GAO: ATC soft for attackers
A recent report from the Government Accountability Office (GAO) asserts that certain FAA ATC systems are vulnerable to attack by “disgruntled current or former employees who are familiar with these (proprietary protection) features, nor will they keep out more sophisticated hackers.”
While noting that the FAA has made progress in implementing information security, the GAO stated that it had identified “significant security weaknesses that threaten the integrity, confidentiality and availability of the FAA’s systems–including weaknesses in controls that are designed to prevent, limit and detect access to these systems.”
The GAO also reported that in its view, other security controls such as physical access by individuals, background investigations, segregation of personnel duties and individuals’ knowledge of system changes also increased the risk that “unauthorized users could breach the FAA’s ATC systems, potentially disrupting aviation operations.”
The GAO’s main focus seemed to be on certain legacy systems the agency is still using as part of the nationwide Host ATC computer network. Many of the Host’s early programs were written in the now-obsolete Jovial computer language, causing one senior FAA official to comment that this could actually enhance National Airspace System security, since it would frustrate all but the most elderly of computer hackers.
The FAA points out that the GAO reviewed three air traffic systems of the more than 80 separate systems the agency runs, adding, “We don’t believe [that] is an adequate sample. We run a secure and reliable system, as evidenced by an operational reliability rate that is above 99.9 percent availability at all times.
“We’ll take the GAO’s recommendations under consideration and apply them where they’ll help us make a secure system even more secure. Nonetheless, we believe the GAO report…failed to take into account the several layers of redundant systems and special access that we have built into all of our systems’ architecture.”