A security audit of the Federal Aviation Administration's computer infrastructure has concluded

May 8, 2009 10:05 GMT

The Office of Inspector General (OIG) has released a report (PDF) on its review of Web application security and intrusion detection in Air Traffic Control (ATC) systems operated by the Federal Aviation Administration (FAA). Government-contracted penetration testers successfully hacked into several critical systems and, in the process, identified over 200 high-risk vulnerabilities in Internet-facing Web applications used by the FAA.

"We tested 70 Web applications, some of which are used to disseminate information to the public over the Internet, such as communications frequencies for pilots and controllers; others are used internally within FAA to support eight ATC systems," the report notes. More specifically, specialists from Washington-based professional audit company KPMG have identified 212 high-risk vulnerabilities in 35 publicly accessible Web applications and 551 similar flaws in another 35 internally used applications.

By exploiting the identified vulnerabilities, KPMG and OIG staff gained unauthorized access to sensitive data located on computers associated with the Traffic Flow Management Infrastructure System, the Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower. Furthermore, the Power Monitoring System at en route centers located in Anchorage, Boston, Denver, Oakland, Salt Lake City, and Seattle has also been compromised.

Auditors have concluded that computers used by FAA staff can also be infected with malicious programs through an attack that uses one of these vulnerable Web applications as a point of entry. The multiple cyber-attacks that the FAA has sustained in recent years are a testament to these security oversights.

A 2008 incident where hackers compromised FAA computers in Alaska, then moved deeper into the network, eventually hijacking its domain controller for the Western Pacific Region, is mentioned in the report. The 2009 FAA data breach incident, which resulted in the compromise of personal information belonging to 48,000 current and former employees, was also given as an example.

The Office of Inspector General has also analyzed how intrusion-detection systems were implemented across the network, only to discover more problems. The FAA relies on the Department of Transportation's Cyber Security Management Center (CSMC) to deploy such sensors and monitor them; however, only 11 were found at a total of 734 facilities. Furthermore, all 11 deployed IDS sensors were installed on the mission-support network and not on the more critical air traffic control one.

As a result, OIG has made several recommendations, all accepted by the FAA. They include, but are not limited to, ensuring that Web applications are properly configured, strengthening the clearly ineffective patch-management process, immediately correcting the vulnerabilities identified during the audit, and better coordinating with CSMC in order to appropriately deploy IDS sensors.