The Tech Herald

Air Traffic Control vulnerable to attack, report says

by Steve Ragan - May 7 2009, 17:10


While most of the security world awaits the Obama administration’s report on cybersecurity, a different report was released recently, detailing the security weaknesses of the Air Traffic Control (ATC) systems and the FAA’s network intrusion detection abilities.

According to the report, ordered by Ranking Minority members of the House Committee on Transportation and Infrastructure and its Aviation Subcommittee, the FAA fails. The results in brief say it all:

“Web applications used in supporting ATC systems operations are not properly secured to prevent attacks or unauthorized access. In addition, FAA has not established adequate intrusion-detection capability to monitor and detect potential cyber security incidents at ATC facilities,” outlined the report.

“In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations,” it added.

The network audit was performed by KPMG of Washington, D.C., under contract to the Office of Inspector General (OIG). OIG staff overseeing the work, together with the testing performed by KPMG, examined 70 Web applications comprising both internal and public-facing access points. In all, 3,857 vulnerabilities were discovered and, of those, some 763 were ranked as 'high risk'.

During testing, “unauthorized access” was gained to information stored on Web application computers attached to the Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower.

In addition, this access would allow malware to be installed on the FAA’s computers. The report says the unauthorized access was possible because the Web applications were poorly secured and not configured to prevent this type of access. Also, vulnerable software used by the Web applications was not properly patched.

“This vulnerability was found on Web applications associated with the Traffic Flow Management Infrastructure system. Once infected via these applications, FAA user computers would take orders from hackers to attack other computers or send critical network information to hackers (“exfiltration”),” the report cited as an example.

“A similar incident actually occurred in August 2008. By executing malicious codes, hackers took control of FAA’s critical network servers (domain controllers) and gained the power to shut down the servers, which could have caused serious disruption to FAA’s mission-support network.”

The report goes on to list issues with intrusion detection. In fiscal year 2008, more than 800 incident alerts were issued to the Air Traffic Organization, yet by the end of the fiscal year, 150 of them were still unresolved.

To highlight the potential threats posed by the failure to remediate network alerts, the report simply listed two well-known network attacks on the ATC.

The first took place in 2008, when “hackers took over FAA computers in Alaska, becoming FAA “insiders.” By taking advantage of FAA’s interconnected networks, hackers later stole FAA’s enterprise administrator’s password in Oklahoma, installed malicious codes with the stolen password, and compromised FAA’s domain controller in its Western Pacific Region. At that point, hackers had the ability to obtain more than 40,000 FAA user IDs, passwords, and other information used to control a portion of the FAA mission-support network.”

The second happened earlier this year, when a public-facing Web application was compromised and used as a direct path into an FAA database server. Once compromised, the database server spilled the details of over 48,000 current and former FAA employees. The details included names, birth dates, Social Security numbers, pay grades, addresses, usernames and passwords, as well as health-related information.

The FAA is working on the issues, a memo included with the report said.

The memo highlighted the steps that were being undertaken by the Air Traffic Organization including, “implementing a comprehensive Information System Security (ISS) Program in support of Federal Information Security Management Act (FISMA) requirements; separating NAS operational ATC systems from Mission Support and Administrative systems; identifying and fixing Cyber security weakness in a prioritized process, with expedited processes in place to address critical issues identified as high priority; and modernizing ATO Cyber security through improvements in processes and technology.”

The entire report is available online.
