Federal investigators were able to hack into an air traffic control tower, weather systems and traffic flow management computers as part of a wide-ranging cyber security audit of the US FAA's air traffic control infrastructure.
The audit results, published 4 May by the Transportation Department's Office of Inspector General (OIG), concluded that "web applications used in supporting ATC systems operations are not properly secured to prevent attacks or unauthorized access".
In addition, the OIG found that the FAA has not established "adequate intrusion-detection capability" to monitor and detect potential cyber security incidents at ATC facilities.
Initiated at the request of House aviation subcommittee members, John Mica and Tom Petri, the audit set out to determine if the FAA's increased use of commercial software and internet protocol (IP)-based technologies in air traffic modernization projects pose a higher security risk than the proprietary software platforms previously used.
"Now, attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC systems," the audit finds, "which is especially worrisome at a time when the nation is facing increased threats from sophisticated nation-state-sponsored cyber attacks."
For the report, investigators tested 70 web applications, some of which are used to disseminate information to the public over the internet, including communications frequencies for pilots and controllers. Others were used internally within the FAA to support eight ATC systems. "Our test identified a total of 763 high-risk, 504 medium-risk and 2,590 low-risk vulnerabilities, such as weak passwords and unprotected critical file folders," the report states.
The OIG says that by exploiting the vulnerabilities, the public could gain "unauthorized access" to information stored on the web application computers and further that internal FAA users, including employees, contractors, industry partners, could gain unauthorized access to ATC systems. The vulnerabilities could allow attackers to compromise FAA user computers by injecting malicious code into those devices, the report states.
The OIG says that in fiscal year 2008, more than 800 cyber incident reports were issued to the FAA's air traffic organization and that by year's end, 150 had not been "remediated, including critical incidents in which hackers may have taken over control of ATO computers".
Congressman Mica says: "Our concerns about the cyber security of the US air traffic control system are validated by this report. FAA systems are vulnerable to cyber terrorist attacks."