Air traffic systems need better security monitoring, says watchdog

The Federal Aviation Administration and its parent agency the Department of Transportation are out of sync when it comes to cybersecurity, according to a critical oversight report.

The DOT inspector general found that the critical National Airspace Systems, which comprise the air traffic control systems for civilian flight, are not properly linked to the agency's Security Operations Center. The IG report blamed the department's CIO office for not pushing compliance with policies that require oversight of 39 NAS systems as well as monitoring of cloud providers used by the FAA. The report also found that the FAA created its own cyber monitoring system for NAS systems in 2013, without consulting the CIO's office.

"OCIO's lack of enforcement of DOT's cyber security policies coupled with the weaknesses in FAA's monitoring puts the Department's information systems at risk for compromise," the report said.

Investigators learned from FAA and DOT personnel in interviews that "unique authorities and relationships exist between FAA and OCIO," and that coordination took place "at key points" between the DOT OCIO and FAA senior leaders.

Additionally, FAA officials said that DOT's Security Operations Center didn't monitor certain NAS systems because they were classified as industrial control systems rather than as IT. The FAA also said that because of the closed, contained nature of the NAS, which has limited and contractor-monitored entry points, the system "is at a low risk for compromise."

Transportation CIO Richard McKinney pushed back on these findings. "Each year DOT responds to thousands of security incident reports, for the hundreds of systems in the DOT inventory, with no major incident or breach, and no significant impact to a DOT information system," McKinney wrote in reply comments.

The IG was apparently unconvinced, and urged four recommendations to change cybersecurity oversight of FAA systems. These include enforcing agency policy to provide Cybersecurity Management Center oversight of all NAS systems, or updating policy to reflect the current reporting structure, putting new controls over maintenance access to NAS systems and for FAA to obtain more visibility into the networks of cloud providers. DOT accepted three of the four recommendations, and came up with a alternative solution that met the intent of the fourth recommendation.