Significant security weaknesses in the Federal Aviation Administration’s (FAA) information security program have placed the nation’s air traffic control system at risk of being hacked, according to a Government Accountability Office (GAO) audit report released Monday.
“While the FAA has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system (NAS),” the GAO audit report said.
The FAA is responsible for overseeing the development of the air traffic control system which the agency uses to track flights around the world. According to FAA, the system includes more than 19,000 airports, nearly 600 air traffic control facilities, and approximately 65,000 other facilities.
In light of the critical role of NAS and the growing interconnectivity of information systems, GAO was requested to review whether the FAA has effectively implemented information security controls to protect air traffic control from a number of threats including criminals, foreign nations, terrorists and other adversarial groups.
Although the Federal Information Security Management Act of 2002 requires federal agencies to implement a security program that provides a framework for implementing controls at the agency, FAA’s implementation of the program is incomplete.
GAO discovered, for example, that FAA “did not always sufficiently test security controls to determine that they were operating as intended; resolve identified security weaknesses in a timely fashion; or complete or adequately test plans for restoring system operations in the event of a disruption or disaster.”
Many of the weaknesses in FAA’s security controls and information security program stem from its failure to fully establish an organization-wide approach to managing information security risk. The National Institute of Standards and Technology (NIST) indicates that effective risk management requires agencies to have a strategic plan for information security.
According to GAO, “NIST SP 800-100 states that agencies should revisit the information security strategic plan when a major change in the agency information security environment occurs. However, the FAA information security strategic plan has not been updated since 2010.”
GAO indicated that FAA will continue to face major challenges and that major weaknesses will persist until the agency develops an organization-wide risk management strategy.
GAO concluded that, “Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.”
The FAA concurred with the 17 recommendations made by the GAO to help the FAA fully implement its information security program and establish an integrated approach to managing information security risk. In addition, in a separate report with limited distribution, GAO recommended 168 specific actions to address weaknesses in FAA security controls.
"These vulnerabilities have the potential to compromise the safety and efficiency of the national airspace system, which the traveling public relies on each and every day," said Sens. John Thune (R-SD) and Bill Nelson (D-Fla.).
This is not the first time FAA’s air traffic control system has come under fire. Homeland Security Today reported last summer that a Department of Transportation (DOT) Office of Inspector General (OIG) memo uncovered numerous red flags regarding FAA’s new air traffic control system—the Standard Terminal Automation Replacement System (STARS).
According to the memo, the OIG conducted a review of STARS in May 2013 and discovered a number of significant problems, concluding “that the system could ultimately fall short of providing promised capabilities for controlling takeoffs and landings — the most critical phases of flight.”
Consequently, the OIG concluded that “The STARS deployment incorporates fewer capabilities than the system it aims to replace.”