GAO Calls on the FAA to Step Up Cyber Security

By Juliet Van Wagenen | March 12, 2015
Send Feedback

[Avionics Today 03-12-2015] The FAA is lacking in measures to prevent cyber-based threats to the increasingly automated Air Traffic Control (ATC) system, according to a report by the Government Accountability Office (GAO). The “Information Security: FAA Needs to Address Weaknesses in Air Traffic Control Systems” report, published earlier this month, finds that while the FAA has taken measures to protect the systems from cyber attacks, significant vulnerabilities remain. These vulnerabilities threaten the agency’s ability to ensure secure, orderly and efficient operation of the National Airspace System (NAS).

Jetblue Binary code plane
As data sharing and automation in the aircraft and ATM industries increase, cyber threats are becoming more imminent. Photo: Jetblue

“Cyber-based threats to federal information systems such as those that FAA relies on for its ATC systems are evolving and growing. These threats can be intentional or unintentional and can come from a variety of sources, including criminals, foreign nations, terrorists and other adversarial groups,” the report states, noting that threats can also come from less malicious sources in the form of hardware or software malfunctions that can disrupt operations.

With today’s NAS relying heavily on a number of automated systems and networks to provide information about weather, flight planning, surveillance, navigation and communication to ATCs and aircraft flight crews, weaknesses in the system come from a variety of sources as interconnectivity between these increases. This includes vulnerabilities in controls intended to prevent, limit and detect unauthorized computer resources, “such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on the FAA’s systems,” the report states, noting that there are additional shortcomings in boundary protection controls between less-secure systems.

“Although many legacy air traffic control systems continue to rely on point-to-point communications, NAS systems, including NextGen systems, increasingly use IP technologies to communicate over interconnected computer networks,” the report explains. “With increased use of these technologies, however, comes increased risk: integrating critical infrastructure systems with information technology networks provides significantly less isolation from the outside world than predecessor systems, creating a greater need to secure these systems from remote, external threats.”

And as automation and Internet reliance rise, GAO’s report predicts professional hackers could find it easier to gain access to critical NAS infrastructure systems and Information Technology (IT) networks through the holes in the FAAs security measures.

According to the report, many of the vulnerabilities in the ATC system were a result of the FAA’s failing to meet the obligations of a law set out in 2002. The Federal Information Security Management Act (FISMA) compelled the agency to “develop, document and implement an agency-wide information security program to provide security for the information and information systems that support operations and assets of the agency.” While the FAA did take some steps forward, establishing policies and procedures for controlling access to the NAS and configuring secure systems, it lacked largely in securing technical controls.

Additionally, the agency had not “adequately defined the roles and responsibilities of the different organizations within the department that was responsible for information security over the organization’s systems, as well as the air traffic control systems,” Gregory Wilshusen, a director in GAO’s information technology team, explained in a podcast associated with the report.

To remedy this, GAO included 17 public recommendations to the FAA to prompt the organization to establish an integrated, and organization-wide approach to managing information security risks in the future as well as to ensure that risk management decisions align with the agency’s overall security strategy.

Furthermore, GAO laid out 170 recommendations to address specific and technical security control weaknesses that the agency identified over the course of the report. In a two-page letter associated with the report, the FAA acknowledged the risks of leaving the ATC system open to cyber attacks and set out to address the recommended actions.

“The bottom line, as I see it, is that the security over the systems that control air traffic within the national air space is critical, vital and must be adequately protected,” Wilshusen said. “[The] FAA needs to take additional steps to ensure that the security is appropriate and sufficient to accomplish that aim.”

Receive the latest avionics news right to your inbox