IG: Air traffic control system vulnerable to cyberattack
- By Kathleen Hickey
- May 06, 2009
The Federal Aviation Administration’s air traffic control system is vulnerable to cyberattacks via Web applications that support the system, according to a new report released by the Transportation Department’s Office of Inspector General (OIG).
“In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, [air traffic control] systems encounter attacks that do serious harm to [air traffic control] operations,” wrote Rebecca Leng, DOT’s assistant inspector general for financial and information technology audits, in the report.
Reps. John Mica (R-Fla.) and Tom Petri (R-Wis.) requested the report, titled “Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems.”
The satellite-based air traffic control system is heavily reliant on commercial software and IP-based technology. Among the auditors’ conclusions:
- Web applications used to support system operations were not properly secured to prevent attacks or unauthorized access.
- FAA has not established an adequate intrusion-detection capability to monitor and detect potential cybersecurity incidents.
- Cybersecurity incidents were not dealt with in a timely manner.
OIG tested 70 Web applications — some of which are used to disseminate information via the Internet, such as communications frequencies for pilots and controllers — and others that are used internally to support eight air traffic control systems. Auditors from DOT and KPMG identified 763 high-risk, 504 medium-risk and 2,590 low-risk vulnerabilities, including weak passwords and unprotected critical file folders.
They defined high-risk vulnerabilities as those that could give an attacker immediate access to a computer system, such as allowing execution of remote commands. Medium- and low-risk vulnerabilities were defined as providing an attacker with useful information, such as error messages that reveal system configuration details, that attackers can then use to compromise a computer system.
Those vulnerabilities could lead to unauthorized access to information on Web application computers and air traffic control systems, the report states. Auditors were able to gain unauthorized access to information stored on Web application computers and an air traffic control system, and confirmed the system’s vulnerability to malicious code attacks.
The auditors found Web applications that had not been adequately configured to prevent unauthorized access and Web application software with known vulnerabilities that were not corrected in a timely manner by installing readily available security patches released by software vendors.
The auditors also found poor monitoring and detection of cybersecurity incidents. Although air traffic control systems are located at hundreds of operational facilities — such as en route centers, terminal radar approach control facilities and airport control towers — sensors for intrusion detection have been deployed at only 11 of the facilities. Furthermore, none of the sensors monitor operational air traffic control systems. Instead, they provide monitoring coverage only for mission-support systems, such as e-mail.
At the end of fiscal 2008, the Air Traffic Organization had not addressed 150 of the 800 cyber-incident alerts it had received that year, including critical incidents in which hackers might have taken control of ATO computers.
“Our concerns about the cybersecurity of the U.S. air traffic control system are validated by this report,” said Mica, ranking member of the House Transportation and Infrastructure Committee. “In recent years, hackers have been able to access FAA systems. Luckily, these attacks have not resulted in any serious damage, but this report confirms that our entire system could be compromised by a similar threat.”
“FAA’s capability to avert and respond to cyber threats must be strengthened,” he added. “Any such attack on U.S. transportation systems is serious, but an attack on our aviation system could jeopardize the entire industry and poses a significant threat to safety.”
OIG recommended that all Web applications used in air traffic control systems be configured to comply with government security standards. In addition, the auditors recommended that FAA:
- Identify Web applications that have known vulnerabilities and promptly install security patches.
- Take immediate action to correct high-risk vulnerabilities.
- Establish a timetable for remediation of all remaining vulnerabilities identified in the report.
- Establish a timetable for deploying intrusion-detection systems at all air traffic control facilities.
- Institute procedures for ensuring timely remediation of future cyber incidents.