On January 11, 2023, the Federal Aviation Administration (FAA) in the United States issued a ground stop order due to the Notice to Air Mission (NOTAM) system being unavailable because of a software update issue.
The NOTAM system is one of the flight planning tools pilots use to check for any adverse impacts to flights, such as runway construction, deicing, weather along the route, and other key pieces of information critical to keeping the flight safe and comfortable for passengers.
Reports indicate the system broke down late on January 10, leading to the cancellation of over 1,000 flights and more than 6,000 delays. According to CNN, a corrupted file server was the source of the problem. This server required a 90-minute reboot but did not come back online properly.
This incident highlights the two main challenges facing critical infrastructure:
The need to reduce technical debt
The persistent risk of cybersecurity incidents
Technical debt is what happens when speed to production is prioritized over quality or security. Reducing technical debt requires a combination of technical, process, and cultural changes. It is an ongoing challenge that demands regular attention and commitment from the entire organization. To reduce technical debt, it is essential to have a clear understanding of the sources of technical debt in your organization. These sources may vary widely and can include shortcuts taken during development, lack of proper documentation, or a lack of attention to long-term maintainability. If left unaddressed, technical debt can significantly affect an organization's ability to innovate, respond to changing business needs, and remain secure in the face of evolving threats.
The very nature of critical infrastructure systems - for instance, the need to support millions of travelers every day - makes it particularly difficult to address issues that arise. Taking a system offline for a quick refresh or update is simply not possible when something as crucial as flight safety is at risk. Add in the challenges of allocating budget, and a vicious cycle of inaction is likely to emerge. Technical debt may be impossible to avoid entirely, but reducing its impact is a worthy goal with real-world benefits.
When the FAA outage story broke, there was widespread suspicion that it was a cyberattack. Fortunately, this particular incident does not appear to have been malicious. The White House Press Secretary even stated there was no evidence of a cyberattack behind the outage.
Still, it was not unreasonable to jump to the conclusion that nefarious actors were at play in the FAA outage. After all, there was a 560% annual increase in aviation cyberattacks over the past year, according to the European Organization for the Safety of Air Navigation. Aviation systems and other critical infrastructure are susceptible to an extensive range of cyberthreats, from ransomware to denial-of-service attacks.
And when it comes to the potential consequences of such attacks, it's hard to overstate the danger. Beyond reputational damage and financial losses, the real threat if critical systems are compromised is to human life and safety. Paradoxically, it is the essential nature of these systems, plus the vulnerable, aging infrastructure they run on, that makes them such a tempting target for cybercriminals.
As an OT security specialist who happens to love air travel, the FAA outage news caught my attention on both the professional and personal levels. I am grateful that no people were harmed and that the outage was short-lived, if terribly inconvenient for those affected. Thankfully, as should be the case in aviation, there were multiple redundancies, and pilots were able to safely navigate their aircraft and passengers to their destinations. And, in the best-case scenario, this incident may just provide the impetus for critical infrastructure organizations to address their technical debt and further harden their systems against cyberattacks.
Kevin Kumpf has more than 20 years of IT security and compliance experience, including over 10 years of cybersecurity, governance and critical infrastructure experience working in the energy, medical, manufacturing, transportation and FedRAMP realms. Kevin's past roles include Director of OT Security (N.A.) for Iberdrola, where he oversaw the security and regulatory compliance of multiple OpCos, and Principal Security and Regulatory Lead for interactions with the NY and NE ISOs, NERC, ISACs, as well as state and federal entities. He has also worked internally and as a vendor/consultant at multiple healthcare and manufacturing entities to mitigate the threats they were under in relation to ransomware, insider threats and malware infestation. Today Kevin works as the OT Technical Lead at Cyolo.