The Department of Transportation's inspector general hired auditors from the accounting firm Clifton Gunderson to conduct the audit earlier this year, and they identified an information disclosure exposure, inadequate system patch levels, unsupported operating systems, improper network configurations and communication system vulnerabilities.
In one test at an air route traffic control center, the auditors viewed, without using a password, hundreds of pages of sensitive technical information describing network configuration, gateways and other devices. "This sensitive information may provide a rogue employee or contractor sufficient understanding to identify and exploit weaknesses in the air traffic control security structure," Louis King, acting assistant inspector general for financial and information technology audits, said in a six-page summary of the audit. Because of the sensitive information in the audit, only the summary was made public.
Some, but not all, of the air traffic control computers are Internet-accessible through the FAA's mission support/administrative system network. Clifton Gunderson's review of the network revealed several critical and high-risk vulnerabilities tied to improper system configurations. "An attacker could leverage these vulnerabilities to gain total control of the systems," King said. "Furthermore, the systems could be used to compromise other systems that depend on the same network management and configuration services."
The auditors' review of the mission support/administrative system network uncovered several critical and high-risk vulnerabilities involving missing or outdated system patches and the running of operating systems no longer supported by their vendors. The IG explained that system patch levels and operating systems not kept current may result in system unavailability and create a risk that security holes will be exploited to gain access to air traffic control systems and data. "Any of these systems could be compromised and allow the attacker to use the system to hide his or her identity in order to launch more attacks," King said.
At one location, Clifton Gunderson auditors identified a communication system that did not require complex passwords and was not supported by the vendor. "This lack of sufficiently complex passwords could lead to an unauthorized manipulation of the communication system, a total system shutdown or falsification and impersonation of facility communications," King said.
The FAA concurred with all audit findings, and has agreed to develop plans to implement corrective actions to remediate all weaknesses.
The FAA operates 21 air route traffic control centers throughout the United States, serving the major communication hubs for flight plan routing and the systems that provide radar and communication services to aircraft operating above 18,000 feet. Air traffic control systems communicate with one another employing the same technology used for Internet communication.
Auditors assessed air traffic control systems and networks located at two FAA facilities within the continental United States.