The U.S. Government Accountability Office (GAO) recently issued a report warning of “significant security control weaknesses” in the Federal Aviation Administration’s (FAA) air traffic control system.
“These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring controls on FAA’s systems,” the report states.
While the Federal Information Security Management Act of 2002 (FISMA) requires that the FAA implement a security program, the GAO found that the FAA’s implementation of its security program was incomplete.
“For example, it did not always sufficiently test security controls to determine that they were operating as intended; resolve identified security weaknesses in a timely fashion; or complete or adequately test plans for restoring system operations in the event of a disruption or disaster,” the report states.
Among the significant issues identified in the report is the fact that the FAA’s National Airspace System (NAS) has weaknesses in its access controls, change controls and patch management. “Additionally, significant interconnectivity exists between non-NAS systems and the NAS operational environment, increasing the risk from these weaknesses,” the report states.
“A large, complex, interconnected system like the NAS inherently faces many security risks,” the report concludes. “Although FAA took many steps to address these risks, weaknesses remain that challenge the FAA in fulfilling its mission of ensuring the safety and efficiency of the nation’s airspace operations.”
The report offers 17 recommendations for improved security, including establishing a mechanism to ensure that all contractor staff complete annual security awareness training, ensuring that NAS system-level incident response policies specify incident reporting timeframes, and providing NAS Cyber Operations with full network packet capture capability for analyzing network traffic and detecting anomalies at major network interface points.
Tripwire director of IT security and risk strategy Tim Erlin told eSecurity Planet by email that researchers have already demonstrated several ways to attack air traffic control systems. “My concern is that the regulatory bodies in the industry will respond negatively to these disclosures, and rather than seek a reasonable approach to protect these systems, they will try to stop the research and prevent researchers from publishing this kind of information,” he said.
The increasing sophistication of attacks and the participation of nation states, Erlin said, create significant challenges for the aviation industry. “It’s hard to get an accurate picture of how many nation state sponsored attacks are out there because there are a lot of unsubstantiated claims and attribution,” he said.
“At the same time, there’s undoubtedly more genuine nation-state activity,” Erlin added. “It is a challenge for information security professionals to defend against nation-state attackers. How can an IT security analyst at a for-profit organization expect to keep the NSA, or China, or GCHQ out of their organization’s network?”