access controls, change controls, and patch management—that protect the confidentiality, integrity, and availability of its air traffic control systems.”

Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses, the report noted.

“Researchers have already demonstrated multiple ways to attack the air traffic control system, as well as adjacent aviation systems,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “We’ve seen demonstrations of injecting fake aircraft and compromising flight control systems. My concern is that the regulatory bodies in the industry will respond negatively to these disclosures, and rather than seek a reasonable approach to protect these systems, they will try to stop the research and prevent researchers from publishing this kind of information.”

According to the report, a fundamental cause for these weaknesses is that the FAA has not implemented an effective program for managing organizational information security risk. This in turn has caused the Air Traffic Organization – the FAA’s operational arm – to lack a “clear set of goals, objectives, and performance measures around which it can organize its information security program for NAS systems,” the report states.

In addition, the report found that the FAA did not always ensure security patches were applied. In some cases, systems were missing patches dating back more than three years. In other cases, certain “key servers” had reached end-of-life and were no longer supported by the vendor. As a result, the FAA is at an increased risk that unpatched vulnerabilities could allow its information and information systems to be compromised, according to the report.

“Although FAA established a cyber security steering committee, roles and responsibilities remain unclear, and AIT [Office of Information Technology] and ATO [Air Traffic Organization] officials continue to disagree on who should be responsible for the security of NAS systems,” the report notes. “Likewise, an out-of-date information security strategic plan contributes to the lack of an adequate risk-based structure to guide implementation of security controls.”

The GAO recommends that the Department of Transportation direct the FAA to take a number of steps, including: finalizing the incident response policy for ATO and ensuring that NAS system-level incident response policies specify reporting timelines; establishing a mechanism to ensure that all contractor staff complete annual security awareness training; and ensuring that testing of security controls is comprehensive enough to determine whether those controls are in place and operating effectively.
Written By

Marketing professional with a background in journalism and a focus on IT security.
