On January 11, 2023, the Federal Aviation Administration (FAA) made a decision that hadn’t been implemented on a nationwide scale since the terrorist attacks on September 11, 2001. The FAA initiated a nationwide Ground Stop (GS), which resulted in thousands of flight delays and left the country in a state of panic and confusion.
Speculation ran rampant as people tried to make sense of the situation. Was it another terrorist attack? A cyberattack? The FAA’s response did little to calm public fears. The agency attributed the GS to an overnight outage that disrupted the Notice to Air Missions (NOTAM) system, which issues real-time safety alerts to pilots and crews to prevent air disasters.
It was later revealed that the cause of the outage was an unintentional mistake made by an engineer during routine maintenance. One file was accidentally replaced with another, causing a catastrophic failure of the FAA’s software fail-safe infrastructure. This raised questions about the lack of backup systems and the challenges the FAA faces in modernizing its air traffic control practices.
Incidents like this are exactly what Executive Order 14028, issued by the White House on May 12, 2021, was meant to address. The order required federal agencies to enhance cybersecurity and software supply chain integrity through the adoption of Zero Trust Architecture. This approach eliminates blind faith in any component of the cybersecurity supply chain and assumes that threats are present both inside and outside the network.
The Cybersecurity and Infrastructure Security Agency (CISA) is currently examining legacy government cybersecurity programs and developing a Zero Trust Maturity Model to assist government agencies in implementing Zero Trust strategies. If the FAA had a Zero Trust system in place, the vulnerability in the NOTAM system would have been immediately flagged, and the necessary controls would have switched to the backup system in real time.
However, implementing a Zero Trust model is not just about the technology itself. It requires a comprehensive framework that supports and coalesces all networks and endpoints, along with their components, software applications, data, policies, and audit-risk analysis. Without a structured and auditable process, the effectiveness of the model is compromised.
Additionally, organizations must define what needs to be protected and conduct risk analysis to design a cybersecurity system that fits their unique requirements. Vigilance is key in identifying and mitigating vulnerabilities before they can be exploited. Zero Trust is an ongoing process that requires constant monitoring and reporting to ensure its effectiveness.
One common cybersecurity approach that is being challenged is the use of Virtual Private Networks (VPNs). VPNs rely on trust within the network perimeter, assuming that anything inside the boundary can be trusted. However, with the increase in remote and hybrid work, the weaknesses of this perimeter model have become more apparent. Zero Trust takes the opposite approach: it assumes that no user or device can be trusted by default and continuously verifies and authorizes every request for access to network resources.
Cyberattacks have become increasingly common, with attackers using ransomware to bully companies into paying to regain access to their own networks and data. These attacks have become a cost of doing business for many organizations. The FAA’s outdated NOTAM system leaves it vulnerable to cybersecurity threats.
The FAA shutdown serves as a wake-up call for all government agencies and civilian organizations to take cybersecurity seriously. The implementation of Zero Trust Architecture and compliance with cybersecurity mandates must come with consequences to motivate organizations to prioritize their cybersecurity efforts.
In conclusion, the FAA’s nationwide Ground Stop was a result of an unintentional mistake that exposed the vulnerabilities in the agency’s cybersecurity infrastructure. It highlights the need for organizations to adopt a Zero Trust approach and prioritize cybersecurity to prevent systemwide failures and protect critical infrastructure.