Federal Aviation Administration (FAA) is responsible for overseeing the US National Airspace System, which comprises ATC systems, procedures, facilities, and aircraft, and the people who operate them. FAA is implementing Next Generation Air Transportation System (NextGen) to move the current radar-based air-traffic control (ATC) system to one that is based on satellite navigation and automation. It is essential that FAA ensures effective information-security controls are incorporated in the design of NextGen programs to protect them from threats.
As the agency transitions to the NextGen, FAA faces cybersecurity challenges in at least three areas: (1) protecting ATC information systems, (2) protecting aircraft avionics used to operate and guide aircraft, and (3) clarifying cybersecurity roles and responsibilities among multiple FAA offices.

• FAA has taken steps to protect its ATC systems from cyber-based threats; however, significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system. FAA will continue to be challenged in protecting ATC systems because it has not developed a cybersecurity threat model to identify potential threats to information systems, and as a basis for aligning cybersecurity efforts and limited resources.

• Modern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems. As part of the aircraft certification process, FAA’s Office of Safety (AVS) currently certifies new interconnected systems through rules for specific aircraft and has started reviewing rules for certifying the cybersecurity of all new aircraft systems.

• FAA is making strides to address the challenge of clarifying cybersecurity roles and responsibilities among multiple FAA offices, such as creating a Cyber Security Steering Committee to oversee information security.

FAA’s acquisition management process generally aligned with federal guidelines for incorporating requirements for cybersecurity controls in its acquisition of NextGen programs. The process included the six major information-technology and risk-management activities as described by NIST. The Surveillance and Broadcast Services Subsystem (SBSS)—which enables satellite guidance of aircraft and is currently deployed in parts of the nation—has not adopted all of the NIST security controls, such as intrusion detection improvements. Systems with weaknesses that could be exploited by adversaries may be at increased risk if relevant controls are not implemented.


Vippan Raj Dutt


Starts at Saturday December 19 2015, 11:30 AM. The sessions runs for about 1 hour.