The Internet hasn’t totally invaded the nation’s air traffic control system, but as it does the Federal Aviation Administration faces a growing challenge to make sure the network is locked down secure.
The security issues arise as the agency moves from a point-to-point legacy air traffic control structure to a new IP-based system commonly known as NextGen or Next Generation Air Transportation System. NextGen in a nutshell will move the current radar-based air traffic system to one that is based on satellite navigation and automation.
+More on Network World: The most magnificent high-tech flying machines+
“As the agency transitions to NextGen, the FAA faces cybersecurity challenges in at least three areas: (1) protecting air-traffic control information systems, (2) protecting aircraft avionics used to operate and guide aircraft, and (3) clarifying cybersecurity roles and responsibilities among multiple FAA offices,” according to a report issued this week by the Government Accountability Office.
According to FAA, so far, approximately 36% of the air traffic control systems in the national airspace system (NAS) are connected using IP, and FAA officials expect the percentage of NAS systems using IP networking to grow to 50 to 60% by 2020.
According to researchers with MITRE and other experts, this hybrid system is the FAA’s first challenge as a system made up of both IP-connected and point-to-point subsystems increases the potential for the point-to-point systems to be compromised because of the increased connectivity to the system as a whole provided by the IP-connected systems, the GAO stated.
“The older systems are difficult to access remotely because few of them connect from FAA to external entities such as through the Internet. They also have limited lines of direct connection within FAA. Conversely, the new information systems for NextGen programs are designed to interoperate with other systems and use IP networking to communicate within FAA. According to experts, if one system connected to an IP network is compromised, damage can potentially spread to other systems on the network, continually expanding the parts of the system at risk,” the GAO stated.
From the GAO: “FAA officials and experts we interviewed said that modern aircraft are also increasingly connected to the Internet, which also uses IP-networking technology and can potentially provide an attacker with remote access to aircraft information systems. Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors. FAA officials and cybersecurity and aviation experts we spoke to said that increasingly passengers in the cabin can access the Internet via onboard wireless broadband systems. One cybersecurity expert noted that a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through there infected machines.”
The GAO said most of the cybersecurity experts it utilized in forming its report -- those experts including representatives from HP, MITRE, Columbia University, Raytheon and others --said the FAA should adopt a enterprise-level holistic threat modeling program that would let the agency identify known threats, including insider threats, across its organization and align its cybersecurity efforts and limited resources accordingly to protect its mission.
+More on Network World: The zany world of identified flying objects+
For its part the FAA has not produced a plan to develop an enterprise-wide threat model but has made some initial steps toward developing such a model, the GAO stated. Specifically, FAA officials said that they have examined threats to the future NextGen air-transportation system and are currently working to develop multiple threat models. Such efforts include reviewing the resiliency of the air traffic control system in conjunction with the Department of Homeland Security (DHS). According to FAA, it also assesses risks associated with individual systems when it acquires them and during system reauthorization.
The GAO report also found that the FAA is making strides to address the challenge of clarifying cybersecurity roles and responsibilities among multiple FAA offices, such as creating a Cyber Security Steering Committee (the Committee) to oversee information security. However, the FAA’s own Office of Office of Safety is not represented on the Committee but can be included on an ad-hoc advisory basis, the GAO stated. Not including AVS as a full member could hinder FAA’s efforts to develop a coordinated, holistic, agency-wide approach to cybersecurity, the GAO said. FAA’s Office of Safety (AVS) currently certifies new interconnected systems through rules for specific aircraft and has started reviewing rules for certifying the cybersecurity of all new aircraft systems.
Check out these other hot stories: