A report by the Government Accounting Office (GAO) found significant weaknesses in the Federal Aviation Administration's (FAA) cyber security management.
The GAO found that although the FAA has taken steps to protect its Aircraft Traffic Control (ATC) systems from cyber-based threats, there remain significant security-control weaknesses that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system. FAA has agreed to address these weaknesses.
“Nevertheless, FAA will continue to be challenged in protecting ATC systems because it has not developed a cybersecurity threat model. NIST guidance, as well as experts GAO consulted, recommend such modeling to identify potential threats to information systems, and as a basis for aligning cybersecurity efforts and limited resources. While FAA has taken some steps toward developing such a model, it has no plans to produce one and has not assessed the funding or time that would be needed to do so. Without such a model, FAA may not be allocating resources properly to guard against the most significant cybersecurity threats.”
The GAO’s other criticism concerned the challenge of new aircraft being connected to the Internet. These types of connection are approved by the current certification body, the FAA’s Aviation Safety Office (AVS). The AVS is not represented on the FAA’s Cyber Security Steering Committee, and the GAO recommended that it should be.
According to the report, the “FAA is making strides to address the challenge of clarifying cybersecurity roles and responsibilities among multiple FAA offices, such as creating a Cyber Security Steering Committee (the Committee) to oversee information security. However, AVS is not represented on the Committee but can be included on an ad-hoc advisory basis. Not including AVS as a full member could hinder FAA’s efforts to develop a coordinated, holistic, agency-wide approach to cybersecurity.”