The nation’s air traffic control system is wide open to malicious hacker attacks because of “significant weaknesses” in the Federal Aviation Administration’s network security maintenance, according to a warning from the U.S. GAO (Government Accountability Office).
The Congressional watchdog’s startling findings formed part of an update to a study first conducted in 2000 into the FAA’s information security systems.
According to the independent GAO, not much has improved in the five years since the original study.
“Although FAA has made progress in implementing information security by establishing an agency-wide information security program and addressing many of its previously identified security weaknesses, significant information security weaknesses remain that could potentially lead to disruption in aviation operations,” the GAO said in a report released this week.
The 37-page document pinpointed weaknesses in electronic access controls, physical security and background investigations that “increase the level of risk.”
These lax controls extend to the managing of computer networks, system and software patches, user accounts and passwords, user rights and the auditing of security-relevant events.
“A key reason for FAA’s weaknesses in information system controls is that it has not yet fully implemented an information security program to ensure that effective controls are established and maintained,” said the GAO, which is a nonpartisan agency that works for Congress.
The accountability watchdog said effective implementing of the program calls for the assessment of risks, the establishment of appropriate policies and procedures and the implementation of security plans.
The GAO report found major gaps in the way the FAA handled the security of the air traffic networks.
“For the systems we reviewed, FAA did not consistently configure network services and devices securely to prevent unauthorized access to and ensure the integrity of computer systems operating on its networks,” the report said.
“We identified weaknesses in the way the agency restricted network access, developed application software, segregated its network, protected information flow and stored the certificates that are used for authentication,” it added.
The report included specific examples of the lax network security, pointing out that access for system administration “was not always adequately restricted, and unnecessary services were available on several network systems.”
“As a result, it is at increased risk of unauthorized system access, possibly disrupting aviation operations,” the report added.
Last year, the FAA’s air traffic control system managed more than 46 million flights, accounting for 640 million passengers. In all, the system was used to control about 7,000 civilian and military aircraft at any one time.
With such a massive responsibility, the GAO found that the FAA’s response during the study did not fully address the risks.
“While acknowledging these weaknesses, agency officials stated that because portions of their systems are custom built and use older equipment with special-purpose operating systems, proprietary communication interfaces, and custom-built software, the possibilities for unauthorized access are limited,” the report noted.
“Nevertheless, the proprietary features of these systems do not protect them from attack by disgruntled current or former employees, who understand these features, or from more sophisticated hackers.”
“The complex air traffic control system relies on several interconnected systems. As a result, the weaknesses we identified may increase the risk to other systems,” the GAO said, sidestepping the FAA’s defense that individual system vulnerabilities are mitigated by system redundancies and separate access control built into the overall air traffic control system architecture.
Among other things, the watchdog body recommends that the FAA develop and implement policies and procedures to address as patch management and the reviewing and monitoring of physical access.
The FAA is urged to review system security plans and enhance the security awareness training program to ensure that all employees and contractors receive information security awareness training, as well as system specific training, and that completion of the training is appropriately reported and tracked.
The GAO also recommends that a process be developed to ensure that sensitive information is not publicly available on the Internet.
Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.