Delays in implementing cybersecurity tools are inhibiting the FAA from remaining up-to-date on its efforts to fully identify and mitigate vulnerabilities, according to a new report from the Department of Transportation’s Office of Inspector General (OIG). At the request of U.S. House Transportation and Infrastructure Committee leaders, the OIG examined the FAA’s progress in meeting cybersecurity enhancements that Congress mandated in the FAA Extension, Safety, and Security Act adopted in 2016.
The OIG found that the FAA has taken significant steps in enhancing security. As required by Congress, the FAA completed a cybersecurity strategic plan, coordinated with other agencies to identify vulnerabilities, and developed a threat model and research and development plan, the OIG said.
However, the agency has not yet completed a comprehensive framework for the identification and mitigation of risks, the OIG added. Specifically, the FAA had established a government-industry working group to recommend rulemaking and policies for aircraft systems. But citing other rulemaking priorities, the agency has not set target dates to implement four recommendations covering engines, propellers, rotorcraft, and general aviation. “The FAA’s lack of target dates for the four recommendations inhibits the agency’s ability to fully implement regulations and policy to mitigate cybersecurity issues for the diverse range of aircraft operating in the National Airspace System (NAS), as required by the [congressional] act,” the OIG said.
Further, the agency has developed a cybersecurity risk model in conjunction with Mitre Corp. that is designed to take an end-to-end approach to assessing risks. At the time of the OIG audit conducted late last year, the agency was still working to implement the model across all of the NAS, as well as mission support and research and development (R&D) efforts.
The FAA also was still formulating its R&D requirements and priorities for Fiscal Year 2019 and beyond. “This lack of finalized priorities makes it difficult for FAA to pursue improved safeguards for the NAS and limits the agency’s ability to achieve a total systems cybersecurity approach,” the OIG said.
As a result of the findings, the OIG recommended that the FAA develop target dates for the outstanding four recommendations from the working group, develop a plan with target dates to fully implement the cybersecurity risk model, and establish R&D priorities. The FAA has agreed to move forward on all fronts.
Senate Commerce Committee members Edward Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) said the FAA needs to swiftly meet the OIG recommendations. In a joint statement, the senators said the agency has failed to “fully adopt sensible, meaningful cybersecurity protections. We need to ensure our aircraft, ground support equipment, and operations and maintenance practices are protected from cyberattacks, but we are still at risk.”