The Federal Aviation Administration has been put on notice that its information security controls are not up to par and that a risk-based program must be implemented from the ground up in order to assure the safety of its networks and passengers in the sky.
A scathing Government Accounting Office (GAO) report released earlier this year hammered the FAA about vulnerabilities on the networks used to support communication between the ground and aircraft and monitoring systems for air traffic control that make up the national airspace system (NAS).
The GAO contends that the FAA has ignored mandates and procedures as outlined by NIST and FISMA guidelines, and has not established a governance structure in order to align security decisions with its overall mission. More specifically, the GAO said the FAA has not established specific security roles and responsibilities for the NAS, or updated its information security strategic plan in order to line it up with the FAA’s reliance on computer networks.
“Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk,” the report said.
The GAO said the FAA’s failure to implement an agency-wide risk management and security controls plan puts air traffic control operations at risk. The GAO was especially hard on the FAA’s lack of adequate access controls over its networks, systems and resources. It recommends designing and implementing controls that protect against data leaks and that detect intrusions on the network which could lead to unauthorized modification of configurations and systems. Specifically, the GAO wants to see stronger authentication, tighter authorization controls over access to resources, cryptography implementations, and audit and monitoring procedures put in place.
“Without adequate access controls, unauthorized users, including intruders and former employees, can surreptitiously read and copy sensitive data and make undetected changes or deletions for malicious purposes or for personal gain,” the report said. “In addition, authorized users could intentionally or unintentionally modify or delete data or execute changes that are outside of their authority.”
The public report does not identify any specific vulnerabilities to be addressed by the FAA; instead a separate classified report is expected to be handed over that will detail those issues. The public report does, however, include 14 recommendations the GAO hopes the U.S. Secretary of Transportation Anthony Foxx will mandate of the FAA administrator, Michael Huerta.
Some of those recommendations include finalizing an incident response policy, mandating security awareness and role-based training for staff and contractors, testing the efficacy of security controls, addressing vulnerabilities within a prescribed timeframe, implementing network packet capture and anomaly detection capabilities at network interface points, managing security event log data, and developing contingency plans for business continuity and disaster recovery, among others. In all, the GAO is expected to make 168 recommendations addressing 60 issues it identified, the report said.