US air traffic control 'vulnerable to hackers' says watchdog

'Weaknesses preventing and detecting unauthorised access to computers'

12 Reg comments Got Tips?

US air traffic control systems are potentially vulnerable to hackers, according to an audit by the American government.

A report [46 pages, PDF] by the Government Accounting Office (GAO) faults the Federal Aviation Administration (FAA) for failing to meet compliance with the relevant government standards, specifically the Federal Information Security Management Act FISMA and NIST (National Institute of Standards and Technology) guidelines.

The report omits mention of specific vulnerabilities, instead highlighting technology areas that need to be improved. User identification and authentication, data protection, access controls and encryption all appear on that list. Here's an excerpt from the report:

While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorised access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorising users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA’s systems.

Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses.

The limited-distribution report sees auditors makes 17 general recommendations, along with suggestions for 168 specific actions to harden air traffic control systems. The document also warns that unless "remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk."

The report was put together in January but only publicly released last week.

In a written response last month, Keith Washington, acting assistant secretary for administration at the Department of Transportation, said the FAA was on board with the GAO's recommendation and had already achieved six “major milestones” toward improving cybersecurity, the Washington Post reports.

Some lawmakers are not so sanguine. Sen. Chuck Schumer urged federal authorities to beef up cybersecurity protection in the wake of the report. Placing the worst possible interpretation on the reports findings the New York Democrat warned that terrorists might latch onto the flaws as a means to mount a cyber 9/11.

“If they were able to hack the system, thousands of planes could be in the air unguided. Sophisticated terrorists could even steer planes into one another,” he said, the New York Daily News reports.

Scary stuff, but perhaps the Senator may be overstating the threat.

In the interests of balance we'd like to point you towards our coverage of a presentation by two seasoned pilots, one an infosec experts, at Defcon 22 that punctures some of the myths about aircraft hacking. ®


Keep Reading

Defending critical national infrastructure... hmm. Does Zoom count as critical now?

Infosec Europe All the old lines are getting pretty darn blurred, say security experts at Euro online confab

Hack a small airplane? Yes, we CAN (bus) – once we physically break into one, get at its wiring, plug in evil kit...

DEF CON PASSENGERS IN PERIL? CRISIS IN THE SKIES? No – but neat ways to frig with your own aircraft

What's the frequency, KeNNeth? Neural nets trained to tune in on radar signals to boost future mobe broadband

It's time we rise up against these AI overlords and overthrow their useful technologies

Raytheon techie who took home radar secrets gets 18 months in the clink in surprise time fraud probe twist

Be careful about bunking off when you're billing your hours to a government

It's July 2020, and your PC or Mac can be pwned by a dodgy Photoshop file – Adobe emits critical patch batch

Major fixes for Bridge and Prelude, too, plus Reader Android updated

Spending on 5G to double despite the pandemic while legacy network infrastructure sector suffers – Gartner

Also, half of the world's 5G investment currently is spent by China

F5 emits fixes for critical flaws in BIG-IP gear: Hopefully yours aren't internet-facing while you ready a patch

Not to worry, there are only *searches* several thousand devices apparently exposed online

Australia launches critical infrastructure security reforms

Part 1: find out who owns what. Part 2: get them to take security seriously ... or else

Biting the hand that feeds IT © 1998–2020