Weaknesses in Air Traffic Control Systems are a serious issue for FAA

A GAO report to FAA reveals that the systems adopted in the Aviation industry are still affected by weaknesses that could be exploited by hackers.

A report published by Government Accounting Office (GAO) in January urges the Federal Aviation Administration (FAA) to adopt a formal process to “Address Weaknesses in Air Traffic Control Systems.” The FAA has taken steps to protect its air traffic control systems from threats, including cyber threats, but according to the GAO, the systems adopted in the Aviation industry are still affected by weaknesses that could be exploited by hackers.

The weaknesses addressed in the report include prevention, detection and mitigation of unauthorized access to computer resources used in the industry. The weaknesses mentioned in the document are related to controls for protecting system boundaries, user identification and authentication, protection of sensitive data, access controls, auditing and monitoring activity.

The report doesn’t address specific vulnerabilities, but provided a series of indications related to the shortcomings in the FAA approach to cyber security.

The Government Accounting Office report highlights that security of the operational national airspace system (NAS) environment depends on the level of security implemented for each single component, for this reason it is essential to adopt a formal process to identify and eliminate the weaknesses reducing the risks for cyber attacks.

The GAO criticized the approach to cyber security of the FAA, which has ignored NIST and Federal Information Security Management Act (FISMA) guidelines.

National Institute of Standards and Technology guidance urges agencies to establish and implement a security governance structure, an executive-level risk management function, and a risk management strategy. In compliance with the NIST guidance, the FAA has established a Cyber Security Steering Committee that implements the risk management function, but lack of a governance structure.

It is very serious that the FAA hasn’t clearly established roles and responsibilities approaching information security for the NAS.

” FAA has established a Cyber Security Steering Committee to provide an agency-wide risk management function. However, it has not fully established the governance structure and practices to ensure that its information security decisions are aligned with its mission. ” states the report.

The failure of the FAA approach to cyber security could result in the exposing to serious risks for traffic control operations and final users.

According to the GAO, the FAA didn’t consistently control access to NAS systems and resources. It is crucial to implement urgently such controls to avoid serious consequences, including data leakage, system intrusions and data breaches. Specifically, the GAO wants to see enhanced authentication, more authorization controlling access to resources, cryptography implementations, and audit and monitoring procedures put in place.

GAO stresses the FAA to enhanced processes for identification and authentication of users to the resources of the NAS.

“ Without adequate access controls, unauthorized users, including intruders and former employees, can surreptitiously read and copy sensitive data and make undetected changes or deletions for malicious purposes or for personal gain. In addition, authorized users could intentionally or unintentionally modify or delete data or execute changes that are outside of their authority.” continues the report.

According to the report, FAA did not always ensure that sensitive data were protected, when stored and transmitted, with the adoption of encryption mechanisms as requested by the NIST guidance

The GAO report also remarks the absence of efficient audit and monitoring processes. Auditing and monitoring are essential processes to analyze auditable events and detect anomalous activities.

“Automated mechanisms may be used to integrate audit monitoring, analysis, and reporting into an overall process for investigation of and response to suspicious activities.” reads the report.

Resuming the FAA did not implement an efficient Information Security Program, exposing resources, users and the overall NAS environment for cyber threats.

GAO announced the release of a separate report with limited distribution, the document will include 168 recommendations to address 60 findings. These recommendations consist of actions to implement and correct specific information security weaknesses related to access controls and configuration management

“These recommendations consist of actions to implement and correct specific information security weaknesses related to access controls and configuration management“

Pierluigi Paganini

(Security Affairs –  GAO, FAA)