The Federal Aviation Administration’s (FAA) Civil Aviation Registry lacks proper security controls to prevent unauthorized access to its systems, according to a report based on a recent audit undertaken by the Office of the Inspector General (OIG) for the United States Department of Transportation (DoT).
The DoT’s OIG also expressed concerns regarding the FAA’s ability to recover information from and restore systems in the event of an emergency.
The OIG performed an audit to determine whether “(1) aircraft registrations and pilot certifications include the information needed for FAA to ensure aviation safety, (2) security controls keep the Registry secure from unauthorized access, and (3) contingency plans are sufficient to recover the Registry system in the event of an emergency.”
They published a report [PDF] highlighting their findings.
In the FAA’s words, “The Civil Aviation Registry is responsible for developing, maintaining, and operating national programs for the registration of United States civil aircraft and certification of airmen.”
The OIG’s audit determined not only that the FAA is doing a poor job of maintaining the data it needs to keep track of aircraft owners and their pilot certification information, but also that the administration has failed to implement the necessary security controls over the registry’s configuration and account management. Furthermore, the OIG claims that the FAA’s recovery plan does not meet department standards guaranteeing that systems are recoverable after a disaster or other event.
“We made several recommendations for further action,” the OIG wrote, “including developing procedures, policy or regulations necessary to improve the integrity of aircraft and airman data, and implementing controls required by the Federal Information Security Management Act and Department of Transportation policy to improve both its security posture and contingency plans to recover the system.”
The FAA’s transgressions include weaknesses in registry servers, a failure to encrypt sensitive information, a failure to ensure that third parties with access to the registry are protecting sensitive information, and other violations of the Federal Information Security Management Act. These failures render the Civil Aviation Registry vulnerable to data breaches that could potentially expose personally identifiable information (PII), according to the report. The FAA claims it is not responsible for information voluntarily submitted to the registry, but this belief runs afoul of both the Office of Management and Budget and the National Institute of Standards and Technology, which call for the protection of PII and emphasize the importance of access controls, up-to-date operating systems, and continuous network monitoring.
The OIG is also concerned about the FAA’s ability to recover data if there were to be an unforeseen system shutdown.
“FAA’s test procedures for the Registry’s recovery plan did not include an alternative processing site for the resumption of Registry functions in case of a shut-down. Due to a reorganization of information technology activities some years ago and the Registry’s complexity, FAA had not yet selected an alternate processing site. Lack of testing of the Registry’s backup systems at an alternative site creates the risk that FAA will be unable to resume essential operations after a system shut-down.”
The PII at risk here mostly belongs to non-commercial pilots within the registry and could include social security numbers and personal medical information as well as information inadvertently included by registrants registering aircraft.
Specifically, the OIG found the following weaknesses in a vulnerability assessment it performed as part of the audit: 30 of 42 computer servers (70 percent) that support the registry contain at least one high-risk or critical vulnerability; two servers run operating systems so old that they no longer receive vendor support or patches; seven servers were missing update patches from 2007 and beyond; and access to sensitive registry data is not monitored.
Furthermore, the FAA does not regularly identify and disable accounts that are no longer in use, meaning there could be any number of former and current employees with access well above their level of authorization. The FAA has also failed to implement multi-factor authentication.