In a November 2, 2009 Report issued by the Department of Transportation Office of Inspector General (“OIG”), the OIG discussed its review of the FAA’s renewed initiatives in addressing air traffic control (ATC) systems security weaknesses. The report noted that Homeland Security Presidential Directive (HSPD)–7 designates ATC systems as part of the Nation’s critical infrastructure which the FAA must protect by preventing disruption wherever possible and minimizing disruptions when they do occur. The OIG’s audit objectives were to “determine FAA’s progress in correcting security weaknesses previously identified in the air traffic control (ATC) system by assessing (1) the status of Business Continuity Plan implementation and (2) the enhanced methodology used in the certification and accreditation of air traffic control systems security at operational sites.”
The audit revealed that several unresolved technical challenges (staffing issues and funding requirements) could delay ATC recovery site readiness. It also found that the FAA’s process of reviewing ATC systems security, although enhanced from previous levels, are still not properly carried out to ensure security protection of operational ATC systems. The report concludes with eight recommendations for the FAA:
- Conduct testing to ensure that radar signals will not be lost or disrupted when using modems and telephone/fax lines to send radar data to the recovery site.
- (a) Develop a detailed plan addressing how FAA will install network connections between radio towers and the recovery site through the local exchange carrier during BCP operations, and (b) conduct tests to ensure that communications through the new connection can meet the latency (speed) requirements for air travel safety.
- Develop a plan to address human integration issues such as relocating and housing air traffic controllers at the Technical Center recovery site on a long-term basis.
- Conduct a credible cost estimate for testing the integrity of the alternate methods of re-routing radar and voice communication signals to the recovery site, and addressing human integration issues at the recovery site. Use such analysis to secure funding accordingly to complete the business continuity plan.
- Assess the potential impact on air travel of losing each, or at least the most critical, en route centers for 3 weeks, and provide the results to the Secretary of Transportation in support of HSPD–7.
- Enhance the site-selection process by requiring (a) thorough reviews of site- system configuration to ensure that sites that pose the greatest risk of unauthorized hardware/software configurations are selected for review and (b) documented justification for the sites selected for review.
- Enhance training on on-site review by requiring review teams to conduct examination and/or testing to verify that required security controls are in place at operational sites.
- Increase oversight of the on-site review process to ensure that all security control checks on the questionnaires are completed or properly justified if not reviewed.
The report notes that the FAA concurred with the OIG’s recommendations and “has begun to take appropriate or alternative corrective actions and provided acceptable target dates for completing these actions.” For more information on the FAA’s responses to the OIG’s recommendations, including explanations of actions taken and actions yet to be completed, you may review them at the end of the report.