US air traffic control 'vulnerable to hackers' says watchdog

'Weaknesses preventing and detecting unauthorised access to computers'

Air traffic control at NATS

US air traffic control systems are potentially vulnerable to hackers, according to an audit by the American government.

A report [46 pages, PDF] by the Government Accounting Office (GAO) faults the Federal Aviation Administration (FAA) for failing to meet compliance with the relevant government standards, specifically the Federal Information Security Management Act FISMA and NIST (National Institute of Standards and Technology) guidelines.

The report omits mention of specific vulnerabilities, instead highlighting technology areas that need to be improved. User identification and authentication, data protection, access controls and encryption all appear on that list. Here's an excerpt from the report:

While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorised access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorising users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA’s systems.

Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses.

The limited-distribution report sees auditors makes 17 general recommendations, along with suggestions for 168 specific actions to harden air traffic control systems. The document also warns that unless "remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk."

The report was put together in January but only publicly released last week.

In a written response last month, Keith Washington, acting assistant secretary for administration at the Department of Transportation, said the FAA was on board with the GAO's recommendation and had already achieved six “major milestones” toward improving cybersecurity, the Washington Post reports.

Some lawmakers are not so sanguine. Sen. Chuck Schumer urged federal authorities to beef up cybersecurity protection in the wake of the report. Placing the worst possible interpretation on the reports findings the New York Democrat warned that terrorists might latch onto the flaws as a means to mount a cyber 9/11.

“If they were able to hack the system, thousands of planes could be in the air unguided. Sophisticated terrorists could even steer planes into one another,” he said, the New York Daily News reports.

Scary stuff, but perhaps the Senator may be overstating the threat.

In the interests of balance we'd like to point you towards our coverage of a presentation by two seasoned pilots, one an infosec experts, at Defcon 22 that punctures some of the myths about aircraft hacking. ®

Sponsored: Boost business agility and insight with flash storage for analytics