The Office of Inspector General (OIG) at the Department of Transportation has found that the Federal Aviation Administration (FAA) is not remediating some security weaknesses.
The weaknesses relate to the Standard Terminal Automation Replacement System (STARS), which is used by air traffic controllers to provide critical air traffic services at the 11 largest Terminal Radar Approach Control (TRACON) facilities.
The FAA operates up to 172 TRACON facilities, which provide air traffic control services to pilots in the airspace immediately surrounding major airports. The 11 largest TRACONs, which use STARS, handle about 33 percent of all TRACON traffic in the United States. Effective security controls and contingency plans at these 11 facilities are therefore critical to maintaining the safety and security of the National Airspace System.
Due to the nature of the information, OIG has not provided detail about the weaknesses but said on July 15 that the FAA is “identifying STARS’ security risks but is not mitigating vulnerabilities in a timely manner”.
FAA had found vulnerabilities in 53 of 73 STARS security controls in March 2019 but did not meet its own schedule for remediating them. Department of Transportation policy requires timely remediation of vulnerabilities to reduce the risk that an attacker could gain unauthorized access to mission-critical systems.
OIG also found that the FAA’s STARS incident response policy does not comply with federal requirements, adding that its review found “security control weaknesses that could make it harder for the Agency to ensure the confidentiality, integrity, and availability of STARS”.
Further, OIG said FAA’s contingency plans for three large TRACONs are not sufficient to maintain continuity of air traffic operations during unplanned outages.
In January, FAA contracted Raytheon to improve the usability of, and reduce operational costs for, the Standard Terminal Automation Replacement System. Consequently, Raytheon’s STARS team has been working with the FAA’s NextGen modernization initiative to achieve a single national software and hardware baseline.
This work may go some way to addressing the eleven security recommendations that OIG has made, but not publicly revealed, to FAA. OIG said only that it considers most of the recommendations resolved but still open pending completion of FAA’s planned actions.