Air Traffic Control System Vulnerable
Auditor: FAA Fails to Safeguard System
"Attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC (air traffic control) systems, which is especially worrisome at a time when the nation is facing increased threats from sophisticated nation-state-sponsored cyber attacks," Rebecca Leng, Department of Transportation assistant inspector general for financial and information technology audits, wrote in a 23-page report issued this week.
As recently as February, hackers compromised an FAA computer, using it as a channel to gain unauthorized access to personally identifiable information on 48,000 current and former FAA employees. Last year, hackers seized control of FAA's critical network servers and gained the power to shut them down, which Leng contends could have seriously disrupted FAA's mission-support network.
The FAA didn't dispute the inspector general's findings, promising to take corrective action. However, in a response to the inspector general, the FAA maintained that a critical element of its cybersecurity is the separation of its network infrastructure between the National Airspace System (NAS), used for aircraft separation, and the administrative/air traffic control mission-support systems, parts of which are linked to the Internet. "We recognize the separation of FAA's network infrastructure," Leng said. "However, cyber attacks can spread from the mission-support network to the NAS network because of system interconnections."
The inspector general tested 70 Web applications, including some used to disseminate information to the public over the Internet, such as communications frequencies for pilots and controllers; others are used internally within FAA to support eight ATC systems, according to the audit. The inspector general's test identified 763 high-risk, 504 medium-risk and 2,590 low-risk vulnerabilities, such as weak passwords and unprotected critical file folders.
According to the report, unauthorized access could be gained to information stored on Web application computers through those vulnerabilities. Internal FAA users - employees, contractors, industry partners - could gain unauthorized access to ATC systems because the Web applications often act as front-end interfaces that provide front-door access to ATC systems. "These vulnerabilities could allow attackers to compromise FAA user computers by injecting malicious code onto the computers," Leng said.
During the audit, staff from the inspector general office and contracted auditors KPMG gained unauthorized access to information stored on Web application computers and an ATC system, and confirmed system vulnerability to malicious code attacks, she said.
"Unless effective action is taken quickly," Leng wrote, "it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations."
The full report includes corrective recommendations.