What the FAA Outage Reveals About the State of Critical Infrastructure

Kevin Kumpf

On January 11, 2023, the Federal Aviation Administration (FAA) in the United States issued a ground stop order because the Notice to Air Missions (NOTAM) system was unavailable due to a software update issue.

The NOTAM system is one of the flight planning tools pilots use to check for any adverse impacts to flights, such as runway construction, deicing, weather along the route, and other key pieces of information critical to keeping the flight safe and comfortable for passengers.  

Reports indicate the system broke down late on January 10, leading to the cancellation of over 1,000 flights and more than 6,000 delays. According to CNN, a corrupted file server was the source of the problem. This server required a 90-minute reboot but did not come back online properly.  

This incident highlights the two main challenges facing critical infrastructure:  

  1. The need to reduce technical debt   
  2. The persistent risk of cybersecurity incidents  

 

The Unbearable Weight of Technical Debt 

Technical debt is what happens when speed to production is prioritized over quality or security. Reducing technical debt requires a combination of technical, process, and cultural changes. It is an ongoing challenge that demands regular attention and commitment from the entire organization. To reduce technical debt, it is essential to have a clear understanding of the sources of technical debt in your organization. These sources may vary widely and can include shortcuts taken during development, a lack of proper documentation, or a lack of attention to long-term maintainability. If left unaddressed, technical debt can significantly affect an organization’s ability to innovate, respond to changing business needs, and remain secure in the face of evolving threats.

The very nature of critical infrastructure systems – for instance, the need to support millions of travelers every day – makes it particularly difficult to address issues that arise. Taking a system offline for a quick refresh or update is simply not possible when something as crucial as flight safety is at risk. Add in the challenges of allocating budget, and a vicious cycle of inaction is likely to emerge. Technical debt may be impossible to avoid entirely, but reducing its impact is a worthy goal with real-world benefits.  

 

The Looming Threat of Cyberattacks 

When the FAA outage story broke, there was widespread suspicion that it was a cyberattack. Fortunately, this particular incident does not appear to have been malicious. The White House Press Secretary even stated there was no evidence of a cyberattack behind the outage. 

Still, it was not unreasonable to jump to the conclusion that nefarious actors were at play in the FAA outage. After all, there was a 560% annual increase in aviation cyberattacks over the past year, according to the European Organization for the Safety of Air Navigation. Aviation systems and other critical infrastructure are susceptible to an extensive range of cyberthreats, from ransomware to denial-of-service attacks.  

And when it comes to the potential consequences of such attacks, it’s hard to overstate the danger. Beyond reputational damage and financial losses, the real threat if critical systems are compromised is to human life and safety. Paradoxically, it is the essential nature of these systems, plus the vulnerable, aging infrastructure they run on, that makes them such a tempting target for cybercriminals. 

 

Conclusion  

As an OT security specialist who happens to love air travel, I found that the FAA outage news caught my attention on both the professional and personal levels. I am grateful that no people were harmed and that the outage was short-lived, if terribly inconvenient for those affected. Thankfully, as should be the case in aviation, there were multiple redundancies, and pilots were able to safely navigate their aircraft and passengers to their destinations. And, in the best-case scenario, this incident may just provide the impetus for critical infrastructure organizations to address their technical debt and further harden their systems against cyberattacks.

 
