US air traffic control system is riddled with vulnerabilities

A recently released report by the US Government Accountability Office has revealed that despite some improvements, the Federal Aviation Administration (FAA) still needs to quash significant security control weaknesses that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system (NAS).

GAO is an independent agency tasked with auditing and investigating the performance of federal government organizations on behalf of the US Congress.

The FAA, an agency of the Department of Transportation, is responsible for the safety and regulation of civil aviation. It oversees the development of the air traffic control system, and it’s tasked with keeping the National Airspace System (NAS) safe and efficient.

The report found that while the “FAA established policies and procedures for controlling access to NAS systems and for configuring its systems securely, and it implemented firewalls and other boundary protection controls to protect the operational NAS environment […] a significant number of weaknesses remain in the technical controls—including access controls, change controls, and patch management—that protect the confidentiality, integrity, and availability of its air traffic control systems.”

“Additionally, significant interconnectivity exists between non-NAS systems and the NAS operational environment, increasing the risk from these weaknesses. Further, the agency had not yet fully implemented an agency-wide information security program to ensure that controls are appropriately designed and operating effectively,” the investigators found.

To help the FAA remove these weaknesses, the GAO has offered 17 recommendations to the FAA Administrator, which include security awareness training for contractors and staff, testing of security controls and NAS incident response capabilities, and improvement of intrusion detection capabilities, among others.

The GAO will also offer 168 recommendations for implementing and correcting specific information security weaknesses related to access controls and configuration management, but for obvious reasons they will not be shared with the public.