GAO: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen

Editor’s Note: The complete report GAO-15-370 is available here. Below are excerpts.

From: GAO

FAA faces cybersecurity challenges in at least three areas: (1) protecting its air traffic control (ATC) information systems, (2) securing aircraft avionics used to operate and guide aircraft, and (3) clarifying cybersecurity roles and responsibilities among multiple FAA offices. FAA has taken several steps to address these challenges, but cybersecurity experts suggested additional actions FAA could take to enhance cybersecurity.

 

New networking technologies connecting FAA’s ATC information systems expose these systems to new cybersecurity risks, potentially increasing opportunities for systems to be compromised and damaged. Such damage could stem both from attackers seeking to gain access to and move among information systems, and from trusted users of the systems, such as controllers or pilots, who might inadvertently cause harm.

 

Twelve of our 15 cybersecurity experts discussed enterprise-level holistic threat modeling, and all 12 agreed that FAA should develop such a model to strengthen cybersecurity agency-wide. NIST and the 12 experts we consulted said that threat modeling, a cybersecurity best practice, enables an organization to identify known threats, including insider threats, across its organization and align its cybersecurity efforts and limited resources accordingly to protect its mission. NIST guidance also states that an integrated, agency-wide view for managing risk can address the complex relationship among missions, the business processes needed to carry out missions, and the information systems supporting those missions and processes. NIST also recommends organization-wide threat modeling, assessment, and monitoring because an agency-wide threat model would help to identify all known threats to information systems, allowing an agency to further identify vulnerabilities in those systems.
