An audit of the Web applications connected to air-traffic control networks found hundreds of critical vulnerabilities in the software and documented dozens of cyber incidents that continue to be unresolved, auditors stated in a report to the Federal Aviation Administration released this week.
During the investigation, auditors from the Office of the Inspector General for the U.S. Department of Transportation and accounting firm KPMG found 763 high-risk security issues in the Web servers set up to deliver information to the public and to FAA employees. The investigation also discovered more than 3,000 other vulnerabilities, according to the report (pdf). The vulnerabilities include incorrectly configured Web applications and software with known security issues that were not regularly patched.
"Web applications used in supporting ATC systems operations are not properly secured to prevent attacks or unauthorized access," Rebecca C. Leng, assistant inspector general for financial and information technology audits at the Office of Inspector General, stated in the report. "In addition, the FAA has not established adequate intrusion-detection capability to monitor and detect potential cyber security incidents at ATC facilities."
The vulnerabilities could be used to get access to information stored on the Web application computers, allow FAA users to gain unauthorized access to traffic control computers, and allow attackers to compromise the computers of FAA users. The auditors went even further and actually gained unauthorized access to Web applications for the Traffic Flow Management Infrastructure, a weather system and a control tower. By compromising a Web application, the auditors found that they could have infected FAA employees' computers.
"While use of commercial IP (Internet protocol) products, such as Web applications, has enabled FAA to efficiently collect and disseminate information to facilitate ATC services, it inevitably poses a higher security risk to ATC systems than when they were developed primarily with proprietary systems," Leng wrote.
Over the past decade, federal agencies have only slowly improved their compliance with the Federal Information Security Management Act (FISMA), which mandates better computer security for government systems. In the last three years, the FAA has had several serious cyber incidents, including the theft of 48,000 employee records by online intruders. In a separate incident in 2008, hackers compromised the FAA's domain controllers and could have disrupted the ATC mission-support network, the auditors stated. The Obama administration has pledged to improve the security of U.S. government systems and is currently prepping a review of the previous administration's policy.
The auditors also found that more than 800 cyber incident alerts were issued to the Air Traffic Organization (ATO) in 2008, but at the end of the year, 150 incidents remained unresolved. In March 2008, ATO officials requested that the Department of Transportation close 60 unresolved incidents because of time constraints.
The auditors made five recommendations to the FAA, including bringing the Web applications up to government security standards, improving the patch management process, and extending intrusion-detection systems to cover all networks.
In the FAA's response to the report, CFO Ramesh Punwani agreed with the five recommendations and also pointed out that its network is separated into two systems, the administrative and traffic-control mission-support system and the National Airspace System that manages aircraft separation. The air-traffic control operations systems are prohibited from directly connecting to the administrative systems or to the Internet, the FAA stated.
Posted by: Robert Lemos