The United States Federal Aviation Administration should implement cybersecurity upgrades recommended by the U.S. Government Accountability Office immediately, or risk hackers taking over its computer systems, Sen. Charles Schumer, D-N.Y., has warned.
The GAO last week released a report that found significant security control weaknesses in the FAA’s computer systems threatened its ability to ensure the safe and uninterrupted operation of the U.S. national airspace system, or NAS.
Among them are weaknesses in controls that prevent, limit and detect unauthorized access. Twenty-six of the 35 IP-connected NAS systems did not provide security event logs to the person designated at the FAA to monitor the system, Schumer pointed out. Also, controls between the operational NAS systems and less-secure systems were found to be weak.
“The security vulnerabilities we identified are significant and unnecessarily increase the risk that competent attackers could compromise mission-critical air traffic control systems; compromise user accounts to gain unauthorized access to systems; and intercept, view, and modify transmitted data,” said Gregory Wilshusen, director of information security issues at the GAO.
“In addition, FAA has limited assurance that it would detect or appropriately respond to security incidents,” he told TechNewsWorld. “These deficiencies and others stated in the report threaten FAA’s ability to ensure the safe and uninterrupted operation of the [national airspace system].”
Failure to Launch
The FAA has not implemented its agency-wide information security program fully, the GAO said. For example, it did not sufficiently test all security controls to determine that they were operating as intended; it failed to resolve identified security weaknesses in a timely fashion; and it did not complete or adequately test plans for restoring system operations in the event of a disruption or disaster.
The Federal Information Security Management Act of 2002 requires federal agencies to implement a security program providing a framework for controls.
Without adequate access to NAS security logs, or to network sensors on the operational network, the FAA was limited in its ability to detect and respond to security incidents affecting its mission-critical systems, the GAO found.
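The gap Schumer points to (26 of 35 IP-connected NAS systems not sending security event logs to the designated monitor) and the limited log and sensor access the GAO describes are, in practice, a log-source coverage problem: the SOC cannot detect what never reaches the collector. The following added example, which is not from the GAO report, the FAA, or this article, shows the check an operations team would run against a central collector. It parses constructed syslog-style lines, compares the hosts seen against a constructed inventory, and flags systems that are silent (no events at all), stale (last event older than a threshold), or unlisted (logging but not in the inventory). The host names, timestamps, and the 24-hour silence threshold are assumptions made for illustration.

```python
"""Log-source coverage check: which inventoried systems are not feeding the SOC?

Added example; not from the GAO report, the FAA, or the article. The inventory,
host names and syslog lines below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed inventory of systems that are expected to forward security event logs.
INVENTORY = {
    "nas-radar-01",
    "nas-radar-02",
    "nas-flightdata-01",
    "nas-weather-01",
    "nas-voice-01",
    "nas-gateway-01",
}

# Constructed syslog-style lines as they might arrive at a central collector.
# Only some inventoried hosts appear; one appears only with an old event; one
# host that logs is not in the inventory at all.
SAMPLE_LOG = """\
2015-03-09T08:00:12Z nas-radar-01 sshd[1201]: Accepted publickey for ops from 10.1.2.3
2015-03-09T08:01:45Z nas-gateway-01 kernel: iptables DROP IN=eth1 SRC=192.0.2.44
2015-03-08T02:15:00Z nas-weather-01 sshd[772]: Failed password for root from 198.51.100.7
2015-03-09T08:03:10Z nas-radar-01 sudo: ops : TTY=pts/0 ; COMMAND=/bin/systemctl restart radard
2015-03-09T08:04:30Z lab-test-vm-03 sshd[55]: Accepted password for admin from 10.9.9.9
2015-03-09T08:05:59Z nas-gateway-01 kernel: iptables DROP IN=eth1 SRC=192.0.2.45
"""

# "<ISO-8601 UTC timestamp> <hostname> <message>"; assumed collector line format.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def parse_last_seen(log_text):
    """Return {host: latest UTC timestamp seen} for every host in the log."""
    last_seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the audit
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        host = m.group("host")
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return last_seen


def coverage_report(inventory, last_seen, now, max_silence=timedelta(hours=24)):
    """Classify each inventoried host as reporting, stale, or silent.

    silent: no event at all; stale: last event older than max_silence;
    unknown: hosts that log but are not in the inventory (unlisted sources).
    """
    silent = sorted(h for h in inventory if h not in last_seen)
    stale = sorted(h for h in inventory
                   if h in last_seen and now - last_seen[h] > max_silence)
    reporting = sorted(h for h in inventory
                       if h in last_seen and h not in stale)
    unknown = sorted(h for h in last_seen if h not in inventory)
    covered_pct = round(100.0 * len(reporting) / len(inventory), 1) if inventory else 0.0
    return {"reporting": reporting, "stale": stale, "silent": silent,
            "unknown": unknown, "covered_pct": covered_pct}


def run_sample():
    """Run the check over the constructed data at an assumed audit time."""
    now = datetime(2015, 3, 9, 9, 0, 0, tzinfo=timezone.utc)
    return coverage_report(INVENTORY, parse_last_seen(SAMPLE_LOG), now)


if __name__ == "__main__":
    r = run_sample()
    for key in ("reporting", "stale", "silent", "unknown"):
        print(f"{key:>10}: {', '.join(r[key]) or '-'}")
    print(f"  coverage: {r['covered_pct']}% of {len(INVENTORY)} inventoried systems")
```

The point of the "stale" bucket is that a host which once forwarded logs and then went quiet is as blind a spot as one that never did, and is easy to miss if the check only asks "has this host ever appeared". The "unknown" bucket is the inverse problem: a source on the collector that the inventory does not know about, which is the kind of discrepancy between operational and less-secure systems a boundary review would want to explain.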
The FAA has set up a Cybersecurity Steering Committee to provide an agency-wide risk management function, but it has not fully established the governance structure and practices to ensure that its information security decisions are aligned with its missions, the GAO reported.
“We believe that FAA needs to take immediate steps to fix the security weaknesses we identified and to address their underlying causes,” GAO’s Wilshusen said. Otherwise, “the weaknesses that we identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.”
What the FAA Must Do
The GAO has made 17 recommendations to the FAA to fully implement its information security program and establish an integrated approach to managing information security risk.
It also recommended the FAA take 168 specific actions to address weaknesses in security controls.
“The FAA is actively addressing the recommendations … and has already remediated a number of technical findings,” FAA spokesperson Laura Brown told TechNewsWorld.
The agency’s Cybersecurity Steering Committee is “reviewing and providing oversight to ensure an agency risk-based approach as we address the recommendations,” Brown said, and the FAA “is also proactively identifying other potential actions to enhance the cybersecurity posture of the NAS and the agency.”
This latest GAO report on the FAA echoes one it made 17 years ago, in 1998. At the time, the GAO noted the FAA was ineffective in all critical areas included in its computer security review.
That year, the FAA began modernizing its air traffic control computer system.
“As we have reported, FAA does not have a good track record for remediating known vulnerabilities,” Wilshusen said.
The FAA’s system is very complex, and that increases the possibility of intrusions, said Jim McGregor, principal at Tirias Research.
Still, “considering the potential impact of this system on both public safety and security, the FAA should be doing everything it can,” he told TechNewsWorld, and should implement “a more flexible system that can be upgraded on a regular cadence, [because] the types and number of threats have increased with the rapid pace of technology.”