Oversight

Air traffic systems need better security monitoring, says watchdog


The Federal Aviation Administration and its parent agency the Department of Transportation are out of sync when it comes to cybersecurity, according to a critical oversight report.

The DOT inspector general found that the critical National Airspace Systems, which comprise the air traffic control systems for civilian flight, are not properly linked to the agency's Security Operations Center. The IG report blamed the department's CIO office for not pushing compliance with policies that require oversight of 39 NAS systems as well as monitoring of cloud providers used by the FAA. The report also found that the FAA created its own cyber monitoring system for NAS systems in 2013, without consulting the CIO's office.

"OCIO's lack of enforcement of DOT's cyber security policies coupled with the weaknesses in FAA's monitoring puts the Department's information systems at risk for compromise," the report said.

Investigators learned from FAA and DOT personnel in interviews that "unique authorities and relationships exist between FAA and OCIO," and that coordination took place "at key points" between the DOT OCIO and FAA senior leaders.

Additionally, FAA officials said that DOT's Security Operations Center didn't monitor certain NAS systems because they were classified as industrial control systems rather than as IT. The FAA also said that because of the closed, contained nature of the NAS, which has limited and contractor-monitored entry points, the system "is at a low risk for compromise."

Transportation CIO Richard McKinney pushed back on these findings. "Each year DOT responds to thousands of security incident reports, for the hundreds of systems in the DOT inventory, with no major incident or breach, and no significant impact to a DOT information system," McKinney wrote in reply comments.

The IG was apparently unconvinced, and made four recommendations to change cybersecurity oversight of FAA systems. These include enforcing agency policy to provide Cybersecurity Management Center oversight of all NAS systems or updating policy to reflect the current reporting structure, putting new controls over maintenance access to NAS systems, and having the FAA obtain more visibility into the networks of cloud providers. DOT accepted three of the four recommendations, and came up with an alternative solution that met the intent of the fourth recommendation.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
