GAO finds highly critical security issues, FAA concurs

Mar 3, 2015 15:48 GMT

Serious security control flaws have been found in the systems the US Federal Aviation Administration (FAA) uses to guide planes and other aircraft, a report from the US Government Accountability Office (GAO) reveals.

Working for Congress, GAO is responsible for checking how the federal government spends taxpayer money.

Encryption, authorization and network isolation faults

While reviewing FAA’s information security program, the US watchdog has found “significant security control weaknesses,” which could pose a threat to the operation of the national airspace system (NAS).

In a lengthy report spanning over 40 pages, GAO revealed the flaws encountered during its evaluation, which range from failure to ensure proper authorization for accessing NAS to negligence in implementing acceptable audit and monitoring controls.

Among the faults uncovered by GAO’s scrutiny was the fact that FAA had not isolated sensitive networks with firewall rules restricting inbound and outbound connections, although the means to do so were available.

Another serious flaw concerns the identification, authentication and authorization of users and devices that accessed NAS machines. Passwords were neither set to expire nor strong enough, and access privileges were granted to users who did not need them to fulfill their responsibilities.

In its assessment, GAO discovered that encryption was not always used for sensitive data (such as authentication credentials) in transit or at rest.

Insufficient logging, outdated software and hardware

FAA also failed to conduct regular reviews of network events, which could reveal suspicious activity by a threat actor and help identify intrusion attempts and even a developing cyber-attack.

Audit and monitoring controls were not implemented, leading to limited capability to check network traffic and to collect relevant security-related events.

Apart from this, one FAA system was found to have been updated even though no impact assessment had been conducted and the modifications had not been approved.

On the other hand, some NAS systems were missing updates dating back three years and some key servers were no longer supported by the vendor, so security patches were no longer issued for them.

Total GAO recommendations tally: 185

Some of the issues discovered were in contradiction with FAA’s own policies regarding the safety of its operations.

Despite establishing the Cyber Security Steering Committee to provide an agency-wide risk management function, the organization did not set roles and responsibilities for the security of NAS systems, or update the information security strategic plan so that it mirrored the increased reliance on computer networks.

At the end of its report, GAO made 17 recommendations designed for full implementation of the information security program and mitigation of risks touching on NAS.

In addition, a separate, non-public report recommends a total of 168 specific actions to address 60 weaknesses relating to access controls and configuration management.

After reading the report, FAA agreed to all the recommendations made by the congressional watchdog.