The recent 2015 US Government Accountability Office (GAO) report on the Federal Aviation Administration (FAA) is titled “FAA Needs to Address Weaknesses in Air Traffic Control Systems (Accessible Version).” They say they are giving the FAA 168 specific recommendations in the private version of the report that will map out all of the deficiencies the review revealed. Government agencies are reviewed all the time, and many get bad marks when it comes to cybersecurity. Why is this report different?
The very first footnote on the very first page gives us a reason to see this one differently: it cites the phrase “a piece of critical infrastructure” and refers us to the US Patriot Act of 2001. The FAA deserves special attention because of the clear and present danger posed by weaknesses in the security of systems controlling the airplanes in our skies. "The weaknesses that we identified are likely to continue, placing the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk," noted Gregory Wilshusen, director of information security issues at the GAO.
While the reason to pay special attention to the GAO’s FAA security report is clear, the contents of the report show that the FAA isn’t much different than many other organizations when it comes to security for their IT systems. The GAO report notes that the “FAA has not clearly and consistently established roles and responsibilities for information security for NAS [National Airspace System] systems” and that the “FAA does not have a strategic plan for information security that is up to date and reflects current conditions.” In short, the GAO doesn’t feel the FAA has a plan or an adequately coordinated team to make or enforce such a plan. It’s likely that many reading this feel pangs of empathy, just as I did. Maybe your organization can’t relate to the special position the FAA holds in the overall US infrastructure, but it’s certain you will be able to relate to the challenges they face as they try to establish secure IT operations.
Security Problems Start As People Problems
People are always the weakest part of any system’s security. The FAA’s security is no different. This comes through in several ways. There are deficiencies in the blocking and tackling of everyday security. Three of the fourteen recommendations the GAO makes to the FAA in the recommended executive actions are focused on training and awareness. They specifically call out contractors, incident response staff, and “all staff with significant security responsibilities.” Reading between the lines a bit, it’s easy to assume that the staff with significant security responsibilities is administrators. Administrators are one of the hardest classes of user to control from a security standpoint. They’ve got the security equivalent of a teleporter to make their way around the IT infrastructure, but good security practice wants them to walk the hallways and badge in at every door. While some contractors may need to be made aware of FAA specific policies and incident response folks need constant refreshers to stay ahead of the bad guys, administrators often know perfectly well when and how their elevated rights pose a risk. However, they may be so busy that they use the shortcuts their powers give them, despite that risk.
Where effective security is able to control administrators and keep everyone well educated about policies and trends, you can be sure there is a focused effort centered on up to date security education and communication. That kind of effort costs money. If you’ve ever felt that you didn’t have the funding for security efforts like this, then you and the FAA are in the same boat. There are several hints that their security program doesn’t get the kind of funding it would need for this proactive security education. In fact, it seems they are in the awkward position of begging for scraps:
“According to ATO officials, the NAS incident response organization, NCO, has limited capabilities and available staff because it is required to obtain funding from other program units within ATO, which have different priorities.”
Even where it’s most critical, security is a budgetary afterthought. If you don’t have enough incident responders to handle the incidents, then you won’t have enough time to rotate those people through the training they need to stay ahead of emerging threats. When you don’t control your own budget destiny, then you can’t make a plan.
The people problems start at the top for the FAA’s security program. It’s not hard to understand why they have issues getting staff in line and paid for once you see the state of leadership in the security program. Page 9 of the report, 318 words, is entirely dedicated to spelling out the complex structure of security leadership within the FAA. Like any large organization, there are many divisions with differing charters at the FAA. Each one seems to have a little piece of the security function. The FAA recently put a “cyber security steering committee” in place as an attempt to unify their approach, but the GAO quickly points out that “roles and responsibilities remain unclear, and AIT (Advanced Implementation Technologies) and ATO (Air Traffic Organization) officials continue to disagree on who should be responsible for the security of NAS systems. I would bet good money that the argument isn’t both sides insisting that they should own the responsibility for critical systems related to national security. If an organization has any hope of getting serious problems addressed, they need to have clear lines of responsibility. Security at the FAA is a serious problem, but it isn’t clear who owns that problem. Problems without people to own them don’t often find solutions.
Processes and Practices Are Also a Security Focus
The two most important elements of healthy cybersecurity are people and practices. We’ve seen the hints and headlines in the GAO report on FAA security about problems with personnel. There are also quite a few that point to issues with the FAA security processes. Some of these concerns seem to be rooted in the tensions between making the IT systems work well for their users and trying to keep them secure at the same time. It’s the classic tension between security and ease of use. Most of the “significant security control weaknesses" cited in the report are problems that are all too common, problems which you will no doubt recognize as things your organization struggles with as well.
