With new TSA restrictions following the attacks of 9/11, most Americans have settled their fears associated with flying. But with the evolution of the Internet Age we may be facing a new security concern in the skies: the Internet of Things. In January, the United States Government Accountability Office conducted an investigation and reported that the Federal Aviation Administration (FAA) has several weaknesses in the air traffic control system. These vulnerabilities could be exploited if left unfixed.
The FAA is under the umbrella of the Department of transportation. The mission of FAA is to provide the “safest, most efficient aerospace system in the world.” The FAA oversees the National Airspace System (NAS), which includes air traffic control systems, ATC procedures, operational facilities, aircraft, and the people who certify, operate, and maintain them.
This large network of equipment and people opens many metaphorical doors for weaknesses. Several organizations within FAA are responsible for information security and this is why many of the weaknesses are cause for worry.
The almost-50-page report outlines the background of the investigation, the systems at risk, and recommendations for action.
There are many weaknesses in the controls intended to prevent, limit, or detect unauthorized access to computer resources. There was a major theme found within the report: inconsistency.
The report found that some security policies in place did not consistently protect from possible intrusions. Consistency issues were found with identifying and authenticating users, controlling authorized access, and encryption protocols for sensitive data.
One way the FAA manages information systems are identification and authentication controls. Typically users are authenticated with a user ID and strong password. The strong password should be a certain length, and include upper- and lower-case letters, numbers, and special characters. There were inconsistencies found in enforcement. Some applications or servers didn’t implement the strong password requirements.
Another issue was found with sensitive data. The report relays information that the FAA did not always ensure sensitive data was encrypted during transmission and at rest. Certain NAS devices did not encrypt authentication during transmission across the network. On other systems, passwords were not encrypted at rest, and the algorithms were not strong enough. These weaknesses leave accounts open to interception and eavesdropping from attackers.
Issues were found with the overall management of hardware, software, and firmware. Configuring and maintaining a large network, like the NAS, takes sophisticated policies, procedures, techniques, and talent. Regular patching is a critical component for keeping systems secure; outdated software is vulnerable to attack. The GAO reported that the FAA did not always follow the control process they have in place, making changes to a device without documenting, analyzing, and testing security before implementing the change. Also, some devices would go long periods of time before security patches were put into place.
In summary, several of these issues are rooted in the lack of an organization-wide program for managing information security and risks to the FAA. The interconnectivity of the NAS, along with the large amounts of information being processed and transmitted significantly increases the chance for exploitation—and poses risks for anyone who depends on safe air transportation.
At the conclusion of the report, GAO recommended over a dozen executive actions and also issued 168 recommendations that were not disclosed to the public. The FAA responded saying they agreed with the recommendations and the FAA recognizes the need to secure the NAS environment.
Although the report did not publicly release the GAO’s recommendations, here are some of ours:
System admins must check for regular updates and patches, test them before implementation, and keep systems up-to-date. Keeping operating systems and software updated is a simple way of protecting your organization against vulnerabilities.
Ensure sensitive data is encrypted during transmission using a SSL Certificate and at rest using a hard drive or at a data storage facility. SSL Certificates should be used for login portals and device-to-device communication.
Lack of security diminishes trust in any industry. The FAA cannot take chances with information security because so many people depend on safe plane travel. The FAA should move swiftly to resolve the weaknesses with IoT in the sky.