US airspace system vulnerable to cyber attack

While the United States has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, according to a government watchdog.


The Government Accountability Office (GAO) was asked to review the Federal Aviation Administration’s (FAA) information security programme and whether the US aviation agency had effectively implemented information security controls to protect its air traffic control systems.
In a public version of a report which has been redacted due to the sensitive nature of the subject, the GAO found that existing shortfalls in security threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system (NAS).
“These include weaknesses in controls intended to prevent, limit, and detect unauthorised access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorising users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA’s systems,” states the report. “Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses.”
It also found that the FAA failed to fully implement a US-wide federal agency information security programme.
“The FAA’s implementation of its security programme was incomplete,” warned the report, which cited insufficient testing of security controls to determine that they were operating as intended, and a failure both to resolve identified security weaknesses in a timely fashion and to complete or adequately test plans for restoring system operations in the event of a disruption or disaster.
“Additionally, the group responsible for incident detection and response for NAS systems did not have sufficient access to security logs or network sensors on the operational network, limiting the FAA’s ability to detect and respond to security incidents affecting its mission-critical systems,” the report adds.
The GAO warns that weaknesses in the FAA’s security controls and implementation of its security programme existed, in part, because it had not fully established an integrated, organisation-wide approach to managing information security risk that is aligned with its mission.
Although it notes that the FAA has established a cyber security steering committee to provide an agency-wide risk management function, it has not fully established the governance structure and practices to ensure that its information security decisions are aligned with its mission.
The GAO here cites the fact that the agency has not clearly established roles and responsibilities for information security for the NAS or updated its information security strategic plan to reflect significant changes in the NAS environment, such as increased reliance on computer networks.
“Until the FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security programme, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk,” it said.
The watchdog makes 17 recommendations to the FAA to fully implement its information security programme and establish an integrated approach to managing information security risk. In a separate report with limited distribution, the GAO is recommending that the FAA take 168 specific actions to address weaknesses in security controls.