FAA Must Address Cyber-Security of Air Traffic Control Systems: GAO

The Government Accountability Office (GAO) has released a report calling for the Federal Aviation Administration (FAA) to strengthen the cyber-security of the nation’s air traffic control systems.

The report contends the FAA has failed to consistently control access to NAS [National Airspace System] computers, implement controls for identifying and authenticating users and encrypt sensitive data. The GAO conducted its review between August 2013 and January 2015.

“Although FAA has taken steps to safeguard its air traffic control systems, significant security control weaknesses remain in NAS systems and networks, threatening the agency’s ability to adequately fulfill its mission,” according to the report. “FAA established policies and procedures for controlling access to NAS systems and for configuring its systems securely, and it implemented firewalls and other boundary protection controls to protect the operational NAS environment. However, a significant number of weaknesses remain in the technical controls—including access controls, change controls, and patch management—that protect the confidentiality, integrity, and availability of its air traffic control systems.”

Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses, the report noted.

“Researchers have already demonstrated multiple ways to attack the air traffic control system, as well as adjacent aviation systems,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “We’ve seen demonstrations of injecting fake aircraft and compromising flight control systems. My concern is that the regulatory bodies in the industry will respond negatively to these disclosures, and rather than seek a reasonable approach to protect these systems, they will try to stop the research and prevent researchers from publishing this kind of information.”

According to the report, a fundamental cause for these weaknesses is that the FAA has not implemented an effective program for managing organizational information security risk. This in turn has caused the Air Traffic Organization – the FAA’s operational arm – to lack a “clear set of goals, objectives, and performance measures around which it can organize its information security program for NAS systems,” the report states.

In addition, the report found that the FAA did not always ensure security patches were applied. In some cases, systems were missing patches dating back more than three years. In other cases, certain “key servers” had reached end-of-life and were no longer supported by the vendor. As a result, FAA is at an increased risk that unpatched vulnerabilities could allow its information and information systems to be compromised, according to the report.

“Although FAA established a cyber security steering committee, roles and responsibilities remain unclear, and AIT [Office of Information Technology] and ATO [Air Traffic Organization] officials continue to disagree on who should be responsible for the security of NAS systems,” the report notes. “Likewise, an out-of-date information security strategic plan contributes to the lack of an adequate risk-based structure to guide implementation of security controls.”

The GAO recommends the Department of Transportation order the FAA to take a number of steps, including: finalizing the incident response policy for ATO and ensuring that NAS system-level incident response policies specify reporting timelines; establishing a mechanism to ensure that all contractor staff complete annual security awareness training; and ensuring that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively.
