At the Start of 2023, the FAA Grounded Planes Nationwide Due to a Computer Glitch; Is It Any More Secure Now?
By Walt Szablowski, Founder and Executive Chairman, Eracent
Just a few months ago, the FAA grounded all flights across the nation resulting in thousands of flight delays. There was a subdued panic as the country theorized the possible and unsettling scenarios that would have led to such an extreme measure; a glitch in the system was not one of them. But that was the official determination by the FAA. How could one accidentally deleted file have such a profound impact on the largest transportation agency of the U.S. government? The White House is pushing toward Zero Trust Architecture to target the cybersecurity vulnerabilities that can so easily be exploited.
Nationwide Ground Stop. What Happened?
On January 11, 2023, the FAA initiated a nationwide Ground Stop (GS).1 This response was a drastic measure on the part of the FAA and has not been implemented on a nationwide scale since the unprecedented terrorist attacks carried out on September 11, 2001.2 A GS is initiated reactively due to severe weather, equipment failure, or a catastrophic event.
Speculation ran rampant on that day. Was it another terrorist attack? A cyberattack? The response from the FAA did little to assuage the media or the public at large. The FAA attributed the GS to an overnight outage that disrupted the Notice to Air Missions (NOTAM) System.3 NOTAM issues real-time alerts triggered by any abnormal status of the National Airspace System to prevent air disasters.4
One Unintentionally Deleted File?
So, what happened? Federal aviation officials reported this thoroughly avoidable debacle was a result of one engineer performing routine maintenance who accidentally replaced one file with another.5 This event was a catastrophic failure of the FAA’s software fail-safe infrastructure. Was there no backup system in place?
The U.S. Department of Transportation Office of the Inspector General issued a report citing the ongoing challenges integrating the FAA’s Next Generation Air Transportation System due to extended program delays. Case in point; a planned modernization of the antiquated practice of air traffic controllers using paper flight strips to track aircraft is not expected to take effect until 2029.6
EO 14028
On May 12, 2021, the White House issued Executive Order 14028: Improving the Nation’s Cyber Security, requiring federal agencies to enhance cybersecurity and software supply chain integrity by adopting Zero Trust Architecture and mandating the deployment of multifactor authentication encryption.7 The effective date for compliance by all civilian government agencies is September 2024.8
Never Trust. Always Verify.
Zero Trust Architecture eliminates blind faith in all components of the cybersecurity supply chain relationships by always presuming the presence of internal and external network threats. The Cybersecurity and Infrastructure Security Agency (CISA) is currently examining legacy government cybersecurity programs. CISA’s Zero Trust Maturity Model aims to assist government agencies in developing and implementing Zero Trust strategies and solutions.9
If the FAA already had a Zero Trust system in place, this isolated area of vulnerability in the NOTAM system would have been immediately flagged. The necessary controls would instantly switch to the backup system in real time.
No Process = No Cybersecurity
The theoretical implementation of a Zero Trust model is only as effective as the process that monitors it and distills it into a structured and auditable process. It requires a comprehensive framework that supports, expedites, and coalesces all networks and endpoints along with their components, software applications, organizational data, policies, and audit-risk analysis.
Traditional security approaches automatically conclude that all software components are secure once they gain access to the network. In a Zero Trust configuration, every component must continually prove that it can be relied upon. Its application on a federal and corporate level is a critical IT initiative to prevent systemwide failures like what happened to the FAA.
What Needs To Be Protected?
Most importantly, businesses and government agencies need to define what they need to protect to design a cybersecurity system that fits and supports each organization’s unique requirements. It’s all about risk analysis. What is the size of the network? What software is on the network? What data is on the network, and where is it? Vulnerabilities need to be identified and mitigated before they can be exploited. And that requires vigilance. Holistic cybersecurity requires Zero Trust Architecture that is clearly defined, managed, and constantly evolving. It’s one thing to design a process and another to make sure that it’s actually happening through constant reporting.
Most companies expect their cybersecurity software to fail, assuming the fault lies within their organization, prompting them to try something else. Zero Trust is not “one and done.” Successful execution requires complete network visibility within a single management and reporting platform in an automated and repeatable process.
Zero Trust vs. VPN
No one is safe from cyber threats. Any organization that sells or uses software must be vigilant. Although the FAA denies that the NOTAM system was hacked, its current lack of Zero Trust Architecture leaves it open to cybersecurity threats.
Cyber threats come in many forms — malware, ransomware, phishing, or corporate account takeover. For corporate cybersecurity that relies on Virtual Private Networks (VPNs), a compromised external device could infect an entire network. With the increased prevalence of remote and hybrid workers, VPN vulnerabilities are becoming more apparent.10 VPNs are contained within the network’s perimeter, permitting only users with access to engage with the network, assuming that anything within the boundary can be trusted.
Zero Trust takes the opposite approach, assuming nothing and no one can be trusted. It oversees the entire network and serves as the gatekeeper demanding continuous authorization to gain entry. It is imperative for organizations to implement technologies that are built on a well-defined and scheduled process that is routinely tested.
Hackers Could Be a NASDAQ Company Today
Cyberattacks have become so commonplace that corporations consider dealing with the constant threat as a cost of doing business, like dealing with the mafia. A new breed of ‘ethical hackers’ use ransomware attacks to bully companies by demanding money to restore access to their network. The amount demanded is ‘reasonable’ in that it won’t put the target organization out of business. After all, hackers want repeat customers too.
There is less noise in the media about major hacks because the hackers don’t want to garner too much attention; they want to build up their clientele. Hacking is a business in its own right.
Is the FAA Any More Secure?
The FAA NOTAM system is reportedly 30 years old and at least six years away from being updated.11 The good intentions of EO 14028 can only become a reality if there are consequences for failing to implement it. Execution of the mandate is complicated, confusing, and time-consuming, and if there is no penalty for being hacked, there is no motivation to follow through on the initiative.
The FAA shutdown is a wake-up call that all government agencies and civilian organizations need to answer.
About the Author
Walt Szablowski is the Founder and Executive Chairman of Eracent and serves as Chair of Eracent’s subsidiaries (Eracent SP ZOO, Warsaw, Poland; Eracent Private LTD in Bangalore, India, and Eracent Brazil) . Eracent helps its customers meet the challenges of managing IT network assets, software licenses, and cybersecurity in today’s complex and evolving IT environments. Eracent’s enterprise clients save significantly on their annual software spend, reduce their audit and security risks, and establish more efficient asset management processes. Eracent’s client base includes some of the world’s largest corporate and government networks and IT environments. Dozens of Fortune 500 companies rely on Eracent solutions to manage and protect their networks. Visit https://eracent.com/.