FAA leaves air traffic system open to security risk, says GAO
- By Mark Pomerleau
- Mar 04, 2015
The Federal Aviation Administration has compromised its ability to ensure the safety of the national airspace system by not addressing a number of weaknesses in how it prevents unauthorized access to its computers systems.
That’s the assessment of the Government Accountability Office, which in a report issued this week cataloged a number of areas where it believes the FAA has left the air traffic system vulnerable to attack.
The GAO said while the FAA has taken steps to safeguard the national airspace system (NAS), significant vulnerability remains in its controls for protecting system boundaries, authorizing users to access systems, data encryption and monitoring FAA systems.
“The weaknesses exist, in part because FAA had not fully established an integrated, organizationwide approach to managing information security risk,” according to GAO. Here is a summary of areas where GAO has concluded FAA systems are vulnerable.
Access to NAS systems. The GAO said the FAA has not taken adequate measures to protect its systems from unauthorized access, which it can address with boundary protection, identification and authentication of users, cryptography and auditing and monitoring procedures. The report also said FAA did not consistently implement identification controls in accordance with its security policies and guidance from the National Institutes of Standards and Technology. For example, certain servers and applications that support the NAS “did not implement sufficiently strong password controls.” And in several cases, the FAA and its contractors did not properly document that system users were authorized to access key air traffic controls systems, said the GAO.
Boundary of NAS systems. FAA and NAS environments and infrastructure become much more vulnerable when non-NAS systems and NAS systems become interconnected, with no safeguards between them, GAO pointed out. Implementing multiple layers of security is one way to ensure greater safety. “While FAA implemented numerous controls to separate NAS and non-NAS systems, it did not always protect connections between external partners and NAS mission support environments,” the report said.
Sensitive data encryption. The FAA did not always ensure sensitive data was encrypted when transmitted or stored, said GAO. For instance, it noted, network devices supporting NAS systems did not always encrypt authentication data in cross-network transmissions, while other systems did not encrypt stored passwords using sufficiently strong, FIPS-compliant, algorithms. “Due to these weaknesses, FAA faces an increased risk that attackers could compromise accounts or intercept, view and modify transmitted data,” GAO said.
Configuration and patch management. Even though configuration management is a key control, GAO said, the FAA did not always ensure that network changes to certain devices followed configuration policies, which increased the risk of vulnerabilities that might allow information to be compromised. For example, FAA did not ensure security patches were rolled out on a timely basis to IT systems that support the air traffic control system. Certain servers were missing patches dating back three years, said GAO.
Enterprise security management. The GAO cited the importance of an “entitywide” security program, which includes “continuous cycle of activity for assessing risk … and monitoring the effectiveness of those procedures.” Here the FAA earned credits from GAO, which said the agency had taken steps toward establishing an information security program, noting in particular the documentation of its risk assessment policy. At the same time, GAO said the FAA did not consistently document its incident response policies or ensure its contractors took required training on a timely basis.
Incident detection and response. GAO said the FAA has “notable shortcomings in security monitoring,” including insufficient access to systems. It cited a lack of full network packet capture or anomaly detection systems for network traffic at major FAA network interfaces. The FAA’s shortcomings in this area makes it susceptible to malicious incidents the GAO said.
All in all, GAO concluded, the FAA has not yet created “an effective program for managing organizational information security risk.”
“Until FAA establishes stronger agencywide security risk management, processes … the weaknesses we identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk,” GAO concluded.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.