NOTAM system outage affected 10,000 US flights
On the morning of Wednesday, January 11, 2023, almost 10,000 United States flights were delayed or canceled after a technical failure of the FAA Notice to Air Missions (NOTAM) system halted departures for roughly 90 minutes and set off a cascade of further delays and cancellations throughout the day.
The NOTAM system, whose format dates back to 1947, compiles and relays essential pre-flight information to pilots, airline dispatchers and others. This includes safety issues at and around the nation's airports, such as potential bad weather on the planned flight path, runway and taxiway changes at airports, or closed airspace that must be avoided: information that is "essential to personnel concerned with flight operations, but not known far enough in advance to be publicized by other means."
Although the direct cause of the outage has not yet been identified, it is well known that the system relies upon technology which, while generally reliable, is out of date. The FAA has reportedly been working for years on a still in-progress NOTAM modernization effort, including transitioning to a cloud-based platform, ensuring sufficient redundancy and bringing the US system into compliance with the standards and recommendations issued by the International Civil Aviation Organization (ICAO).
Notwithstanding current reports, which state that there is no evidence to suggest that this incident was a cyberattack, we know that digital forensic investigations take time, and that attributing an incident to a specific source is harder still. As such, we believe it is still important to analyze this event, its immediate impact and subsequent domino effects, and the responses taken by the FAA and airport and airline operators in the hours that followed, through the lens of a deliberate attack, so that we may take away insights that can be turned into security measures going forward.
Again, there is no current evidence of a deliberate cyberattack, and as of Wednesday evening some reports had linked the outage to a "damaged database file." However, we know that in recent years large-scale cyberattacks, including state-sponsored attacks, have become increasingly commonplace, and that aviation and other critical infrastructures are attractive targets. Many of these attacks have had impacts, albeit short-term ones, on airport, air navigation service or airline operations or integrity.
For example, in June 2015, a DDoS attack against LOT Polish Airlines jammed the airline's systems for five hours, leaving it unable to send flight plans to aircraft before takeoff and resulting in dozens of flight cancellations and delays. In September 2018, Bristol Airport suffered a ransomware attack, after which airport authorities were forced to take their flight information screens offline and display an "out of service" notice. While flights remained unaffected, the airport had to revert to whiteboards and extra staff to handle passenger confusion.
More recently, in October 2022, several U.S. airport websites were temporarily inaccessible or otherwise disrupted as a result of a targeted DDoS attack reportedly carried out by Killnet, a politically motivated, pro-Russian hacker group.
When analyzing this event from the perspective of a potential cyberattack, we must look at how the NOTAM system, which in recent years has moved from a manual system to an internet-based one with built-in redundancies, is connected: what it is connected to, and how information flows from its source to its endpoint within the overall airport and airline network. Most airlines subscribe to services that gather NOTAM information from the FAA and package it for each flight. The alerts for a single flight can run to tens or even hundreds of pages, written in a coded, abbreviated language. In 2020, the total number of NOTAMs issued exceeded 1.7 million.
According to the FAA website, digital NOTAMs and machine-to-machine data connections can be accessed through the NOTAM Distribution Service (NDS) via the System Wide Information Management (SWIM) portal and the NOTAM Application Programming Interface (API). The objective of this update is to provide a single platform on which all pilots, operators, dispatchers and software developers can find all FAA NOTAMs. We assume that messages pass from the NDS through SWIM in a unidirectional manner.
However, and without delving too deep into the intricate and complex web of aviation networks, we must recognize that when an airport or airline service puts itself on the internet and connects with other systems and portals, it exposes itself to potential external penetration. NOTAMs in particular are viewed in their millions per year, with an average of 35,000 issued daily. Furthermore, the nationwide impact of this incident makes clear that the system is critical to maintaining routine airline operations, which makes it both vulnerable to and an attractive target for a large-scale targeted attack. In addition, over and above this direct flow of NOTAMs, we must also consider the cascading effect of an attack against the NOTAM system on any interconnected or interdependent systems within the airline and airport networks.
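Whether the feed is corrupted by a damaged file or by a deliberately malformed message, a downstream consumer such as the per-flight packaging services described above should treat NOTAM text as untrusted input: parse each record independently, reject anything malformed instead of failing the whole feed, and only then filter what is in force for a given flight. The following is an added example, not code from ASERO, the FAA or SWIM. The lettered field layout (Q) A) B) C) E)), the yymmddhhmm UTC times and the PERM/EST conventions follow the ICAO NOTAM format; the feed in SAMPLE_FEED is constructed for the example, and the identifiers and helper names are my own.

```python
"""Consume an ICAO-format NOTAM feed as untrusted input and package the
NOTAMs in force for one flight.

Added example, not code from ASERO, the FAA or SWIM. Field layout and time
conventions follow the ICAO NOTAM format; SAMPLE_FEED is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

MAX_NOTAM_LEN = 4096  # hard bound per record so one oversized message cannot exhaust the consumer
KINDS = ("NOTAMN", "NOTAMR", "NOTAMC")  # new / replacing / cancelling
ID_RE = re.compile(r"^[A-Z]\d{4}/\d{2}$")          # series letter, number, two-digit year
ICAO_RE = re.compile(r"^[A-Z]{4}$")                 # A) aerodrome or FIR designator
Q_RE = re.compile(r"^[A-Z]{4}/Q[A-Z]{4}/")          # Q) starts with FIR and a Q-code
TIME_RE = re.compile(r"^\d{10}$")                   # yymmddhhmm
FIELD_RE = re.compile(r"(?:^|\s)([QABCDEFG])\)\s*")  # lettered fields; an " X)" inside E) text would also split (known limit)


@dataclass(frozen=True)
class Notam:
    ident: str
    kind: str
    location: str            # A)
    start: datetime          # B)
    end: Optional[datetime]  # C); None means PERM
    text: str                # E) plain-language part


def parse_time(raw: str) -> datetime:
    """yymmddhhmm in UTC; a trailing EST marks an estimated end time."""
    raw = raw.removesuffix(" EST").strip()
    if not TIME_RE.match(raw):
        raise ValueError(f"bad time {raw!r}")
    return datetime.strptime(raw, "%y%m%d%H%M").replace(tzinfo=timezone.utc)


def parse_notam(raw: str) -> Notam:
    """Parse one record; raise ValueError on anything malformed (fail closed per record)."""
    if len(raw) > MAX_NOTAM_LEN:
        raise ValueError("oversized message")
    header, _, body = raw.strip().partition("\n")
    parts = header.split()
    if len(parts) != 2 or not ID_RE.match(parts[0]) or parts[1] not in KINDS:
        raise ValueError(f"bad header {header!r}")
    ident, kind = parts
    tokens = FIELD_RE.split(body)  # ['', 'Q', '<q text>', 'A', '<a text>', ...]
    if tokens[0].strip():
        raise ValueError("text before first field")
    fields = {}
    for letter, content in zip(tokens[1::2], tokens[2::2]):
        if letter in fields:  # a repeated field is ambiguous; do not silently take one
            raise ValueError(f"duplicate field {letter})")
        fields[letter] = content.strip()
    for req in ("Q", "A", "B", "E"):
        if req not in fields:
            raise ValueError(f"missing field {req})")
    if not Q_RE.match(fields["Q"]) or not ICAO_RE.match(fields["A"]):
        raise ValueError("bad Q) or A) field")
    start = parse_time(fields["B"])
    end = None if fields.get("C", "PERM") == "PERM" else parse_time(fields["C"])
    if end is not None and end <= start:
        raise ValueError("C) end is not after B) start")
    return Notam(ident, kind, fields["A"], start, end, fields["E"])


def ingest(feed: str):
    """Split the feed on blank lines and parse each record on its own, so a
    corrupted record is quarantined rather than taking the whole feed down."""
    accepted, rejected = [], []
    for record in re.split(r"\n\s*\n", feed.strip()):
        try:
            accepted.append(parse_notam(record))
        except ValueError as exc:
            rejected.append((record.split("\n", 1)[0][:40], str(exc)))
    return accepted, rejected


def active_for_flight(notams, location: str, at: datetime):
    """The per-flight view: NOTAMs for `location` whose B)..C) window covers `at`."""
    return [n for n in notams
            if n.location == location and n.start <= at and (n.end is None or at <= n.end)]


# Constructed sample feed: two valid records, one with C) before B), one with a duplicate A).
SAMPLE_FEED = """\
A1234/23 NOTAMN
Q) KZNY/QMRLC/IV/NBO/A/000/999/4038N07346W005
A) KJFK B) 2301111200 C) 2301112359
E) RWY 04L/22R CLSD

A1235/23 NOTAMN
Q) KZNY/QMXLC/IV/M/A/000/999/4038N07346W005
A) KJFK B) 2301110000 C) PERM
E) TWY A CLSD BTN TWY B AND TWY C

A1236/23 NOTAMN
Q) KZNY/QMRLC/IV/NBO/A/000/999/4038N07346W005
A) KJFK B) 2301120000 C) 2301112359
E) RWY 13L/31R CLSD

A1237/23 NOTAMN
Q) KZNY/QMRLC/IV/NBO/A/000/999/4038N07346W005
A) KJFK A) KLGA B) 2301111200 C) 2301112359
E) RWY 04R/22L CLSD
"""

if __name__ == "__main__":
    ok, bad = ingest(SAMPLE_FEED)
    for ident, why in bad:
        print(f"rejected {ident}: {why}")
    for n in active_for_flight(ok, "KJFK", parse_time("2301111500")):
        print(n.ident, n.text)
```

The two malformed records are reported and dropped while the two valid ones still reach the flight package; a consumer that instead aborted on the first bad record would reproduce, on its own, the kind of outage the article describes. Cancelling (NOTAMC) and replacing (NOTAMR) messages are parsed but not applied to earlier records here; a production consumer would have to do that before building the per-flight view.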
ASERO believes that when looking at an incident of the magnitude of this most recent NOTAM event, it is important to look at the big picture: not only at what actually happened, but also at what could have happened and what can be done to prevent a worst-case security scenario going forward.