Study: FAA's System Lacks InfoSec FocusAgency Encouraged to Inculcate a CyberSec Mindset Everywhere
The Federal Aviation Administration has failed to integrate cybersecurity fully in its Next Generation Air Transportation Systems, as well as the current National Airspace System (NAS), a federal report says.
Published May 1 by The National Academies' National Research Council, the report titled A Review of the Next Generation Air Transportation System: Implications and Importance of System Architecture says cybersecurity challenges can be found in NextGen's major software platforms, as well as specification and design of embedded avionics equipment that connects directly to the NAS.
The NAS is the combination of airspace, navigation facilities, air traffic control systems and airports. NextGen is the new NAS system being rolled out in stages by the FAA over a 13-year period that's scheduled to be completed by 2025. Unlike the current NAS ground-based air control system, NextGen will feature a satellite-based network.
Shunning a Piecemeal Approach
"Cybersecurity requires a system-wide approach that is managed architecturally and cannot be addressed piecemeal by each contractor, or program, separately," the report says. "Nor can security be added to the system later. Safety properties themselves are dependent on a resilient, trustworthy, secure system, so careful integration of cybersecurity models and processes into safety analysis will become increasingly important."
The Council, in its report, recommends that the FAA incorporate cybersecurity as systems' characteristics at all levels of the architecture and design. "The FAA should begin by developing a threat model followed by an appropriate set of architectural and design concepts that will mitigate the associated risks, support resilience in the face of attack or compromise and allow for dynamic evolution to meet a changing threat environment," the report's recommendation states. "The FAA should inculcate a cybersecurity mindset complementary to its well-established safety mindset throughout the organization, its contractors and leadership."
The FAA did not respond to a request for a comment. But Keith Washington, Department of Transportation acting assistant secretary for administration, told the Government Accountability Office in a March 31 letter that the FAA is in the midst of an "expedited transition to a more comprehensive and proactive approach to cyberthreat protection, detection and rapid response."
Progressing by 'Fits and Starts'
Melanie Hinton, managing director of the trade group Airlines for American, points out that as key stakeholders in the NextGen process, the airlines strongly support its implementation. "Unfortunately, [NextGen has] progressed by fits and starts," she says. "Changing the FAA governance structure and funding mechanism are needed to move NextGen forward. Today, the governance structure creates an environment in which our aviation system is often treated like a political football. Further, the stops and starts of the federal budget process have also slowed progress. Taxpayers and users of the national airspace deserve better."
Aviation expert Lawrence Dietz, general counsel and managing director for information security at the consultancy TAL Global, says the FAA's failing to integrate IT security fully into its systems isn't uncommon among federal government agencies. "Security is not driving the train, except in today's world, security needs to be the driver, particularly in critical infrastructure," Dietz says. "Security can be life or death with airplanes. I know that mission takes precedence, but certain sectors within the critical infrastructure need to give security equal billing."
The report's authors characterize "NextGen" as a misnomer, saying it's basically an incremental modernization of the NAS that doesn't have an obvious completed state. "Given the continuing rapid pace of technological evolution and ongoing changes in what is demanded of the NAS, the NextGen effort is properly seen as an ongoing process punctuated by particular efforts focused on particular capabilities," the authors write. "Resetting expectations with a clear baseline will provide a useful foundation on which to build."
Citing a recent Government Accountability Office audit of the FAA, the Council says it saw little evidence of adequate measures to defend systems against various kinds of attack. "As systems are increasingly digital and dependent on communications and networks, and as the threat landscape for the nation as a whole continues to evolve, cybersecurity will need to be an important and integral part of safety activities and is an ongoing operational matter," the Council says.
GAO Identifies 3 Cyber Challenges to Transition to NextGen
In its April 14 report, the GAO identified three areas the FAA must address as it transitions to NextGen: Protecting air-traffic control information systems, protecting aircraft avionics used to operate and guide aircraft and clarifying cybersecurity roles and responsibilities among multiple FAA offices.
Not directly related to NextGen, that GAO report also points out that aircrafts' increasingly connectivity to the Internet such as through onboard Wi-Fi systems could potentially provide an attacker with remote access to aircraft information systems. That could potentially result in the planting of malware in the aircraft's systems if proper controls such as role-based access aren't implemented. "The presence of personal smart phones and tablets in the cockpit increases the risk of a system's being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems," the GAO report says.