Oversight

Air traffic systems need better security monitoring, says watchdog


The Federal Aviation Administration and its parent agency the Department of Transportation are out of sync when it comes to cybersecurity, according to a critical oversight report.

The DOT inspector general found that the critical National Airspace Systems, which comprise the air traffic control systems for civilian flight, are not properly linked to the agency's Security Operations Center. The IG report blamed the department's CIO office for not pushing compliance with policies that require oversight of 39 NAS systems as well as monitoring of cloud providers used by the FAA. The report also found that the FAA created its own cyber monitoring system for NAS systems in 2013, without consulting the CIO's office.

"OCIO's lack of enforcement of DOT's cyber security policies coupled with the weaknesses in FAA's monitoring puts the Department's information systems at risk for compromise," the report said.

Investigators learned from FAA and DOT personnel in interviews that "unique authorities and relationships exist between FAA and OCIO," and that coordination took place "at key points" between the DOT OCIO and FAA senior leaders.

Additionally, FAA officials said that DOT's Security Operations Center didn't monitor certain NAS systems because they were classified as industrial control systems rather than as IT. The FAA also said that because of the closed, contained nature of the NAS, which has limited and contractor-monitored entry points, the system "is at a low risk for compromise."

Transportation CIO Richard McKinney pushed back on these findings. "Each year DOT responds to thousands of security incident reports, for the hundreds of systems in the DOT inventory, with no major incident or breach, and no significant impact to a DOT information system," McKinney wrote in reply comments.

The IG was apparently unconvinced, and made four recommendations to change cybersecurity oversight of FAA systems. These include enforcing agency policy to provide Cybersecurity Management Center oversight of all NAS systems, or updating policy to reflect the current reporting structure; putting new controls over maintenance access to NAS systems; and having the FAA obtain more visibility into the networks of cloud providers. DOT accepted three of the four recommendations, and came up with an alternative solution that met the intent of the fourth recommendation.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
