While the U.S. Federal Aviation Administration (FAA) has taken steps to protect ATC systems from cyber warfare threats, significant security control weaknesses remain, which threaten the FAA's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS), GAO investigators say.
Cyber weaknesses in the ATC system involve computers that control and protect air traffic system boundaries, identify and authenticate users, grant user access, sensitive data encryption, and monitoring FAA systems, GAO investigators say.
Additionally, shortcomings in boundary protection controls between less-secure systems and the operational National Airspace System (NAS) increase the risk from these weaknesses, GAO experts say.
FAA also did not implement its agency-wide information security program. As required by federal law, GAO says. FAA leaders did not test security controls sufficiently to determine that they were operating as intended; resolve identified security weaknesses in a timely fashion; or complete or adequately test plans for restoring system operations in the event of a disruption or disaster.
Additionally, the group responsible for incident detection and response for NAS systems did not have sufficient access to security logs or network sensors on the operational network, limiting FAA's ability to detect and respond to security incidents affecting its mission-critical systems.
FAA has not established an integrated, organization-wide approach to managing information security risk, GAO investigators say. Although the agency has established a cyber security steering committee to manage cyber risks, they did not establish information security practices.
In particular, FAA officials have not established roles and responsibilities for information security for the NAS or updated an information security strategic plan to reflect increased reliance on computer networks.
Until changes take place, the FAA's cyber security weaknesses are likely to continue, placing the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk, GAO investigators say.
GAO is making 17 recommendations to FAA to implement the agency's information security program and establish an integrated approach to managing information security risks.