Air Traffic Control:

FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen

GAO-15-370: Published: Apr 14, 2015. Publicly Released: Apr 14, 2015.

Additional Materials:

Contact:

Gerald Dillingham, Ph.D.
(202) 512-2834
dillinghamg@gao.gov

 

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Nabajyoti Barkakati, Ph.D.
(202) 512-4499
barkakatin@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

As the agency transitions to the Next Generation Air Transportation System (NextGen), the Federal Aviation Administration (FAA) faces cybersecurity challenges in at least three areas: (1) protecting air-traffic control (ATC) information systems, (2) protecting aircraft avionics used to operate and guide aircraft, and (3) clarifying cybersecurity roles and responsibilities among multiple FAA offices.

As GAO reported in January 2015, FAA has taken steps to protect its ATC systems from cyber-based threats; however, significant security-control weaknesses remain that threaten the agency's ability to ensure the safe and uninterrupted operation of the national airspace system. FAA has agreed to address these weaknesses. Nevertheless, FAA will continue to be challenged in protecting ATC systems because it has not developed a cybersecurity threat model. NIST guidance, as well as experts GAO consulted, recommend such modeling to identify potential threats to information systems, and as a basis for aligning cybersecurity efforts and limited resources. While FAA has taken some steps toward developing such a model, it has no plans to produce one and has not assessed the funding or time that would be needed to do so. Without such a model, FAA may not be allocating resources properly to guard against the most significant cybersecurity threats.

  • Modern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems. As part of the aircraft certification process, FAA's Office of Safety (AVS) currently certifies new interconnected systems through rules for specific aircraft and has started reviewing rules for certifying the cybersecurity of all new aircraft systems.
  • FAA is making strides to address the challenge of clarifying cybersecurity roles and responsibilities among multiple FAA offices, such as creating a Cyber Security Steering Committee (the Committee) to oversee information security. However, AVS is not represented on the Committee but can be included on an ad-hoc advisory basis. Not including AVS as a full member could hinder FAA's efforts to develop a coordinated, holistic, agency-wide approach to cybersecurity.

FAA's acquisition management process generally aligned with federal guidelines for incorporating requirements for cybersecurity controls in its acquisition of NextGen programs. For example, the process included the six major information-technology and risk-management activities as described by NIST. Timely implementation of some of these activities could have been improved based on their importance to NextGen, cost, and deployment status. The Surveillance and Broadcast Services Subsystem (SBSS)—which enables satellite guidance of aircraft and is currently deployed in parts of the nation—has not adopted all of the April 2013 changes to NIST security controls, such as intrusion detection improvements, although the Office of Management and Budget guidance states that deployed systems must adopt changes within one year. Systems with weaknesses that could be exploited by adversaries may be at increased risk if relevant controls are not implemented.

Why GAO Did This Study

FAA is responsible for overseeing the national airspace system, which comprises ATC systems, procedures, facilities, and aircraft, and the people who operate them. FAA is implementing NextGen to move the current radar-based ATC system to one that is based on satellite navigation and automation. It is essential that FAA ensures effective information-security controls are incorporated in the design of NextGen programs to protect them from threats.

GAO was asked to review FAA's cybersecurity efforts. This report (1) identifies the cybersecurity challenges facing FAA as it shifts to the NextGen ATC system and how FAA has begun addressing those challenges, and (2) assesses the extent to which FAA and its contractors, in the acquisition of NextGen programs, have followed federal guidelines for incorporating cybersecurity controls. GAO reviewed FAA cybersecurity policies and procedures and federal guidelines, and interviewed FAA officials, aviation industry stakeholders, and 15 select cybersecurity experts based on their work and recommendations by other experts.

What GAO Recommends

GAO recommends that FAA: 1) assess developing a cybersecurity threat model, 2) include AVS as a full member of the Committee, and 3) develop a plan to implement NIST revisions within OMB's time frames. FAA concurred with recommendations one and three, but believes that AVS is sufficiently involved in cybersecurity. GAO maintains that AVS should be a member of the Committee.

