Govt Watchdog Finds Security Gaps in Key ATC Systems

Despite efforts to close security vulnerabilities, gaps remain in critical air traffic control systems, the Transportation Department Office of Inspector General (DOT OIG) found in newly-released audit results. According to the DOT OIG, the FAA had not fully implemented 1,836, or 11.3%, of the 16,245 required security controls for the 45 automation, surveillance/flight services, communications, and navigation/weather systems that the agency had categorized as “high impact.”

“Because the FAA has not ensured that all required high baseline security controls have been selected, properly implemented, documented, and tracked, or that risks have been otherwise mitigated where controls cannot be implemented, many of the FAA’s high-impact systems remain vulnerable to cyberattacks,” the DOT OIG maintained. “Consequently, the FAA cannot have assurance that critical NAS systems are protected from cybersecurity threats that could severely disrupt air traffic operations.”

Over the past decade, the FAA has recategorized 45 of its critical systems as “high impact” and requiring baseline security controls. This was done after previous DOT OIG and Government Accountability Office audits had found that the agency had not rated any of its critical air traffic control systems as high impact. In 2021, the DOT OIG followed with an audit revealing that the FAA still had not held the owners of these systems responsible for remediating what it called “high-impact baseline security controls.”

As a result, the DOT OIG followed with another audit to track progress in this area. The watchdog found that the FAA had begun implementing security controls, but some involved outdated standards, and the job overall was not complete. In some cases, the systems were missing the baseline security controls altogether, while planned implementation was still in the works for many others.

“According to FAA, these gaps exist in part because of technical and other challenges with FAA’s systems,” the DOT OIG stated. “Until these gaps are filled, these systems may be vulnerable to cyberattacks that could cause severe or catastrophic effects on the NAS.”

The DOT OIG made four recommendations around ensuring the updated controls are in place.