DOT Issues Vulnerability Report On The FAA’s ATC System



By Steve Hall

April 22, 2011 - The Department of Transportation’s Office of the Secretary of Transportation Office of Inspector General (OIG) issued a quality control review report on the vulnerability assessment of the Federal Aviation Administration's (FAA's) operational air traffic control (ATC) system.

The review was conducted at the request of the current Chairmen of the House Transportation and Infrastructure Committee and its Subcommittee on Aviation.

The objective of the audit was to determine, by assessing systems and networks at two FAA facilities, whether the ATC systems can be accessed by unauthorized users from inside ATC facilities through FAA’s Mission Support System Network (MSSN).

Clifton Gunderson LLP, of Calverton, Maryland, completed the audit under contract to the Office of Inspector General (OIG). OIG staff performed a quality control review of Clifton Gunderson's audit work to ensure that it complied with generally accepted government auditing standards. Their review disclosed no instances in which Clifton Gunderson did not comply in all material respects with applicable auditing standards.  

Clifton Gunderson concluded that unauthorized users were unable to gain access to FAA's operational ATC systems. However, they identified the following weaknesses at the Air Route Traffic Control Centers (ARTCCs): 1) information disclosure vulnerabilities; 2) inadequate system patch levels and unsupported operating systems; 3) improper network configurations; and 4) communication system vulnerabilities.

Information disclosure vulnerability: During testing at one ARTCC, the auditors found an information disclosure vulnerability that allowed them to view, without using a password, hundreds of pages of sensitive technical information describing network configuration, gateways and other devices. This sensitive information may provide a rogue employee or contractor sufficient understanding to identify and exploit weaknesses in the ATC security structure.

Patch management vulnerabilities: Testing on FAA's MSSN revealed several critical and high-risk Common Vulnerabilities and Exposures (CVE) related to missing or outdated system patches or the running of operating systems no longer supported by their vendors. System patch levels and operating systems that are not kept current may not only result in system unavailability, but may also create a risk of exploitation of security holes for access to ATC systems and data. Any of these systems could be compromised, allowing an attacker to use the system to hide his or her identity in order to launch more attacks.


System configuration vulnerabilities: Testing on FAA's MSSN revealed several critical and high-risk CVEs related to improper system configurations. An attacker could leverage these vulnerabilities to gain total control of the systems. Furthermore, the systems could be used to compromise other systems that depend on the same network management and configuration services.

Communication system weaknesses: The auditors identified a communication system at one location that does not require complex passwords and is no longer supported by the vendor. This lack of sufficiently complex passwords could lead to an unauthorized manipulation of the communication system, a total system shutdown, or falsification and impersonation of facility communications.
