FAA air-traffic systems lack cyberprotections, GAO finds

Air-traffic control systems operated by the Federal Aviation Administration contain significant cybersecurity weaknesses and are vulnerable to attack, according to a recent report from the Government Accountability Office.

In the report, GAO concluded that the agency has not completely implemented information security programs that protect its systems from cyberattack.

'FAA has made progress in implementing information security for its air traffic control systems by establishing an agencywide information security program and addressing many of its previously identified security weaknesses; however, it still has significant weaknesses that threaten the integrity, confidentiality and availability of its systems'including weaknesses in controls that are designed to prevent, limit and detect access to those systems,' the report said.

FAA officials admit the weaknesses exist, but contend that because parts of their systems are custom-built with older equipment, special-purpose operating systems and proprietary communication interfaces, chances for unauthorized access are limited, according to the report.

'Nevertheless, the proprietary features of these systems do not protect them from attack by disgruntled current or former employees who understand these features, or from more sophisticated hackers,' the report added.

GAO recommended that the agency address the following weaknesses: outdated security plans, inadequate security awareness training, inadequate system testing and evaluation programs, limited security incident-detection capabilities and shortcomings in providing service continuity for disruptions in operations.

In response, FAA officials said they will consider the recommendations, but also stated that the report is not indicative of the agency's security systems.

Meanwhile, Rep. Tom Davis (R-Va.), who chairs the House Government Reform Committee that asked for the report, said FAA must address the recommendations. 'Given the ever-evolving nature of cyberthreats and the thought of someone with malicious intent accessing FAA's IT systems, complacency is not an option,' he said.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.