The Government Accountability Office (GAO) has released a report calling for the Federal Aviation Administration (FAA) to strengthen the cyber-security of the nation’s air traffic control systems.
The report contends the FAA has failed to consistently control access to NAS [National Airspace System] computers, implement controls for identifying and authenticating users and encrypt sensitive data. The GAO conducted its review between August 2013 and January 2015.
“Although FAA has taken steps to safeguard its air traffic control systems, significant security control weaknesses remain in NAS systems and networks, threatening the agency’s ability to adequately fulfill its mission,” according to the report. “FAA established policies and procedures for controlling access to NAS systems and for configuring its systems securely, and it implemented firewalls and other boundary protection controls to protect the operational NAS environment. However, a significant number of weaknesses remain in the technical controls—including access controls, change controls, and patch management—that protect the confidentiality, integrity, and availability of its air traffic control systems.”
Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses, the report noted.
“Researchers have already demonstrated multiple ways to attack the air traffic control system, as well as adjacent aviation systems,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “We’ve seen demonstrations of injecting fake aircraft and compromising flight control systems. My concern is that the regulatory bodies in the industry will respond negatively to these disclosures, and rather than seek a reasonable approach to protect these systems, they will try to stop the research and prevent researchers from publishing this kind of information.”
According to the report, a fundamental cause for these weaknesses is that the FAA has not implemented an effective program for managing organizational information security risk. This in turn has caused the Air Traffic Organization – the FAA’s operational arm – to lack a “clear set of goals, objectives, and performance measures around which it can organize its information security program for NAS systems,” the report states.
In addition, the report found that the FAA did not always ensure security patches were applied. In some cases, systems were missing patches dating back more than three years. In other cases, certain “key servers” had reached end-of-life and were no longer supported by the vendor. As a result, FAA is at an increased risk that unpatched vulnerabilities could allow its information and information systems to be compromised, according to the report.
“Although FAA established a cyber security steering committee, roles and responsibilities remain unclear, and AIT [Office of Information Technology] and ATO [Air Traffic Organization] officials continue to disagree on who should be responsible for the security of NAS systems,” the report notes. “Likewise, an out-of-date information security strategic plan contributes to the lack of an adequate risk-based structure to guide implementation of security controls.”