U.S. air traffic control computers vulnerable to hackers and other cyber security threats, GAO says

March 9, 2015
WASHINGTON, 9 March 2015. The U.S. commercial air traffic control (ATC) system is vulnerable to hackers and other cyber security threats, say auditors at the U.S. Government Accountability Office (GAO) in Washington, the investigative arm of Congress.

WASHINGTON, 9 March 2015. The U.S. commercial air traffic control (ATC) system is vulnerable to hackers and other cyber security threats, say auditors at the U.S. Government Accountability Office (GAO) in Washington, the investigative arm of Congress.

While the U.S. Federal Aviation Administration (FAA) has taken steps to protect ATC systems from cyber warfare threats, significant security control weaknesses remain, which threaten the FAA's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS), GAO investigators say.

Cyber weaknesses in the ATC system involve computers that control and protect air traffic system boundaries, identify and authenticate users, grant user access, sensitive data encryption, and monitoring FAA systems, GAO investigators say.

Additionally, shortcomings in boundary protection controls between less-secure systems and the operational National Airspace System (NAS) increase the risk from these weaknesses, GAO experts say.

Related: NASA ready to approach industry for simulations of future air traffic control system

FAA also did not implement its agency-wide information security program. As required by federal law, GAO says. FAA leaders did not test security controls sufficiently to determine that they were operating as intended; resolve identified security weaknesses in a timely fashion; or complete or adequately test plans for restoring system operations in the event of a disruption or disaster.

Additionally, the group responsible for incident detection and response for NAS systems did not have sufficient access to security logs or network sensors on the operational network, limiting FAA's ability to detect and respond to security incidents affecting its mission-critical systems.

FAA has not established an integrated, organization-wide approach to managing information security risk, GAO investigators say. Although the agency has established a cyber security steering committee to manage cyber risks, they did not establish information security practices.

In particular, FAA officials have not established roles and responsibilities for information security for the NAS or updated an information security strategic plan to reflect increased reliance on computer networks.

Related: General Dynamics to provide FAA with air traffic control radios

Until changes take place, the FAA's cyber security weaknesses are likely to continue, placing the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk, GAO investigators say.

GAO is making 17 recommendations to FAA to implement the agency's information security program and establish an integrated approach to managing information security risks.

For more information contact the GAO online at www.gao.gov, or the FAA at www.faa.gov.

About the Author

John Keller | Editor

John Keller is editor-in-chief of Military & Aerospace Electronics magazine, which provides extensive coverage and analysis of enabling electronic and optoelectronic technologies in military, space, and commercial aviation applications. A member of the Military & Aerospace Electronics staff since the magazine's founding in 1989, Mr. Keller took over as chief editor in 1995.

Voice your opinion!

To join the conversation, and become an exclusive member of Military Aerospace, create an account today!