Oversight

Air traffic systems need better security monitoring, says watchdog

Shutterstock image (by iconerinfostock): Air traffic control radar. 

The Federal Aviation Administration and its parent agency the Department of Transportation are out of sync when it comes to cybersecurity, according to a critical oversight report.

The DOT inspector general found that the critical National Airspace Systems, which comprise the air traffic control systems for civilian flight, are not properly linked to the agency's Security Operations Center. The IG report blamed the department's CIO office for not pushing compliance with policies that require oversight of 39 NAS systems as well as monitoring of cloud providers used by the FAA. The report also found that the FAA created its own cyber monitoring system for NAS systems in 2013, without consulting the CIO's office.

"OCIO's lack of enforcement of DOT's cyber security policies coupled with the weaknesses in FAA's monitoring puts the Department's information systems at risk for compromise," the report said.

Investigators learned from FAA and DOT personnel in interviews that "unique authorities and relationships exist between FAA and OCIO," and that coordination took place "at key points" between the DOT OCIO and FAA senior leaders.

Additionally, FAA officials said that DOT's Security Operations Center didn't monitor certain NAS systems because they were classified as industrial control systems rather than as IT. The FAA also said that because of the closed, contained nature of the NAS, which has limited and contractor-monitored entry points, the system "is at a low risk for compromise."

Transportation CIO Richard McKinney pushed back on these findings. "Each year DOT responds to thousands of security incident reports, for the hundreds of systems in the DOT inventory, with no major incident or breach, and no significant impact to a DOT information system," McKinney wrote in reply comments.

The IG was apparently unconvinced, and urged four recommendations to change cybersecurity oversight of FAA systems. These include enforcing agency policy to provide Cybersecurity Management Center oversight of all NAS systems, or updating policy to reflect the current reporting structure, putting new controls over maintenance access to NAS systems and for FAA to obtain more visibility into the networks of cloud providers. DOT accepted three of the four recommendations, and came up with a alternative solution that met the intent of the fourth recommendation.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.