[ISN] FAA air-traffic systems lack cyberprotections, GAO finds

InfoSec News isn at c4i.org
Tue Sep 27 02:10:15 EDT 2005

Forwarded from: William Knowles <wk at c4i.org>


By Rob Thormeyer 
GCN Staff

Air-traffic control systems operated by the Federal Aviation
Administration contain significant cybersecurity weaknesses and 
are vulnerable to attack, according to a recent report [1] from 
the Government Accountability Office.

In the report, GAO concluded that the agency has not completely
implemented information security programs that protect its systems
from cyberattack.

"FAA has made progress in implementing information security for its
air traffic control systems by establishing an agencywide information
security program and addressing many of its previously identified
security weaknesses; however, it still has significant weaknesses that
threaten the integrity, confidentiality and availability of its
systems - including weaknesses in controls that are designed to
prevent, limit and detect access to those systems," the report said.

FAA officials admit the weaknesses exist, but contend that because
parts of their systems are custom-built with older equipment,
special-purpose operating systems and proprietary communication
interfaces, chances for unauthorized access are limited, according to
the report.

"Nevertheless, the proprietary features of these systems do not
protect them from attack by disgruntled current or former employees
who understand these features, or from more sophisticated hackers,"  
the report added.

GAO recommended that the agency address the following weaknesses:  
outdated security plans, inadequate security awareness training,
inadequate system testing and evaluation programs, limited security
incident-detection capabilities and shortcomings in providing service
continuity for disruptions in operations.

In response, FAA officials said they will consider the recommendations, 
but also stated that the report is not indicative of the agency's
security systems.

Meanwhile, Rep. Tom Davis (R-Va.), who chairs the House Government
Reform Committee that asked for the report, said FAA must address the
recommendations. "Given the ever-evolving nature of cyberthreats and
the thought of someone with malicious intent accessing FAA's IT
systems, complacency is not an option," he said.

[1] http://www.gao.gov/new.items/d05712.pdf

"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
