Aviation security: FAA should address weaknesses in air traffic control systems: GAO

Published 9 March 2015

The Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, but significant security control weaknesses remain, threatening the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system (NAS), the GAO says in a new report. The GAO report says that FAA also did not fully implement its agency-wide information security program.

These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA’s systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational national airspace system (NAS) environment increase the risk posed by these weaknesses.

The report also found that FAA did not fully implement its agency-wide information security program. As required by the Federal Information Security Management Act of 2002, federal agencies should implement a security program that provides a framework for implementing controls at the agency. FAA’s implementation of its security program, however, was incomplete. For example, it did not always sufficiently test security controls to determine that they were operating as intended; resolve identified security weaknesses in a timely fashion; or complete or adequately test plans for restoring system operations in the event of a disruption or disaster.

Additionally, the group responsible for incident detection and response for NAS systems did not have sufficient access to security logs or network sensors on the operational network, limiting FAA’s ability to detect and respond to security incidents affecting its mission-critical systems.

The weaknesses in FAA’s security controls and implementation of its security program existed, in part, because FAA had not fully established an integrated, organization-wide approach to managing information security risk that is aligned with its mission. National Institute of Standards and Technology guidance calls for agencies to establish and implement a security governance structure, an executive-level risk management function, and a risk management strategy in order to manage risk to their systems and information.

FAA has established a Cyber Security Steering Committee to provide an agency-wide risk management function. However, it has not fully established the governance structure and practices to ensure that its information security decisions are aligned with its mission. For example, it has not (1) clearly established roles and responsibilities for information security for the NAS, or (2) updated its information security strategic plan to reflect significant changes in the NAS environment, such as increased reliance on computer networks.

The GAO says that until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.

The GAO notes that in support of FAA’s mission, FAA relies on the NAS — one of the U.S. critical infrastructures — which comprises air traffic control systems, procedures, facilities, aircraft, and the people who operate and maintain them. Given the critical role of the NAS and the increasing connectivity of FAA’s systems, it is essential that the agency implement effective information security controls to protect its air traffic control systems from internal and external threats.

GAO was asked to review FAA’s information security program. Specifically, the objective of the GAO review was to evaluate the extent to which FAA had effectively implemented information security controls to protect its air traffic control systems. To do this, GAO reviewed FAA policies, procedures, and practices and compared them to the relevant federal law and guidance; assessed the implementation of security controls over FAA systems; and interviewed officials.

The GAO notes that the version of its report which was publicly released does not contain sensitive security information. Information deemed sensitive has been included only in the classified version of the report.

GAO made seventeen recommendations to FAA to fully implement its information security program and establish an integrated approach to managing information security risk. In a separate report with limited distribution, GAO recommended that FAA take 168 specific actions to address weaknesses in security controls.

The GAO notes that in commenting on a draft of the GAO report, FAA concurred with GAO’s recommendations.

— Read more in Information Security: FAA Needs to Address Weaknesses in Air Traffic Control Systems, GAO-15-221 (Published: 29 January 2015; publicly released: 2 March 2015)