After Years Of Negligence, US Air Traffic Control System Is Highly Vulnerable To Cyberattacks

With all the talk about security and encryption on devices that are personal to us like smartphones and tablets, we’d like to think that computer systems that help to control and monitor key U.S. infrastructure and transportation systems would employ rigorous security measures to safeguard against cyberattacks. This is even more important when it comes to the daunting task of air traffic control where interruptions to service and computer downtime could cripple air travel across the country and put passenger (and flight crew) lives at risk.

With so much at stake, it’s quite disappointing to hear the results of a Government Accountability Office (GAO) report that is highly critical of the Federal Aviation Administration's (FAA) air traffic control systems used across the U.S. Most damning is that an agency-wide information security program that was mandated by the Federal Information Security Management Act of 2002 was never fully implemented by the FAA. As a result:

  • Security controls implemented to ward off incoming cyberattacks were never sufficiently tested to ensure that they were functioning properly.
  • Security lapses that were identified and brought to the attention of the FAA were dealt with in a languid fashion.
  • The FAA failed to have sufficient protocols in place to restore air traffic control operations in the event of a natural disaster or service disruption.
  • The team responsible for the national airspace system (NAS) did not have access to the proper tools to detect or even thwart cyberattacks on “mission-critical systems.”

The GAO goes on to state that the FAA has failed on a multitude of levels, and its failures are organization-wide. The GAO points to the fact that the FAA instituted a Cyber Security Steering Committee to assess risks to the NAS, but it never fully “established the governance structure and practices to ensure that its information security decisions are aligned with its mission.”

But that’s not all; these are just the “highlights” of the FAA’s numerous blunders with regard to safeguarding the NAS. There are plenty of other grim details found within the full 46-page report [PDF]. Examples of security lapses included NAS-accessible applications and servers that “did not implement sufficiently strong password controls” and in many cases, FAA personnel and contractors were given access to NAS controls without first determining if they were even authorized to access such sensitive information. “As a result, users of these air traffic control systems may have greater access than they need to fulfill their responsibilities, increasing the risk that these systems could be compromised, either inadvertently or deliberately,” states the GAO report.

Shall we go on? Sensitive data stored on NAS systems were not always encrypted (neither while stored nor while transmitted), and what is seemingly unthinkable for such mission-critical systems, the FAA was incredibly lax in applying security patches to its servers and attached computers:

The agency did not always ensure that security patches were applied in a timely manner to servers and network devices supporting air traffic control systems, or that servers were using software that was up-to-date. For example, certain systems were missing patches dating back more than 3 years. Additionally, certain key servers had reached end-of-life and were no longer supported by the vendor. As a result, FAA is at an increased risk that unpatched vulnerabilities could allow its information and information systems to be compromised.

And that’s just the tip of the iceberg. There are pages and pages of incidents of security lapses, incomplete and untested contingency plans, and poor response times to system outages. In the end, the GAO offers a rather sobering account of what problems plague the FAA and what that could mean for the millions of Americans who travel by air every day. “Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk.”

Needless to say, the FAA has its work cut out for it and if the GAO’s report wasn’t trouble enough, it now has two U.S. senators breathing down its neck. Senators John Thune (Rep-SD) and Bill Nelson (Dem-FL) called the report “troubling,” and added “these vulnerabilities have the potential to compromise the safety and efficiency of the national airspace system, which the traveling public relies on each and every day.”

The FAA is currently offering no comment on the GAO report.