Skip to main content

Information Security: FAA Needs to Address Weaknesses in Air Traffic Control Systems

GAO-15-221 Published: Jan 29, 2015. Publicly Released: Mar 02, 2015.
Jump To:
Skip to Highlights

Highlights

What GAO Found

While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA's systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses.

FAA also did not fully implement its agency-wide information security program. As required by the Federal Information Security Management Act of 2002, federal agencies should implement a security program that provides a framework for implementing controls at the agency. However, FAA's implementation of its security program was incomplete. For example, it did not always sufficiently test security controls to determine that they were operating as intended; resolve identified security weaknesses in a timely fashion; or complete or adequately test plans for restoring system operations in the event of a disruption or disaster. Additionally, the group responsible for incident detection and response for NAS systems did not have sufficient access to security logs or network sensors on the operational network, limiting FAA's ability to detect and respond to security incidents affecting its mission-critical systems.

The weaknesses in FAA's security controls and implementation of its security program existed, in part, because FAA had not fully established an integrated, organization-wide approach to managing information security risk that is aligned with its mission. National Institute of Standards and Technology guidance calls for agencies to establish and implement a security governance structure, an executive-level risk management function, and a risk management strategy in order to manage risk to their systems and information. FAA has established a Cyber Security Steering Committee to provide an agency-wide risk management function. However, it has not fully established the governance structure and practices to ensure that its information security decisions are aligned with its mission. For example, it has not (1) clearly established roles and responsibilities for information security for the NAS or (2) updated its information security strategic plan to reflect significant changes in the NAS environment, such as increased reliance on computer networks.

Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk.

Why GAO Did This Study

In support of its mission, FAA relies on the NAS—one of the nation's critical infrastructures—which is comprised of air traffic control systems, procedures, facilities, aircraft, and people who operate and maintain them. Given the critical role of the NAS and the increasing connectivity of FAA's systems, it is essential that the agency implement effective information security controls to protect its air traffic control systems from internal and external threats.

GAO was asked to review FAA's information security program. Specifically, the objective of this review was to evaluate the extent to which FAA had effectively implemented information security controls to protect its air traffic control systems. To do this, GAO reviewed FAA policies, procedures, and practices and compared them to the relevant federal law and guidance; assessed the implementation of security controls over FAA systems; and interviewed officials. This is a public version of a report containing sensitive security information. Information deemed sensitive has been redacted.

