The FAA’s air traffic control system is at “increased and unnecessary risk” from cyber-attacks and other threats, according to a government report released this week. The analysis by the Government Accountability Office found weaknesses in controlling access to computer systems, encrypting sensitive data, and implementing security programs. For example, the auditors found the agency’s information security systems and procedures don’t meet the requirements of a 2002 law, and its information security strategic plan hasn’t been updated since 2010. The GAO recommended 168 specific actions that the FAA should take to improve the security of the National Airspace System, and the FAA concurred.
“A large, complex, interconnected system like the NAS inherently faces many security risks,” says the GAO report. “Although FAA took many steps to address these risks, weaknesses remain. … Until FAA establishes stronger agency-wide information security risk management processes, fully develops its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses that we identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.” In a letter responding to the report, Keith Washington, of the Transportation Department, said the FAA is working to “increase cyber-security awareness and competence across the agency and to build an agile, highly skilled cyber-security workforce.”
