Euro Security Watch with Mathew J. Schwartz

Critical Infrastructure Security

US Flights Resume After Reported Computer Glitch Resolved

Separately, UK's Royal Mail Blames 'Cyber Incident' for Service Disruption
US Flights Resume After Reported Computer Glitch Resolved
Image: Mark Bess via Flickr/CC

Anytime critical infrastructure gets disrupted, the first question inevitably seems to be: Was a cyberattack to blame?

See Also: The External Attack Surface Is Growing and Represents a Consistent Vulnerability

So it went Wednesday when the U.S. Federal Aviation Administration announced a "ground stop," prohibiting flights from taking off, due to an overnight system failure.

"The FAA has ordered airlines to pause all domestic departures until 9 a.m. Eastern Time to allow the agency to validate the integrity of flight and safety information," the FAA, part of the Department of Transportation, reported early Wednesday.

The problem was an outage involving the FAA's system for sharing real-time information on flight hazards and restrictions with all commercial airline pilots, called NOTAM, for "Notice to Air Missions." The ground stop caused chaos at U.S. airports, as passengers were left stranded or delayed. While planes in the air could still land, the disruptions led to the delay of 6,000 flights and cancellation of 1,000 flights, according to tracking firm FlightAware.

The White House moved quickly to downplay suggestions that online attacks might have triggered the outage.

"The president has been briefed by the secretary of transportation this morning on the FAA system outage," press secretary Karine Jean-Pierre reported via Twitter.

"There is no evidence of a cyberattack at this point, but the president directed DOT to conduct a full investigation into the causes. The FAA will provide regular updates," she added.

Just shy of 9:00 a.m. Eastern Time, the FAA ended the ground stop.

"FAA has determined that the safety system affected by the overnight outage is fully restored, and the nationwide ground stop will be lifted effective immediately," Secretary of Transportation Pete Buttigieg reported via Twitter at 8:55 a.m. Eastern Time.

"I have directed an after-action process to determine root causes and recommend next steps," he added.

What that after-action report identifies as the culprit behind the NOTAM outage remains to be seen.

While the probe continues, Wednesday evening the FAA issued this update: "Our preliminary work has traced the outage to a damaged database file. At this time, there is no evidence of a cyberattack."

Royal Mail Disruption

Also on Wednesday, Britain's national postal service, Royal Mail, advised customers that it was "experiencing severe service disruption to our international export services following a cyber incident," and recommended they delay attempting to send any items abroad.

"We're experiencing disruption to our international export services and are temporarily unable to dispatch items to overseas destinations," Royal Mail said. "Items that have already been dispatched may be subject to delays. We would like to sincerely apologize to impacted customers for any disruption this incident is causing. Our import operations continue to perform a full service, with some minor delays."

It added: "Our teams are working around the clock to resolve this disruption and we will update you as soon as we have more information."

Subsequently, the BBC and other media outlets reported that Royal Mail systems had been disrupted by a ransomware group (see: LockBit Ransomware Group Reportedly Behind Royal Mail Attack).

Cyberattack Question Déjà Vu

Setting aside Royal Mail, any unusual critical infrastructure outage or delay these days - not just FAA systems but IT outages at British airports, power grid disruptions in South America, a U.S. Navy destroyer colliding with a merchant tanker - seem to immediately trigger the "was it a cyberattack?" question.

As those incidents highlight, online attacks are rarely to blame.

Until 2019, the tongue-in-cheek Cyber Squirrel 1 website tracked over 30 years of data pertaining to 2,524 global power outages. Only three could be ascribed to humans, in the form of nation-state attacks: the Ukrainian power outages in 2015 and 2016 and Stuxnet, which was discovered in 2010 and is widely believed to have been the result of a project run by the United States and Israel.

For the other outages, the leading culprit was clear: squirrels, followed distantly by birds, snakes and raccoons.

For IT outages, meanwhile, the digital version of a squirrel is already well known. "It was DNS. It's always DNS," tweeted cybersecurity expert Jake Williams, a former member of the National Security Agency's offensive hacking team, about the FAA system outage.

Jan. 12, 2023 08.30 UTC: This story has been updated to include the FAA stating late Wednesday that "a damaged database file" appears to be the culprit.

Jan. 13, 2023 09.30 UTC: This story has been updated to say that the Royal Mail disruption reportedly traces to a ransomware attack.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.