FAA Air Traffic Control System Open to Hackers

Here’s some bad news for white-knuckle fliers: The US Government Accountability Office (GAO) has found that there are “significant security control weaknesses” in the nation’s aging air traffic control system.

Rep. Peter DeFazio, D-Ore, one of the lawmakers who requested the GAO report, said at a House Transportation subcommittee hearing that a breach by terrorists could lead to physical hijacking, evoking the horror of 9/11.

"We know there is an enduring interest in terrorist groups in aviation; they've used our aviation system as weapons,” he said. “One can imagine they might be interested in hacking the system and perhaps could facilitate a midair collision."

In that same hearing, FAA Administrator Michael Huerta said that the agency is implementing changes to boost cyber-safety and that "the system is safe.”

According to NPR, the GAO report nonetheless found that while the FAA is indeed making investments in the area, there are still issues when it comes to preventing hacker access. Specifically, it said that the FAA is incapable of adequately controlling, preventing, and detecting unauthorized access to computer resources; identifying and authenticating users; and encrypting sensitive data. Taken together, the FAA has "not fully established an integrated, organization-wide approach to managing information security risk that is aligned with its mission."

Huerta said that many of the problems identified by the GAO have been "remediated already,” and that the agency is working with a steering committee to address the rest of the GAO’s recommendations.

But ultimately, this is a lackluster response, said one security researcher. "The GAO said there are ‘security control weaknesses’ in the air traffic control system,” said Jonathan Sander, strategy and research officer for STEALTHbits Technologies, in an email. “The FAA says it’s responding with a steering committee for cybersecurity that will improve governance. The GAO knows that technology is always [at] risk, but seems to be pointing out that a lot more could be done to put in processes to oversee and control the people involved with the air traffic control system. The people in any system are always the biggest weakness. It’s people that click on emails brimming with malware. It’s people that have – and abuse – administrative and other privileged access. Control the people in the system and you have gone very far to having the most effective controls possible.”

What’s Hot on Infosecurity Magazine?