For more information, contact Gerald L. Dillingham, Ph.D. at (202) 512-2834 or dillinghamg@gao.gov, Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, Nabajyoti Barkakati, Ph.D. at (202) 512-4499 or barkakatin@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Priority recommendation

    Comments: FAA initiated its current modernization efforts in 2004 with the Next Generation Air Transportation System (NextGen), which consists of several programs that provide digital communications between controllers and pilots, as well as between satellite-based surveillance and navigation. NextGen increases reliance on integrated information systems and distribution of information, digital communication methods, and Global Positioning System (GPS) technology that may put the air-traffic control (ATC) system at greater risk for intentional or unintentional information-system failures and breaches. In 2015, GAO reported that as the agency transitions to NextGen, FAA faces cybersecurity challenges in several areas that include among other things, protecting air-traffic control (ATC) information systems. GAO previously reported that FAA had taken steps to protect its ATC systems from cyber-based threats; however, significant security-control weaknesses remain that threaten the agency's ability to ensure the safe and uninterrupted operation of the national airspace system. FAA had agreed to address these weaknesses. Nevertheless, FAA would continue to be challenged in protecting ATC systems because it had not developed a cybersecurity threat model. NIST guidance, as well as the 12 selected experts GAO consulted, recommended that FAA develop an enterprise-level holistic threat model. Such a model was needed to identify potential threats to information systems, and serve as a basis for aligning cybersecurity efforts and limited resources. While FAA had taken some steps toward developing a holistic threat model, it had no plans to produce one and has not assessed the funding or time that would be needed to do so. Without a holistic threat model, FAA might not allocate resources properly to guard against the most significant cybersecurity threats. Therefore, GAO recommended that FAA, as a first step to developing an agency-wide threat model, assess the potential cost and timetable for developing such a threat model and the resources required to maintain it. In 2017, GAO confirmed that FAA issued the "FAA Threat Model Schedule and Cost Estimate, Report of Findings," which was in direct response to the above GAO recommendation. Specifically, the report stated that FAA is developing an Enterprise Threat Model that will be a holistic approach to the identification and assessment of cybersecurity threats, hazards and vulnerabilities. The report provided a detailed schedule and cost estimate for developing the Enterprise Threat Model as well as the resources to maintain it. As a result, FAA has an estimate of the funding and time required to develop such a system as well as the resources needed to implement it.

    Recommendation: To better ensure that cybersecurity threats to NextGen systems are addressed, as a first step to developing an agency-wide threat model, the Secretary of Transportation should instruct the FAA Administrator to assess the potential cost and timetable for developing such a threat model and the resources required to maintain it.

    Agency Affected: Department of Transportation

  2. Status: Closed - Implemented

    Comments: FAA initiated its current modernization efforts in 2004 with the Next Generation Air Transportation System (NextGen), which consists of several programs that provide digital communications between controllers and pilots, as well as between satellite-based surveillance and navigation. NextGen increases reliance on integrated information systems and distribution of information, digital communication methods, and Global Positioning System (GPS) technology that may put the air-traffic control (ATC) system at greater risk for intentional or unintentional information-system failures and breaches. In 2015, GAO reported that as the agency transitions to NextGen, FAA faces cybersecurity challenges in several areas that include among other things, protecting aircraft avionics used to operate and guide aircraft, and clarifying cybersecurity roles and responsibilities among multiple FAA offices. Modern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems. As part of the aircraft certification process, FAA's Office of Safety (AVS) certifies new interconnected systems through rules for specific aircraft and has started reviewing rules for certifying the cybersecurity of all new aircraft systems. FAA is also making strides to address the challenge of clarifying cybersecurity roles and responsibilities among multiple FAA offices, such as creating a Cyber Security Steering Committee (the Committee) to oversee information security. However, AVS is not represented on the Committee but can be included on an ad-hoc advisory basis to allow its subject matter experts to share information and recommendations. Not including AVS as a full member could hinder FAA's efforts to develop a coordinated, holistic, agency-wide approach to cybersecurity. Therefore, GAO recommended that FAA incorporate AVS into FAA's agency-wide approach by including it on the Cybersecurity Steering Committee. In 2017, GAO confirmed that FAA had made AVS a member of the Committee. As a member, AVS is able to share and exchange cybersecurity information regarding operational and airworthiness regulatory action that include aircraft cybersecurity initiatives, which support the FAA-wide cybersecurity effort. As a result, FAA is better positioned to help ensure that cybersecurity threats to NextGen systems are addressed.

