Tag Archives: cyber-security

UPDATE: Detailed results of the ATC web security audit

CNET posted a link to the Office of Inspector General’s report that lays out the vulnerabilities found in the recent audit of ATC systems security.  (See our previous post on this story.) There’s quite a lot of sobering content, here a small sample:

We tested 70 Web applications, some of which are used to disseminate information to the public over the Internet, such as communications frequencies for pilots and controllers; others are used internally within FAA to support eight ATC systems.3 Our test identified a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities,4 such as weak passwords and unprotected critical file folders.
By exploiting these vulnerabilities, the public could gain unauthorized access to information stored on Web application computers. Further, through these vulnerabilities, internal FAA users (employees, contractors, industry partners, etc.) could gain unauthorized access to ATC systems because the Web applications often act as front-end interfaces (providing front-door access) to ATC systems. In addition, these vulnerabilities could allow attackers to compromise FAA user
computers by injecting malicious code onto the computers. During the audit, KPMG and OIG staff gained unauthorized access to information stored on Web application computers and an ATC system, and confirmed system vulnerability to malicious code attacks.

  • Unauthorized access was gained to information stored on Web application computers  associated with the Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower;
  • Unauthorized access was gained to an ATC system used to monitor critical power supply at six en route centers; and
  • Vulnerability found on Web applications associated with the Traffic Flow Management Infrastructure system was confirmed, which could allow attackers to install malicious codes on FAA users’ computers.

This occurred because (1) Web applications were not adequately configured to prevent unauthorized access and (2) Web application software with known  vulnerabilities was not corrected in a timely matter by installing readily available security software patches released to the public by software vendors. [..]

In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations.

Advertisements

Leave a comment

Filed under news

DOT security audit shows ATC systems vulnerable, incidents not addressed

From Information Week:

The Transportation Department report states that auditors from KPMG and the Office of the Inspector General tested 70 Web applications, 35 used by the FAA to disseminate information over the Internet and 35 used internally to support air traffic control systems. The security audit found a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities, such as weak passwords and unprotected folders.

Beyond the issue of poorly configured, buggy Web applications, the report also found that the air traffic control systems are woefully unprotected by intrusion-detection systems. Only 11% of air traffic control facilities have IDS sensors, the report states, and none of those IDS sensors monitors air traffic control operational systems; instead, they monitor mission-support systems, such as e-mail servers.

In 2008, more than 800 cyberincident alerts were issued to the Air Traffic Organization, which oversees air traffic control operations. At the end of that year, 17% of those incidents (150), some designated critical, had not been addressed.

Leave a comment

Filed under news