Graph Image
Invictus
Articles November 25, 2020

Invictus Establishes an Agency Level Penetration Testing Program at FAA

By: Bink Skinner, CISSP - FAA Program Manager

Early last year, the FAA Air Traffic Organization (ATO), the operational arm of the FAA and its largest component, identified the requirement to quickly establish a Penetration Testing (PenTesting) capability in order meet the NIST testing criteria for FIPS-199 “High” systems.  ATO Cybersecurity Group (ACG) management was assigned the task to fill this gap.  Noting Invictus’ established reputation providing cybersecurity support to surveillance systems’ acquisitions and upgrades throughout the system lifecycle, we were approached to assist ACG in establishing a PenTesting capability. Working closely with ACG government leadership and technicians, we established a plan to form a team and reach initial operational capability (IOC) for an ATO PenTesting Team within a year. IOC for the team was set as A) completing a full NAS system test event on a “High” system, B) developing and delivering a PenTesting Program Strategy with standardized testing artifacts, and C) developing and delivering outreach materials and briefings. This involves not only finding qualified personnel, but creating a realistic and attainable mission, bolstered by a strategy document. Up until this moment, the FAA ACG (ATO Cyber Security Group) did not possess the capability to conduct penetration testing & assessments, analyze vulnerabilities that lie within the air traffic infrastructure, nor have any mitigation strategies to rectify gaps in security.

To meet the NIST criteria, a PenTesting Team should function to identify and mitigate security vulnerabilities before the nation’s adversaries can exploit them. This is complicated by the FAA’s unique environment that is focused on safety of flight and safety of life. As PenTesting of operational production systems would involve a potential risk to life, there is zero tolerance for system outages resulting from testing. This forced a shift from traditional testing practices to the use of non-operational engineering lab and test instantiations or not yet deployed or operational production versions for testing. Fortunately, the FAA maintains two robust lab and simulation facilities, one at Atlantic City, New Jersey and another at Oklahoma City, Oklahoma. Those facilities are primarily used for safety of flight testing and Air Traffic Controller system certification. They contain non-operational replicas (not connected to the National Aerospace System) of all ATC systems including the prioritized “High” systems. As these labs are primarily focused on the performance and operational aspects of systems, they provide the opportunity to also observe and gauge the impacts of an exploit on a system. By working with the engineers and operators, we can learn what they see on their monitoring consoles and determine at points air traffic operators loose confidence in those systems and what their actions are to determine mission impacts across the national system of systems. When and what malicious activity would impact the air traffic control mission?

Perhaps more importantly, the adoption of  requires an acceptance by FAA executives, system owners, engineering staff, and other stakeholders, with historically little insight to cyber threats, regarding what they consider risky activities that put their systems at risk. This requires a considerable education and outreach component of the program. Working with our ACG government and contractor mission partners, we developed detailed outreach briefings and presentations explaining the NIST requirements for a testing program, processes for integrating PenTesting into the existing Information Security Continuous Monitoring (ISCM) process, and the long-term programmatic benefits of the early discovery of previously unknown vulnerabilities. Within an organization focused on safety, system performance, and reliability,  recognizing those weakness early, offers executives and program managers an opportunity for pro-active planning vice costly, reactive system corrections.

Despite the normal growing pains and expedited timeline- compounded further with a nation-wide lockdown: Invictus was able to bring the FAA Penetration testing team to Initial Operating Capability (IOC) in less than twelve months. A milestone achievement for both the FAA & Invictus. We’ve identified high priority systems for testing, focusing on those capabilities key for the surveillance (radars, GPS beacons, etc.) of commercial and private aircraft, the transmission and distribution of air track data (command and control), and other capabilities providing inputs to the safety of air traffic including extreme weather and commercial space deconfliction. This lays the framework for growth and support to our FAA customer and their air traffic safety mission.

This framework enables improved strategic programmatic planning and management, cybersecurity risk management, and threat/vulnerability information sharing across all levels of management and executive leadership, improving the relationship between system owners and the security organization. It also reinforces the need for strong ties to threat information sharing with outside agencies/entities to accurately test against real world threats and threat actors. Through this methodology, we can demonstrate to management that, “real world threat actor A, would exploit your air traffic control system B, in this fashion, it may be detected by engineer or security monitoring C, and the impact to air traffic management (volume restrictions, re-routing, closures, etc.) would be D. This rings true at all levels and can be applied to all agencies and organizations.  At FAA, we’re defending the gates… one system at a time.

Invictus is an industry leader in cybersecurity assessments providing a wide range of assessments that include Penetration Testing, Security Control Assessments and Organization/Agency Level cybersecurity assessments and Command Cyber Readiness Inspections (CCRIs) for both commercial and government clients.  Contact us if you are interested in scheduling an assessment.