Security is the art of controlling access. It’s clear that the GAO thinks the FAA is failing to raise their security to an art form. After detailing several detailed failings, they sum up the overall issue:
“Without adequate access controls, unauthorized users, including intruders and former employees, can surreptitiously read and copy sensitive data and make undetected changes or deletions for malicious purposes or for personal gain.”
Since we’re dealing with the FAA, it’s no surprise there’s a focus on “malicious purposes.” But the GAO is thorough here, and remembers that there are likely all manner of schemes that may plot to steal PII or leverage access to FAA systems to learn information to be used in other criminal enterprises (what could organized crime do with the exact position of every private jet in the US skies?). While your organization may not have to worry about managing data as interesting as that, there are other elements here which speak to very common process issues.
One that struck me was that this includes “former employees” as one of the classes of people that requires special attention. Provisioning, one of the operational origins of identity management, has morphed into a critical security concern as systems have become more connected to each other and the outside world. Where a former employee was once only a concern if they kept a key and could sneak back onto systems in a building, today if not properly deprovisioned a former employee could use their lingering access to do serious damage. Concerns about both deprovisioning former employees and changing access as users move within an organization is one of the most common worries.
The interconnectedness of systems is also a potential threat even if all the access is provisioned well. While granting users network access to systems produces huge benefits, it also creates risks. The GAO points out that “integrating critical infrastructure systems with information technology networks provides significantly less isolation from the outside world than predecessor systems, creating a greater need to secure these systems from remote, external threats.” You want to have users, especially administrative users; able to do as much as possible from where they happen to sit. This allows you to recruit the best people wherever they may be, and let them work with the systems where they can have the best impact.
This falls into conflict immediately with good security practices, which want to isolate critical systems from as much potential harm as possible. Here the FAA once again looks like just about every other organization on earth that attempts to harness the full power of IT. While many organizations may choose to simply take their lumps from their auditors on points like this in order to have the positive revenue benefits of highly networked systems, we are forced to ask if an organization with as critical a charter as the FAA’s should also be allowed to make that choice.
“Certain network devices supporting NAS systems did not always encrypt authentication data when transmitting them across the network and other systems did not always encrypt stored passwords using sufficiently strong encryption algorithms in compliance with FIPS 140-2,” the GAO writes. Since most of us will never see the detailed report of the deficiencies, we have to guess at exactly what this means. If we continue to assume the FAA isn’t that much different than other organizations, then we can make some educated guesses.
Many times, third-party systems don’t design as securely as we’d like. Systems developed by organizations for their own needs make the same errors. Both do this for the same reasons. Most systems aren’t built to be perpetually secure; they’re built to fill a need. Again, security is an afterthought. One thing you hear from many organizations is that the user demand for mobile connectivity to systems is a big offender in storing and transmitting authentication details securely. You can almost hear the arguments in FAA conference rooms about specialists and executives who are always on the run demanding access on their phones and tablets and how that has to be balanced with the sensitive security needs of their NAS systems. You may have been in meetings exactly like that yourself.
Is The FAA A Mirror?
When reports like the GAO’s come to light and point out the flaws in security at a critical agency like the FAA, it’s very easy to climb up on a high horse and judge. Yes, it’s true that organizations like the FAA should be held to a high standard. That’s exactly why organizations like the GAO exist. What you need to ask yourself is where does the vitriol come from?
Are we truly so upset that the FAA has these issues or are we also a bit upset by this because we see so much of our own security efforts in the failures of the FAA? What would we think if the government wanted to raise airfare taxes to increase the FAA budget by an order of magnitude so that they could close these security gaps? As we go to our executives for funding to better our own security posture, we should ponder that. Those who live in glass firewalls should not throw stones.
About the Author:
Jonathan Sander is STEALTHbits’s Strategy & Research Officer. He is responsible for steering the direction of the company through corporate development and the products through product management. This involves working extensively with all STEALTHbits’s clients and partners. As part of Quest Software from 1999 through 2013, He worked with the security and ITSM portfolios. He helped launch Quest’s IAM solutions, directing all business development & product strategy efforts. Previous to that, Jonathan was a consultant at Platinum Technology focusing on the security, access control and SSO solutions.
