DOT Issues Vulnerability Report On The FAA’s ATC System
By Steve Hall
April 22, 2011 - The Department of Transportation's Office of the Secretary of Transportation, Office of Inspector General (OIG), issued a quality control review report on the vulnerability assessment of the Federal Aviation Administration's (FAA's) operational air traffic control (ATC) systems.
The review was conducted at the request of the current Chairmen of the House Transportation and Infrastructure Committee and its Subcommittee on Aviation.
The objective of the audit was to determine whether the ATC systems can be accessed by unauthorized users from inside ATC facilities through FAA's Mission Support System Network (MSSN), by assessing systems and networks at two FAA facilities.
Clifton Gunderson LLP, of Calverton, Maryland, completed the audit under contract to the OIG. OIG staff performed a quality control review of Clifton Gunderson's audit work to ensure that it complied with generally accepted government auditing standards. The OIG review disclosed no instances in which Clifton Gunderson failed to comply, in all material respects, with applicable auditing standards.
Clifton Gunderson concluded that unauthorized users were unable to gain access to FAA's operational ATC systems. However, they identified the following weaknesses at the Air Route Traffic Control Centers (ARTCCs): 1) information disclosure vulnerabilities; 2) inadequate system patch levels and unsupported operating systems; 3) improper network configurations; and 4) communication system vulnerabilities.
Information disclosure: during testing at one ARTCC, Clifton Gunderson identified an information disclosure vulnerability that allowed them to view, without using a password, hundreds of pages of sensitive technical information describing network configuration, gateways and other devices. This sensitive information may give a rogue employee or contractor sufficient understanding to identify and exploit weaknesses in the ATC security structure.
Patch management: testing of FAA's MSSN revealed several critical- and high-risk Common Vulnerabilities and Exposures (CVE) entries related to missing or outdated system patches, or to operating systems no longer supported by their vendors. System patch levels and operating systems that are not kept current not only may result in system unavailability, but may also create a risk that security holes are exploited to gain access to ATC systems and data. Any of these systems could be compromised, allowing an attacker to use the system to hide his or her identity while launching further attacks.
System configuration: testing of FAA's MSSN also revealed several critical- and high-risk CVEs related to improper system configurations. An attacker could leverage these vulnerabilities to gain total control of the affected systems. Furthermore, those systems could be used to compromise other systems that depend on the same network management and configuration services.
©AvStop Online Magazine