Report: FAA security doesn't fly

The Federal Aviation Administration lacks security controls for its IT networks and in some cases hasn't installed software patches that are several years old, according to a report made public last week by the U.S. Government Accountability Office.

The FAA's lack of controls on network security and passwords, user accounts, and user privileges could "lead to disruption in aviation operations," the GAO report said. The FAA had not installed patches released in 2002 on some of its servers and has permitted "excessive access" to air traffic control systems by granting permissions that allowed more access than users needed to do their jobs, according to the GAO.

The FAA says the GAO's findings do not reflect the overall security of FAA systems, such as air traffic control. The GAO examined only three of the FAA's 80 information systems, says FAA spokesman Greg Martin. "We have a very secure system," he says.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

The Federal Aviation Administration lacks security controls for its IT networks and in some cases hasn't installed software patches that are several years old, according to a report made public last week by the U.S. Government Accountability Office.

The FAA's lack of controls on network security and passwords, user accounts, and user privileges could "lead to disruption in aviation operations," the GAO report said. The FAA had not installed patches released in 2002 on some of its servers and has permitted "excessive access" to air traffic control systems by granting permissions that allowed more access than users needed to do their jobs, according to the GAO.

The FAA says the GAO's findings do not reflect the overall security of FAA systems, such as air traffic control. The GAO examined only three of the FAA's 80 information systems, says FAA spokesman Greg Martin. "We have a very secure system," he says.

The FAA has established an extensive security-training program, deployed intrusion-detection systems and established a cybersecurity incident response center, FAA officials told the GAO. The GAO conducted the security review between March 2004 and June 2005, at the request of two congressmen.

The GAO report failed to look at the FAA's "multiple redundant systems" and special access protocols built in to its IT infrastructure, Martin adds, mirroring comments in the report from FAA CIO Dan Mehan's office. Asked about unpatched systems, Martin says the FAA has used a "risk-based" approach to patch the most important vulnerabilities.

FAA will consider GAO's recommendations, Martin says. "It's important to note that as we go about implementing a systemwide security program, we're not going to go in quickly and install systems for the sake of meeting some schedule, but rather, do it very carefully, do it very deliberately," he says. "We don't want patches to have unintended, adverse consequences."

Read more about security in Network World's Security section.