The security of America’s critical infrastructure has been a subject of debate for some time. Now, a new Government Accountability Office (GAO) report (Information Security: FAA Needs to Address Weaknesses in Air Traffic Control Systems) has declared that “significant” cybersecurity weaknesses at the Federal Aviation Administration (FAA) are “threatening the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system (NAS).”
The GAO notes that, although the FAA had “taken steps to protect its air traffic control systems from cyber-based and other threats”, there were “weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA’s systems.”
The report also found that the FAA “did not fully implement its agency-wide information security program”, as required by the Federal Information Security Management Act of 2002 (FISMA), and that its information security strategic plan had not been updated since 2010.
Organization-wide approach to information security risk
“The weaknesses in FAA’s security controls and implementation of its security program existed, in part, because FAA had not fully established an integrated, organization-wide approach to managing information security risk that is aligned with its mission”, the report continued.
“Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.”
Weaknesses in the NAS controls leave the systems that coordinate the country’s air traffic exposed to attack. The GAO stops short of describing specific attack scenarios, but the risk it identifies is to the “safe and uninterrupted operation” of the air traffic control system: an intruder who can reach NAS systems across poorly protected boundaries, under weak authentication and with little monitoring, is a threat to the reliability of the information controllers and pilots depend on, and a prolonged disruption of that information would be a national problem rather than an IT problem.
The GAO makes 17 recommendations, including implementing cybersecurity staff awareness training, ensuring that security controls are adequately tested to determine whether they are in place and working effectively, and ensuring that incident response plans are documented and tested.
An information security management system (ISMS) gives an organization a structured way to act on all of these recommendations, as well as to address the broader weaknesses highlighted by the GAO report: it ties risk assessment, control selection, testing of controls, incident response and management review together into one managed process rather than a set of disconnected projects.
ISO 27001, the international standard for information security management systems, provides an organization-wide framework for risk-based information security that can be employed by organizations of all types, locations and sizes, whatever their budget or the timescale of the project.
To see how IT Governance’s fixed-price ISO 27001 Packaged Solutions can help you implement an ISMS in your organization and achieve certification to the Standard, click here >>