Information Security:

Progress Made, but Federal Aviation Administration Needs to Improve Controls over Air Traffic Control Systems

GAO-05-712: Published: Aug 26, 2005. Publicly Released: Sep 26, 2005.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Federal Aviation Administration (FAA) performs critical functions that contribute to ensuring safe, orderly, and efficient air travel in the national airspace system. To that end, it operates and relies extensively on an array of interconnected automated information systems and networks that comprise the nation's air traffic control systems. These systems provide information to air traffic controllers and aircraft flight crews to help ensure the safe and expeditious movement of aircraft. Interruptions of service by these systems could have a significant adverse impact on air traffic nationwide. Effective information security controls are essential for ensuring that the nation's air traffic control systems are adequately protected from inadvertent or deliberate misuse, disruption, or destruction. Accordingly, GAO was asked to evaluate the extent to which FAA has implemented information security controls for these systems.

FAA has made progress in implementing information security for its air traffic control information systems; however, GAO identified significant security weaknesses that threaten the integrity, confidentiality, and availability of FAA's systems--including weaknesses in controls that are designed to prevent, limit, and detect access to these systems. The agency has not adequately managed its networks, software updates, user accounts and passwords, and user privileges, nor has it consistently logged security-relevant events. Other information security controls--including physical security, background investigations, segregation of duties, and system changes--also exhibited weaknesses, increasing the risk that unauthorized users could breach FAA's air traffic control systems, potentially disrupting aviation operations. While acknowledging these weaknesses, agency officials stated that the possibilities for unauthorized access were limited, given that the systems are in part custom built and that they run on older equipment that employs special-purpose operating systems, proprietary communication interfaces, and custom-built software. Nevertheless, the proprietary features of these systems cannot fully protect them from attacks by disgruntled current or former employees who are familiar with these features, nor will they keep out more sophisticated hackers. A key reason for the information security weaknesses that GAO identified in FAA's air traffic control systems is that the agency had not yet fully implemented its information security program to help ensure that effective controls were established and maintained. Although the agency has initiatives under way to improve its information security, further efforts are needed. 
Weaknesses that need to be addressed include outdated security plans, inadequate security awareness training, inadequate system testing and evaluation programs, limited security incident-detection capabilities, and shortcomings in providing service continuity for disruptions in operations. Until FAA has resolved these issues, the information security weaknesses that GAO has identified will likely persist.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by ensuring that risk assessments are completed.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that FAA ensured that risk assessments were completed.

    Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by developing and implementing policies and procedures to address such issues as patch management and the reviewing and monitoring of physical access.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that FAA implemented policies and procedures to address patch management and developed procedures for reviewing and monitoring physical access.

    Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by reviewing system security plans to ensure that they contain the information required by OMB A-130 and are up to date.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that FAA revised a critical system security plan to include missing information and kept the plan up to date.

    Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by enhancing the security awareness training program to ensure that all employees and contractors receive information security awareness training, as well as system specific training, and that completion of the training is appropriately reported and tracked.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that FAA enhanced its security awareness training program to ensure that all employees and contractors receive information security awareness training, as well as system specific training, and that completion of the training is appropriately reported and tracked.

    Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by developing a process to ensure that sensitive information is not publicly available on the Internet.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that FAA developed a process to ensure that sensitive information is not publicly available on the Internet.

    Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by conducting tests and evaluations of the effectiveness of controls on operational systems, and documenting results.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that FAA conducted tests and evaluations of the effectiveness of controls on operational systems, and documented results.

    Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by performing more frequent testing of system controls on critical systems to ensure that the controls are operating as intended.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that FAA performed frequent testing of system controls on critical systems to ensure that the controls were operating as intended.

    Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by reviewing remedial action plans to ensure that they address all of the weaknesses that have been identified.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that FAA reviewed remedial action plans to ensure that they addressed all of the weaknesses that have been identified.

    Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by prioritizing weaknesses in the remedial action plans and establishing appropriate, timely milestone dates for completing the planned actions.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that FAA prioritized weaknesses in remedial action plans and established appropriate, timely milestone dates for completing the planned actions.

    Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by implementing FAA's plan to deploy intrusion detection capabilities for portions of the network infrastructure that are not currently covered.

    Agency Affected: Department of Transportation

    Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that FAA implemented a plan to deploy intrusion detection capabilities for portions of the network infrastructure that were not currently covered.

    Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by correcting configuration issues in current intrusion detection systems to ensure that they are working as intended.

    Agency Affected: Department of Transportation

    Status: Closed - Not Implemented

    Comments: FAA has tested, and intends to purchase, a product to mitigate the weakness with current intrusion detection systems, but has not yet done so because funding has not been approved, according to FAA officials.

    Recommendation: To help establish effective information security over air traffic control systems, the Secretary of Transportation should direct the FAA Administrator to fully implement an information security program by reviewing service continuity plans to ensure that they appropriately reflect the current operating environment.

    Agency Affected: Department of Transportation

    Status: Closed - Not Implemented

    Comments: The service continuity plan for a key system does not appropriately reflect the current operating environment.
