The Government Accountability Office, known as the GAO for short, indicated in a report that the Federal Aviation Administration’s computer systems exhibit “significant security control weaknesses” and that they threaten the agency’s ability to ensure the safety and “uninterrupted operation of the national airspace.”
One of the primary findings of the GAO report pertained to a lack of structure protecting the aviation agency’s computers from cyberattack.
Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.
The report makes 17 recommendations and lists 168 specific actions to address weaknesses in security controls; the Washington Post reports that the FAA has indicated it intends to implement them.
While the accountability office withheld the details of the specific security vulnerabilities discovered, it did say that threats to the air traffic control system are growing, coming from foreign governments, criminals and, as is obvious to Americans in light of 9/11, terrorists.
Amongst the GAO’s recommendations for the FAA were the establishment of multiple firewalls to help prevent unauthorized intrusions, enhanced encryption, required security training for employees as well as contractors, and a better system for controlling access to computer systems.
Encrypting sensitive data helps mitigate the risk associated with intrusions: even if intruders manage to siphon off the data, strongly encrypted data can prove difficult for attackers to decipher in a timely fashion, if at all.
Because humans make mistakes, social engineers exploit human weaknesses in order to gather data and penetrate systems. One example, and one reason the GAO might recommend security training for contractors and employees, is the case of USB drives infected with a virus. The Stuxnet worm, for instance, used infected USB flash drives as one means through which it propagated. This technique allowed the malware to cross air-gapped networks, that is, networks that have been physically isolated. Simply plugging an infected USB stick into a computer on an air-gapped network is all it would take for the virus to spread to the otherwise isolated network, and this could potentially be avoided through proper training of personnel and a system of controlled access to secure systems.
An analysis published in February by researchers at Kaspersky Lab, a Russian-based international cybersecurity firm, attributed the Stuxnet virus to a shadowy group of NSA-linked hackers the company dubbed the “Equation Group” in its report. The report also implicated the sophisticated, world-class hacking group in the infection of hard drives produced by various manufacturers around the world.
The hard-drive hacking scandal was reportedly part of an NSA espionage campaign, according to various reports, some of which cited sources with knowledge of the program.
Are you glad the GAO is making these recommendations to the FAA in order to preemptively address security concerns with the U.S. agency responsible for the development, safety and regulation of civil aviation, as well as the oversight of the development of air traffic control?