A government watchdog is calling on the FAA to update and complete plans to mitigate security breaches of its Data Communications (DataComm) system and minimize the potential effects of a loss of availability. On July 6, the Department of Transportation Office of Inspector General (OIG) released a report on FAA’s actions to guard against such DataComm security breaches, finding the “FAA is identifying—but is not mitigating—security risks in a timely manner.” The review focused on the FAA’s Data Communications Network Service (DCNS) and Tower Data Link Services (TDLS).
The OIG recognized that DataComm, which enables controllers and pilots to communicate digitally, is a key part of the FAA’s NextGen modernization effort. By early this year, DataComm had been rolled out to 57 airports, with another seven in line for the system, and was fully operational in more than 1,100 aircraft, the OIG said.
“Thus, it is critical that FAA incorporate sufficient controls to protect against potential security threats to that communication, including an effective contingency plan to ensure a quick recovery from losses of DataComm availability,” the watchdog added.
The OIG was specifically concerned about the FAA’s delays in implementing two “high impact” plans. Originally to be in place by October 2017, the first plan is now slated for implementation by the end of the year and the second by March 31, 2019. “[The] FAA had previously identified these two security deficiencies and wrote the [plans] to mitigate the control weaknesses, but did not meet, reduce, or eliminate the vulnerabilities by the planned completion dates,” the OIG said. “IT security control weaknesses that remain unaddressed for extended periods of time can create unnecessary system exposures that may be exploited by intruders or compromise the availability or integrity of systems and data.”
The OIG added that the delays stemmed from a funding issue and the FAA was currently working with a vendor to complete them. The OIG did not detail the security deficiencies.
The OIG, however, did say the FAA’s contingency plans for DCNS and TDLS “are sufficient to limit the effects of DataComm unavailability.”