The Federal Aviation Administration has fallen short in its efforts to protect the national air traffic control system from terrorists or others who might try to hack into the computers used to direct planes in flight, according to a government report released Monday.
The Government Accountability Office report credited the FAA with taking steps to deter hackers but concluded that “significant security control weaknesses remain, threatening the agency’s ability to ensure the safe and uninterrupted operation of the national airspace.”
The FAA said it intends to implement the 14 changes recommended in the GAO report.
In a written response to the GAO last month, Keith Washington, acting assistant secretary for administration at the Department of Transportation, said the FAA already had achieved six “major milestones” toward improving cybersecurity and agreed with the GAO recommendations for improvements.
A central finding in the GAO report is that the aviation agency has not fully put in place an organization-wide structure to protect its computers from attack. The report says threats to the air traffic control system are growing from terrorists, criminals and foreign governments.
The GAO withheld details of specific security vulnerabilities.
Air traffic controllers are responsible for an average of 2,850 flights aloft at any given moment. The 14,000 controllers work in three types of facilities: 500 airport control towers that oversee landings and takeoffs; 160 facilities that direct planes to and from cruising altitudes; and 22 centers that supervise aircraft at cruising altitude.
The most serious threat would come if hackers broke into the system and found a way to disrupt the flow of aircraft without being noticed. A breach that was detected immediately, however, would be less likely to significantly compromise operations, experts said.
“The system is designed with contingency plans for a shutdown of any particular system,” said Steven B. Wallace, an aviation safety consultant who formerly directed the FAA office of accident investigation.
When fires — as in a recent incident in Chicago — tornadoes or other issues cause the rare shutdown of a facility, there are plans in place to transfer its responsibilities elsewhere in the system.
“Is it conceivable that a hack could go systemwide? I doubt it,” Wallace said, while acknowledging that ingenious hackers could strike anywhere. “I don’t know which computer system you couldn’t say that about.”
The GAO said, however, that as the FAA moves to implement the collections of computer-based systems known as NextGen, there will be increased integration of the FAA’s national air system computers, “creating a greater need to secure these systems from remote, external threats.”
The FAA needs to do a better job of controlling access to computer systems and establishing multiple firewalls to protect against unauthorized intruders, the GAO said. It also should enhance encryption of sensitive data and ensure that employees and contractors take required security training.
“A fundamental cause for these various weaknesses is that the FAA has not yet implemented an effective program for managing organizational information security,” the report said.
The FAA has created a cybersecurity steering committee, but the report said its work was hindered by disagreements between the agency’s technological office and the air traffic control group.