Yesterday, the Government Accountability Office (GAO) released “FAA Needs to Address Weaknesses in Air Traffic Control Systems,” a report that highlights the improvements the Federal Aviation Administration (FAA) needs to make to its critical air traffic control systems. The FAA operates 100 air traffic control systems that include radar, weather, flight plans, surveillance, in-flight communication, navigation and landing. These FAA IT systems are automated and complex, including hardware, software and telecommunication equipment.
The GAO report identifies intentional and unintentional threats against the FAA, noting that the interconnectivity of FAA systems increases the opportunity for cyberattack. Unintentional threats are a bit of a misnomer since they simply refer to software programming errors that could negatively impact operations; it would have been less inflammatory if the GAO had referred to this as risk. The GAO defines intentional threats as terrorists, criminals and foreign nations and includes the possibility of Advanced Persistent Threats (APTs) from well-organized attackers.
The GAO report concedes that the FAA has taken steps to increase security, but ultimately criticizes the FAA for weakness in its security program that includes an inability to limit unauthorized access and poor auditing and monitoring of security events. This is the result of the FAA not completely implementing its prescribed security plan.
The GAO provides recommendations for the FAA to improve information security by establishing an integrated, organization-wide information security system, including 170 specific technical recommendations. The GAO contends that the bottom line is that the security of air traffic control systems is critical and must be adequately protected.
It is great that the GAO produced this report and is pressuring the FAA to improve its security posture. There is no doubt that FAA air traffic control systems number among some of the most important pieces of critical infrastructure, along with public utilities, such as power and telecommunications networks. The “Internet of Things” is coming into focus, yet security is so frequently an afterthought. Currently, financially-motivated cyberattacks greatly outnumber attacks on critical infrastructure by several orders of magnitude, but to assume that critical infrastructure won’t be attacked because it hasn’t been attacked is dangerous thinking. I have complete confidence when I take a flight, but for once, it is great to see an organization pushing to get in front of its security challenges before they become a serious issue.