Recommendations

GAO is making 17 recommendations to FAA to fully implement its information security program and establish an integrated approach to managing information security risk. In a separate report with limited distribution, GAO is recommending that FAA take 168 specific actions to address weaknesses in security controls. In commenting on a draft of this report, FAA concurred with GAO's recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Transportation To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that all contractor staff complete annual security awareness training as required by federal law and FAA policy.
Closed – Implemented
FAA concurred with our recommendation. In fiscal year 2018, we verified that FAA has completed actions to address our recommendation. Specifically, in response to our recommendation, FAA established a mechanism to ensure that all contractor staff complete annual security awareness training as required by federal law and FAA policy.
Department of Transportation To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that all staff with significant security responsibilities receive appropriate role-based training.
Closed – Implemented
FAA concurred with our recommendation. In fiscal year 2018, we verified that FAA has completed actions to address our recommendation. Specifically, in response to our recommendation, FAA developed and implemented a formal process for identifying personnel with key information security and privacy responsibilities and ensuring that they receive appropriate role-based training annually.
Department of Transportation To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to establish a mechanism to ensure that personnel with incident response roles and responsibilities take appropriate training, and that training records are retained.
Closed – Implemented
FAA concurred with our recommendation. In fiscal year 2018, we verified that FAA has completed actions to address our recommendation. Specifically, in response to our recommendation, FAA established a mechanism to ensure that personnel with incident response roles and responsibilities are trained in their responsibilities. Additionally, FAA ensured that incident response training records are retained.
Department of Transportation
Priority Rec.
To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that testing of security controls is comprehensive enough to determine whether security controls are in place and operating effectively, by, for example, examining artifacts such as audit reports, change tickets, and approval documents.
Closed – Implemented
The Federal Aviation Administration (FAA) concurred with our recommendation. In fiscal year 2019, we verified that FAA has completed actions to address our recommendation. Specifically, in response to our recommendation, FAA improved its processes for testing security controls for the NAS systems we reviewed by examining appropriate artifacts and evidence to determine whether controls are in place and operating effectively.
Department of Transportation
Priority Rec.
To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to take steps to ensure that identified corrective actions for security weaknesses are implemented within prescribed timeframes.
Closed – Implemented
The Federal Aviation Administration (FAA) concurred with our recommendation. In fiscal year 2019, we verified that FAA has completed actions to address our recommendation. Specifically, in response to our recommendation, FAA implemented an effective process for ensuring that identified corrective actions for security weaknesses are actively managed and tracked through implementation. In addition, FAA implemented the majority of our recommendations to address security weaknesses that we identified in our separate limited distribution report.
Department of Transportation To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NAS Cyber Operations (NCO) with full network packet capture capability for analyzing network traffic and detecting anomalies at major network interface points at FAA operational facilities.
Closed – Implemented
The Federal Aviation Administration (FAA) concurred with our recommendation. In fiscal year 2019, we verified that FAA has completed actions to address our recommendation. Specifically, in response to our recommendation, FAA implemented a network traffic monitoring system which, among other things, provides NAS Cyber Operations (NCO) with full network packet capture capability. The system has been deployed to major network gateways, and future phases are planned to expand this capability to all NAS operational network communications.
Department of Transportation To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to integrate network traffic flow data into NCO's ad-hoc query systems.
Closed – Implemented
The Federal Aviation Administration (FAA) concurred with our recommendation. In fiscal year 2019, we verified that FAA has completed actions to address our recommendation. Specifically, in response to our recommendation, FAA implemented a network traffic monitoring system which, among other things, provides NAS Cyber Operations (NCO) with network traffic flow session data. The system has been deployed to major network gateways, and future phases are planned to expand this capability to all NAS operational network communications.
Department of Transportation To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NCO with access to network sensors on key network gateways for reviewing intrusion detection, network traffic, and network session data.
Closed – Implemented
FAA concurred with our recommendation and stated that it planned to implement it by December 2018. In fiscal year 2018, we verified that FAA has implemented compensating controls to address this weakness. Specifically, in response to our recommendation, FAA developed and implemented a coordinated procedure with the FTI Security Operations Center to provide packet capture information from network sensors based on identified incidents.
Department of Transportation To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to address identified weaknesses in the search function of the NCO database event query system to eliminate the need for manual workarounds and ensure that all data relevant for security investigations can be retrieved.
Closed – Implemented
FAA concurred with our recommendation and stated that it had implemented it as of April 2015. In fiscal year 2017, we verified that FAA, in response to our recommendation, had updated the NCO database event query system to address identified weaknesses in its search function.
Department of Transportation To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to develop a formal process for NCO to assess significant identified incidents for potential impact to NAS operations.
Closed – Implemented
As of August 2016, FAA has completed actions to address our recommendation. Specifically, we confirmed that FAA has developed an updated NAS Cyber Operations (NCO) Cyber Security Management Center (CSMC) Identified Incident Handling Standard Operating Procedures (SOP), dated December 2015, which includes a formal process for NCO to assess significant identified incidents for potential impact to NAS operations.