    Recommendation: To better ensure that cybersecurity threats to NextGen systems are addressed, the Secretary of Transportation should instruct the FAA Administrator to incorporate the Office of Safety into FAA's agency-wide approach by including it on the Cybersecurity Steering Committee.

    Agency Affected: Department of Transportation

  3. Status: Closed - Implemented

    Priority recommendation

    Comments: FAA is implementing the Next Generation Air Transportation System (NextGen) to move the current radar-based air-traffic control (ATC) system to one that is based on satellite navigation and automation. This move will also employ digital and Internet-based computer-networking technologies, exposing the ATC system to evolving and growing cybersecurity risks. It is essential that FAA ensures effective information-security controls are incorporated in the design of NextGen programs to protect them from threats. In 2015, GAO reported that its analysis of two NextGen foundational programs, Surveillance and Broadcast Services Subsystem (SBSS) and Data Communications (Data Comm), revealed instances in which some of NIST's latest security controls-such as in intrusion detection improvements-were not incorporated into these programs. For these programs, FAA relied on contractors to assist with or complete most of the broad information technology and risk management activities. Specifically, SBSS and Data Comm contractors were not required to implement the most recent controls unless specifically tasked to do so by FAA. For example, the SBSS program asked the contractor to implement more recent NIST controls on an ad-hoc basis. However, these actions were outside of the contract's requirements and, according to program officials, had to be paid for separately. While ad-hoc additions may have been sufficient in some cases, SBSS had not yet implemented some of the controls that NIST recommended in its 2010 revision, but planned to address these controls in accordance with NIST's 2013 Rev. 4 update as these were part of a large update. SBSS officials explained that they did not previously have funding for an update of such a large scope, but they requested and received funding beginning in fiscal year 2015. Given the pace of evolving cybersecurity threat to information, the Office of Management and Budget (OMB) required that, if NIST updates its security control guidance, deployed systems must implement all relevant updates within one year or accept the risk within the flexibilities allowed agencies in the NIST 800 series publications, and systems under development must comply with NIST publications upon their eventual deployment. Systems with weaknesses that could be exploited by adversaries may be at increased risk if relevant controls in the new NIST guidelines are not implemented. Therefore, GAO recommended that FAA develop a plan to fund and implement the NIST revisions within OMB's time frames. In 2018, GAO confirmed that FAA took action to implement NIST revisions for SBSS. FAA has signed a contract that provides funding to implement the security controls needed to remediate cybersecurity issues with SBSS and includes a schedule for completion. In 2019, GAO confirmed that FAA took action to implement NIST revisions for Data Comm. FAA tasked its contractors to implement 25 prioritized NIST SP 800-53 Rev. 4 controls, which are the most recent. The contractor has overseen completion of 23 of those controls, with the remainder to be completed in 2020. FAA's actions will better enable the agency to mitigate program exposure to cybersecurity threats.

    Recommendation: To better ensure that cybersecurity threats to NextGen systems are addressed, given the challenges FAA faces in meeting the Office of Management and Budget's (OMB) guidance to implement the latest security controls in the National Institute of Standards and Technology's (NIST) revised guidelines within one year of issuance, the Secretary of Transportation should instruct the FAA Administrator to develop a plan to fund and implement the NIST revisions within OMB's time frames.

    Agency Affected: Department of Transportation

 

Explore the full database of GAO's Open Recommendations »

Oct 3, 2019

Sep 17, 2019

Sep 10, 2019

Aug 26, 2019

Aug 22, 2019

Jul 31, 2019

Jul 22, 2019

Jul 18, 2019

Jul 17, 2019

Jul 1, 2019

Looking for more? Browse all our products here