Report: ‘Significant Security Control Weaknesses’ at FAA Threaten US Airspace

Vulnerability to cyber threats pose safety risk to U.S. airspace

Wikimedia Commons
March 5, 2015

Security weaknesses in the computing systems of the Federal Aviation Administration (FAA) pose a cyber threat to U.S. airspace and has left the FAA with insufficient ability "to ensure the safe and uninterrupted operation of the national airspace system," according to a new report by the federal government’s watchdog group.

The FAA’s systems are vulnerable to hackers and other would-be cyber terrorists seeking to interrupt U.S. air traffic safeguards and cause catastrophic destruction, according to the report by the Government Accountability Office (GAO).

The cyber weaknesses range from the inadequate ability to detect intrusions by hackers to unsatisfactory safeguards on critical systems, according to the report.

"Significant security control weaknesses remain, threatening the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system (NAS)," the report concluded.

"These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA’s systems," according to the report. "Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses."

These problems will persist at great risk to the nation until the FAA puts strict safeguards on its systems, the GAO concluded.

"The weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk," the report states.

The FAA has been well aware of these problems for quite some time and was instructed as far back as 2002 to address and correct the vulnerabilities. However, the agency has failed to do this, according to the GAO’s report, which is a public version of a more thorough but classified version that contained sensitive security information.

"FAA’s implementation of its security program was incomplete," the report found. "For example, it did not always sufficiently test security controls to determine that they were operating as intended; resolve identified security weaknesses in a timely fashion; or complete or adequately test plans for restoring system operations in the event of a disruption or disaster."

"The group responsible for incident detection and response for NAS systems did not have sufficient access to security logs or network sensors on the operational network, limiting FAA’s ability to detect and respond to security incidents affecting its mission-critical systems," the report states.

One of the major shortcomings in the FAA’s system is the lack of boundaries over who can access the system. This means that "unauthorized users" and even cyber "intruders" can access information with being detected.

"Without adequate access controls, unauthorized users, including intruders and former employees, can surreptitiously read and copy sensitive data and make undetected changes or deletions for malicious purposes or for personal gain," the report found. "In addition, authorized users could intentionally or unintentionally modify or delete data or execute changes that are outside of their authority."

Sensitive information in the system is also not adequately protected by firewalls and other measures aimed at deterring cyber criminals.

The lack of technical safeguards, combined with the improper implementation of more stringent security procedures, leaves critical gaps in overall security at the FAA, the report concludes.

"These weak controls are mirrored in weak security management processes, such as incomplete policies and procedures for incident response and insufficient testing of security controls," it states. "Additionally, actions to mitigate identified security weaknesses are often delayed—sometimes for years."

"All of these weaknesses combine to pose increased risks to the confidentiality, integrity, and availability of NAS systems and thus put the safe and uninterrupted operation of the nation’s air traffic control system at risk," it states.

Published under: Cyber Security , FAA , GAO