Department of Transportation To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to ensure that NAS incident response capabilities are adequately tested, and that test results are sufficiently documented.
Closed – Implemented
FAA concurred with our recommendation. In fiscal year 2018, we verified that FAA has completed actions to address our recommendation. Specifically, in response to our recommendation, FAA ensured that the incident response capabilities for NCO and three key NAS systems were adequately tested, and that the test results were sufficiently documented.
Department of Transportation To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to ensure that contingency plans for NAS systems are sufficiently documented, and that tests of contingency plans address key elements of the contingency plans, including notification procedures, recovering the system on an alternate platform, and system performance on alternate equipment.
Closed – Implemented
The Federal Aviation Administration (FAA) concurred with our recommendation. We confirmed that FAA sufficiently documented and updated the contingency plans for the NAS systems we reviewed. Additionally, FAA implemented compensating controls to ensure that tests of contingency plans addressed key elements of the plans. Specifically, FAA continued to rely on unscheduled maintenance activities to test key elements of the plans for the NAS systems we reviewed. The agency also ensured that it documented the test results of key activities, such as verifying notification procedures and recovering systems on an alternate platform. These actions meet the intent of our recommendation.
Department of Transportation To establish an integrated organization-wide approach to managing information security risk and to ensure that risk management decisions are aligned strategically with the FAA's mission, the Secretary of Transportation should direct the Administrator of FAA to update the FAA information security strategic plan to reflect current conditions, including the increased reliance on IP networking and the designation of the NAS as one of the nation's critical infrastructures.
Closed – Implemented
We confirmed that FAA has completed actions to address this recommendation. Specifically, FAA issued its updated information security strategic plan in September 2015. The plan reflects the importance and impact of significant changes to the National Airspace System (NAS) environment that we identified, including the increased reliance on IP networks, increased connectivity between systems, the introduction of NextGen systems, and the designation of the NAS as part of the nation's critical infrastructure.
Department of Transportation To establish an integrated organization-wide approach to managing information security risk and to ensure that risk management decisions are aligned strategically with the FAA's mission, the Secretary of Transportation should direct the Administrator of FAA to create an agency-wide commitment to strategic planning for information security by ensuring that planning activities are coordinated with all relevant organizations represented on the Cyber Security Steering Committee.
Closed – Implemented
In fiscal year 2017, we verified that FAA, in response to our recommendation, has created an agency-wide commitment to strategic planning for information security by ensuring that planning activities are coordinated with all relevant organizations represented on the Cybersecurity Steering Committee. Specifically, FAA ensured that information security strategic efforts are coordinated across all relevant organizations, and that all organizations have the same strategic vision for cybersecurity, by raising strategic cybersecurity issues at meetings of the Cybersecurity Steering Committee and discussing ATO/NAS-specific impacts and perspectives, and by establishing collaborative working groups under/associated with the Cybersecurity Steering Committee.
Department of Transportation To establish an integrated organization-wide approach to managing information security risk and to ensure that risk management decisions are aligned strategically with the FAA's mission, the Secretary of Transportation should direct the Administrator of FAA to clearly define organizational responsibilities for information security for NAS systems, and ensure that all relevant organizations, including the Office of Information and Technology and Air Traffic Organization, are in agreement with them.
Closed – Implemented
We confirmed that FAA has clearly defined organizational responsibilities for information security for NAS systems, and has ensured that all relevant organizations, including AIT and ATO, are in agreement with them.
Department of Transportation To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to provide NCO with security event log data for all Internet Protocol (IP)-connected NAS systems.
Closed – Implemented
The Federal Aviation Administration (FAA) concurred with our recommendation. In fiscal year 2019, we verified that FAA, in response to our recommendation, has taken actions to address this weakness. Specifically, of the 29 National Airspace System (NAS) systems that are currently IP-connected, FAA ensured that 23 of them provided security event logs to the NAS Cyber Operations (NCO) and formally accepted the risk for the remaining 6 systems. Of the remaining 6 that did not provide security event logs, FAA implemented compensating controls for 3 systems; documented plans to provide security event logs to NCO by the end of 2019 for 2 systems; and indicated that 1 system is planned to be decommissioned by 2020.
Department of Transportation To fully implement its information security program and ensure that unnecessary risks to the security of NAS systems are mitigated, the Secretary of Transportation should direct the Administrator of FAA to finalize the incident response policy for the Air Traffic Organization and ensure that NAS system-level incident response policies specify incident reporting timeframes and the need for all incidents to be reported in accordance with FAA guidance.
Closed – Implemented
FAA concurred with our recommendation. In fiscal year 2018, we verified that FAA has completed actions to address this recommendation. Specifically, in response to our recommendation, FAA finalized the incident response policy for the Air Traffic Organization and updated NAS system-level incident response policies to specify incident reporting timeframes and the need for all incidents to be reported.

Full Report

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Air traffic control systemsComputer securityControlled accessCritical infrastructureCybersecurityData encryptionInformation securityInternal controlsMonitoringNational airspaceRequirements definitionRisk managementSecurity threatsStandardsUnauthorized access