The FAA cites a software glitch after grounding thousands of flights. Zero Trust mitigates at-risk and outdated software vulnerabilities.
By Walt Szablowski, PE
At the start of 2023, the Federal Aviation Administration (FAA) grounded all flights scheduled to depart the U.S. After several hours of anxious nationwide speculation, the FAA cited an accidentally deleted file as the culprit. This did not restore faith in the FAA or the federal government. Cyberattacks are a universal concern. Zero Trust Architecture mitigates omnipresent cyber threats and ensures the security and integrity of complex computer networks.
It’s the last thing air travelers want to hear: their flight is delayed, or worse yet, canceled. On January 11, 2023, 10,000 flights were delayed, and over 1,300 were canceled. [1] The disruption of normal flight operations was a result of a nationwide Ground Stop (GS) ordered by the FAA, pausing all domestic flight departures and requiring all aircraft to remain on the ground. A GS is usually called due to severe weather, equipment failure, or a catastrophic event. [2]
Considering the last time this occurred was on September 11, 2001, news of the event spread quickly worldwide. Could it be another terror attack? The GS lasted 90 minutes, plenty of time for talking heads on the news to opine on the cause, typically arriving at the worst-case scenario for the stoppage. On that day at 6:30 pm EST, the FAA announced that it had traced the outage to a damaged database file in the Notice to Air Missions (NOTAM) system and assured the nation that there was no evidence of a cyberattack. [3] A NOTAM notifies all essential flight operations personnel that a component of the National Air System (NAS) is not operating normally. [4]
The FAA pinpointed the source of the glitch in the NOTAM system as the blunder of one engineer inadvertently replacing one file with another. [5] The software currently running the NOTAM system was installed in 1993 and is not scheduled to be updated for another six years. [6] In 2019, the U.S. Government Accountability Office (GAO) analyzed 65 federal legacy IT systems. In 10 government agencies, including the Department of Defense and the Treasury, the IT systems were found to be 8 to 51 years old and cost roughly $337 million annually to maintain. [7]
By 2025, the global cost of cybercrime is estimated to reach an annual rate of $10.5 trillion. [8] In 2022, a single cyberattack on a business — malware, ransomware, phishing, or corporate account takeover — was estimated to cost an average of $18,000. [9] A security breach can continue to hurt a business years after the initial attack. Some statistics on the reputational cost of a data breach to a company found that compromised businesses experienced 46% harm to credibility, an 81% loss of their consumer base, and nearly 60% went out of business. [10]
Zero Trust Architecture provides vigilant and constant oversight of software supply chain security by always anticipating internal and external threats to the network. For government agencies and private organizations, the implementation of Zero Trust provides a security framework that demands continuous validation, authentication, and authorization for all attempted access inside and outside the computer network. Zero Trust is the gatekeeper and guardian for all software components along the supply chain.
In 2021, the White House issued Executive Order 14028: Improving the Nation’s Cybersecurity. The EO requires federal agencies to strengthen cybersecurity and software supply chain integrity by adopting Zero Trust Architecture, multifactor authentication, and encryption. [11] Federal agencies must comply by 2024. [12] CISA’s Zero Trust Maturity Model is designed to support government agencies in developing and implementing Zero Trust strategies and solutions. [13]
If the FAA had already had a Zero Trust system in place, its risk analysis tools would have detected the importance of the file in question and recognized the potential consequences of its failure; a backup system would then have kicked in until the primary system was fixed.
Whether it’s nuclear secrets or a company’s proprietary information, the application of Zero Trust requires an automated, continuous, and repeatable management process.
To successfully achieve the assurances of Zero Trust, there need to be specific guidelines and tools that automatically provide all of the necessary data, manage process workflows, and incorporate real-time progress reporting. It’s not “one and done.” Every organization must design a security system with its own unique requirements in mind.
What are the objectives and goals of the organization’s Zero Trust program? What networks, endpoints, systems, and people are involved? What are the greatest risks and priorities? All activities and tasks need to be defined, automated, and verified. Vulnerabilities need to be identified and mitigated before they can be exploited by malicious cyber threats. And that demands vigilance. Comprehensive cybersecurity requires Zero Trust Architecture that is clearly defined, managed, and constantly evolving. It’s one thing to design a process and another to make sure that it’s actually taking place through constant reporting.
Successful execution requires complete network visibility within a single management and reporting platform. Zero Trust Architecture is not one-size-fits-all. Every organization has its own operation-specific needs, challenges, and vulnerabilities.
The failure of the NOTAM system was a preventable embarrassment for the FAA and the federal government. Zero Trust ensures vulnerability assessment, management, and mitigation, whether it’s a cyber attack or a keystroke error.
Never trust. Always verify.
About the Author
Walt Szablowski is the Founder and Executive Chairman of Eracent and serves as Chair of Eracent’s subsidiaries (Eracent SP ZOO, Warsaw, Poland; Eracent Private LTD in Bangalore, India, and Eracent Brazil LTDA). Eracent helps its customers meet the challenges of managing IT network assets, software licenses, and cybersecurity in today’s complex and evolving IT environments. Eracent’s enterprise clients save significantly on their annual software spend, reduce their audit and security risks, and establish more efficient asset management processes. Eracent’s client base includes some of the world’s largest corporate and government networks and IT environments. Dozens of Fortune 500 companies rely on Eracent solutions to manage and protect their networks. Visit https://eracent.com/