Congressman calls on CISA to investigate air travel vulnerabilities after outage
Congressman Ritchie Torres (D-NY) is calling for federal agencies to investigate cybersecurity vulnerabilities in all systems underpinning air travel after a technical glitch last week crippled flights across the country.
Thousands of flights were delayed or canceled last Wednesday, but both the White House and Transportation Secretary Pete Buttigieg were quick to tamp down concerns that the issues were caused by a cyberattack.
At my direction, FAA is continuing its system review. Preliminary work has traced the issue to a damaged database file, with no evidence of a cyber attack.
— Secretary Pete Buttigieg (@SecretaryPete) January 11, 2023
FAA will continue its work to further pinpoint the sources of this issue and steps to prevent it from occurring again.
Several outlets have reported that the outage affecting the Federal Aviation Administration's Notice to Air Mission (NOTAM) system last week was due to a damaged database file. The situation is still under investigation.
The outage reignited concerns about the damage a single cyberattack could have on the country’s air systems, with several recent incidents having exposed the use of antiquated software prone to downtime.
Rep. Torres said the outage at NOTAM – a crucial system that sends real-time alerts to pilots about safety conditions – caused 7,000 flight delays and more than 1,000 cancellations.
He called on the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation (DOT) to investigate the issue.
“Even though the precise cause of the outage has yet to be determined, the breakdown in NOTAM alerts raises concerns about the cyber vulnerabilities of the antiquated systems that undergird modern air travel,” the congressman from New York wrote in a January 12 letter to CISA Director Jen Easterly.
“At a time when cyberattacks are rising in both scope and sophistication, modernizing the cybersecurity of air travel must be a priority for the federal government. 20th century air systems will no longer suffice in a world of 21st century cyber challenges.”
Torres wants CISA to work with the DOT to conduct a joint review of the cyber vulnerabilities of all systems, such as NOTAM and air traffic control.
He added that the two agencies need to figure out what policies can be put in place and what investments can be made to secure air travel systems from threat actors.
I am calling upon DHS & DOT to investigate the cyber vulnerabilities of all systems underlying air travel. The FAA’s system failure led to thousands of flight disruptions.
— Rep. Ritchie Torres (@RepRitchie) January 13, 2023
A 20th century air travel system is destined to fail in a world of 21st century cyber challenges. (1/2) pic.twitter.com/c1zI1zTLEj
"We do not comment on congressional correspondence, and will respond directly to the Congressman," a CISA spokesperson told The Record.
The outage last week put a spotlight on the intricate systems that manage air traffic. Egnyte’s Neil Jones said the situation was an example of the kind of technical debt that the mission-critical airline industry continues to accrue.
This had direct ties to cybersecurity, Jones explained, because aging systems in dozens of industries are ripe targets for criminal and nation-state hackers eager to cause havoc. Investigations into NOTAM's systems found that some of the technology being used is more than 30 years old.
“For every month’s worth of technical debt that the airline industry accrues, potential cyberattackers have more time on their hands to detect flaws in existing software and develop new vulnerabilities that can jeopardize critical infrastructure,” he said.
“And, every technical incident that lacks a hot backup to a secondary system gives cyberattacks even more time and bargaining power. The result is that airlines face a ‘perfect storm’ of operational, customer satisfaction and cybersecurity impacts.”
While U.S. airlines have only faced relatively minor distributed denial-of-service (DDoS) attacks in recent years, other countries have dealt with more damaging incidents.
Hundreds of people were stranded at airports across India in May 2022 after the SpiceJet airline reported a ransomware attack, and that same month the Ragnar Locker ransomware group launched a successful attack against a Portuguese airline. Bangkok Air has similarly faced its own ransomware attack.
Accelya – a technology firm providing services to Delta, JetBlue, United, American Airlines and many more – was attacked by the AlphV/Black Cat ransomware group in August. Jeppesen, a wholly-owned Boeing subsidiary that provides navigation and flight planning tools, dealt with its own cybersecurity incident that caused some flight disruptions in November.
I really doubt you'll find some sinister cyber plot at the root of this FAA thing, but if you're looking for cybersecurity angles I think it's this: we live in an increasingly complex, interdependent system that is prone to unforeseen consequences and cascading failures.
— John Hultquist (@JohnHultquist) January 11, 2023
The White House has organized meetings with aviation industry leaders centered on aviation in recent months as it seeks to bolster cybersecurity protections in key sectors.
The Transportation Security Administration (TSA) has sought to mandate that all cybersecurity incidents experienced by aviation firms are reported to CISA within 24 hours.
But the aviation sector pushed back against some of the rules, arguing that they were onerous.
A recent report found that there were 62 ransomware attacks on global aviation stakeholders in 2020 alone, and the value of ransom demands broke records in 2021.
The European Air Traffic Management Computer Emergency Response Team (EATM-CERT) found the number of reported cyberattacks among airline industry organizations grew 530% from 2019 to 2020. The organization has tracked dozens of attacks against airports and airlines over the last six months.
Tim Morris, chief security advisor at Tanium, told The Record that last week’s incident shows how important air infrastructure is to our way of life.
“Any single point of failure has to be identified and appropriate mediation plans devised and put in place,” he said.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.