Worrying news from the other side of the Pond....
The US Federal Aviation Administration has just admitted that the nation's air traffic control systems are vulnerable to cyber attacks following a top level probe into systems security.
A government report by the Transportation Department's Office of Inspector General has revealed that support systems have been breached in recent months allowing hackers access to personnel records and network servers.
Crucially, investigators say those breaches could potentially compromise vital operational systems that control communications, surveillance and flight separation information.
The recent cyber attacks - which included a February incident where hackers gained access to personal information on about 48,000 current and former FAA employees, and an attack in 2008 when hackers took control of some FAA network servers - have led auditors to conclude that the FAA is not able to adequately detect potential cyber security attacks.
Incidents that the investigators highlighted include the fact that in 2006, the FAA's Remote Maintenance Monitoring System was connected to the less-secure mission-support network, which created security exposure to ATC operations.
In the same year, a viral attack originating from the internet spread from administrative networks to ATC systems, forcing FAA to shut down a portion of its ATC systems in Alaska.
Last year, hackers took over FAA computers in Alaska, becoming FAA "insiders." By taking advantage of FAA's interconnected networks, hackers later stole FAA's enterprise administrator's password in Oklahoma, installed malicious codes with the stolen password, and compromised FAA's domain controller in its Western Pacific Region.
At that point, hackers could have obtained more than 40,000 FAA user IDs, passwords, and other information used to control a portion of the FAA mission-support network.
Last year, hackers also compromised an FAA public-facing web application computer on the Internet and used it to enter an FAA internal database server. Included in the server was data on 48,000 current and former FAA employees, including names, dates of birth, social security numbers, pay grades/bands, addresses, veterans' preferences, usernames and passwords, and education/medical/health information.
"These web vulnerabilities occurred because firstly web applications were not
adequately configured to prevent unauthorized access and secondly web application software with known vulnerabilities was not corrected in a timely manner by installing readily available security software patches released to the public by software vendors," says the report.
"In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, air traffic control systems encounter attacks that do serious harm to operations," say the investigators who went on to recommend that the FAA must secure its systems against hackers and other intruders.
In response to the findings, FAA officials stressed that the support systems and traffic control networks are indepeendent from each other.
"The Office of Inspector General did release a report that stated that FAA's computers are vulnerable to cyber attacks. We want to emphasize that the FAA's Air Traffic Organization uses two types of major networks that are separated physically and logically.
"One provides mission support for administrative functions and the other is used to operate the air traffic system. It is not possible to use the administrative and mission support network to access the air traffic control network. That said, we concur with the Inspector General's recommendations and are working to correct any vulnerabilities."
