While the Federal Aviation Administration has made
progress implementing information security controls for
its air traffic control system, the Government
Accountability Office has identified “significant security
weaknesses that threaten the integrity, confidentiality,
and availability of FAA’s systems – including weaknesses
in controls that are designed to prevent, limit, and detect
access to these systems.”
It said the agency has not adequately managed its networks,
software updates, user accounts, passwords, or privileges,
and has not consistently logged security-relevant events.
GAO also found weaknesses in other controls, including
physical security, background investigations, segregation
of duties, and system changes, that increase the risk that
“users could breach FAA’s air traffic control systems,
potentially disrupting aviation operations.”
Agency officials acknowledged the weaknesses, but said
unauthorized access to the agency’s proprietary systems and
custom-built interfaces and software, all of which run on
older equipment, is unlikely, according to
GAO-05-712.
However, GAO raised the possibility of “attacks by
disgruntled current or former employees or . . . more
sophisticated hackers,” and more generally faulted FAA for
not yet having fully implemented its information security
program.
Other weaknesses cited in the report include “outdated
security plans, inadequate security awareness training,
inadequate system testing and evaluation programs, limited
security incident-detection capabilities, and shortcomings
in providing service continuity for disruptions in operations.”