The Government Accountability Office recently found that the Federal Aviation Administration’s air traffic control systems remain terribly vulnerable to cyber and other threats.
The report was difficult for me to read, and I can only assume the public version in my hands is far less frightening than the more detailed version provided to federal lawmakers. That’s fine. I don’t want any more details. Ignorance is bliss.
I am not a fan of flying. It’s a combination of many things. Start with claustrophobia. Add in a fear of heights, with a dash of I-really-have-no-idea-how-something-this-incredibly-heavy-is-soaring-above-the-clouds.
And now I am unfortunately aware that the complex and highly automated systems which keep these giant defiers of gravity in the air are vulnerable to cyberattack.
Gulp.
I mean, the report is called, “FAA Needs to Address Weaknesses in Air Traffic Control Systems.” It really doesn’t get any more direct than that. But if you need more: “…significant security control weaknesses remain, threatening the [FAA’s] ability to ensure the safe and uninterrupted operation of the national airspace system (NAS).”
And until the FAA “effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner,” the weaknesses identified will continue, the GAO said.
Interestingly, the GAO compared the FAA’s policies and procedures with available guidance, including the National Institute of Standards and Technology (NIST) guidelines for critical infrastructure cybersecurity.
The FAA set up multiple firewalls to prevent unauthorized access to systems, but NIST also recommends monitoring and controlling communications at the boundaries of NAS systems, with careful management of how systems connect to external networks. These connections are not always protected, the GAO said. Additionally, some servers and applications supporting NAS systems did not have sufficient password controls, sensitive data was not encrypted, and the FAA did not make sure users had authorized access to air traffic control systems.
There’s more, but the fact is the FAA’s cybersecurity is not good. In another report with limited distribution, the GAO made 168 recommendations to address 60 findings.
I’m never going to be comfortable with flying no matter how often I do it. This report certainly doesn’t help. My impression after reading it is that the FAA’s cybersecurity has little to do with there not being a major breach, but probably more to do with the fact that someone hasn’t really tried.