Report Recommends Series of Cybersecurity Changes at FAA

The Federal Aviation Administration needs to upgrade and update its information security capabilities, including building a threat-modeling capability and implementing federal security guidelines, in order to ensure the safety of the nation’s aviation infrastructure, according to a new report by the General Accounting Office.

The report is the result of a review of the FAA’s security practices as the agency moves from its decades-old air traffic control system to newer systems as part of its Next Generation Air Transportation System. The agency faces a long list of challenges in this process, including a number of cybersecurity hurdles. The GAO’s report, delivered on Tuesday, found that there are several offices inside the FAA that have some responsibility for cybersecurity, many of which overlap. That confusion, along with the lack of an internal threat modeling program and the increased interconnectivity of planes, ATC systems and other components of the FAA’s systems, all pose threats to the security of the systems, the report says.

“New networking technologies connecting FAA’s ATC information systems expose these systems to new cybersecurity risks, potentially increasing opportunities for systems to be compromised and damaged. Such damage could stem both from attackers seeking to gain access to and move among information systems, and from trusted users of the systems, such as controllers or pilots, who might inadvertently cause harm,” the report says.

“FAA’s ATC-related information systems are currently a mixture of old, legacy systems and new, IP-networked systems. FAA’s legacy systems consist mainly of decades-old, point-to-point, hardwired information systems, such as controller voice-switching systems, that share information only within their limited, wired configuration. In contrast, FAA plans for NextGen call for the new information systems to be networked together with IP technology into an overarching system of interoperating subsystems.”

The connectivity among old and new devices and the connectivity of systems on aircraft is a significant security concern, the report says. The new report is a follow-up to one published in March by the GAO.

“According to FAA officials and experts we consulted, the ease of access to these different types of systems, and the potential to damage them, varies. The older systems, depicted on the left in figure 3 below, are difficult to access remotely because few of them connect from FAA to external entities such as through the Internet. They also have limited lines of direct connection within FAA. Conversely, the new information systems for NextGen programs are designed to interoperate with other systems and use IP networking to communicate within FAA, as shown on the right in figure 3 below. According to experts, if one system connected to an IP network is compromised, damage can potentially spread to other systems on the network, continually expanding the parts of the system at risk,” the report says.

The GAO report says the FAA has taken some steps in recent months to help address the security weaknesses in its systems. Most significantly, the agency is in the process of developing and implementing an enterprise approach to information security that is designed to defend against internal and external attacks.

“Nevertheless, FAA will continue to be challenged in protecting ATC systems because it has not developed a cybersecurity threat model. NIST guidance, as well as experts GAO consulted, recommend such modeling to identify potential threats to information systems, and as a basis for aligning cybersecurity efforts and limited resources. While FAA has taken some steps toward developing such a model, it has no plans to produce one and has not assessed the funding or time that would be needed to do so. Without such a model, FAA may not be allocating resources properly to guard against the most significant cybersecurity threats,” the recommendations from the GAO say.

The FAA also has created a Cyber Security Steering Committee, but the Office of Safety, which certifies the cybersecurity of planes and interconnected systems, is not part of that committee right now. The GAO recommends fixing that issue, in addition to the other changes in the report.