Hackers Broke Into FAA Air Traffic Control Systems

PL/SQL Guy writes "Hackers have repeatedly broken into the air traffic control mission-support systems of the US Federal Aviation Administration, according to an Inspector General report sent to the FAA this week, and the FAA's increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said. Intrusion detection systems (IDS) are deployed at only 11 of hundreds of air traffic control facilities. In 2008, more than 870 cyber incident alerts were issued to the organization responsible for air traffic control operations and by the end of the year 17 percent (more than 150 incidents) had not been remediated, 'including critical incidents in which hackers may have taken over control' of operations computers, the report said."

Ineptitude

[s-whs]

increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said.

That's what's usally called ineptitude, but those FAA guys like to spin it round so someone else, or circumstances beyond their control, are the problem.

From what I've read about air-industry people in the US they are no different from in the Netherlands: People who almost invariable have a superiority complex and think they're doing tremendously important work while not having justify why they make so much noise, are so inept at sound calculations (dBA which is pointless for noise as related to annoyance, contrary to Sone for example), produce reports with incorrect units (upper and lower case wrong showing they don't have a proper education in elementary physics) etc.

Recently small aircraft were prohibited from flying near Schiphol. Reason was transponders are now in all of them, the LVNL (dutch airtraffic control) couldn't handle all those signals. A tremendous display of ineptitude again as they had plenty of time to prepare their systems (software), but being the sort of people they are, this is actually logical. Because they feel superior, they don't actually consider they might be doing things badly or need to change. In other words, despite them feeling they are superior, they are in fact amateurs...

You can find more on the web on this (in dutch).

Re:Ineptitude

[GooberToo]

That's what's usally called ineptitude, but those FAA guys like to spin it round so someone else, or circumstances beyond their control, are the problem.

Their not happy until your not happy! You can't blame them for living their moto.

In all seriousness, the FAA is in the middle of a huge political game right now, which is actually very complex to explain. They are working overtime trying to get out from under Congressional oversight. I wouldn't be surprised if they're looking the other way in an attempt to juice their lobbying. Obviously they can't secure things if their budget isn't drastically increased. And the only way they can do that is to be empowered to both raises taxes and collect them any means they see fit while endangering the skies for everyone. Basically everyone credible (both Rs and Ds) has stepped forward and stated the FAA's proposal is bad for everyone and they can't even make their current funding with their proposal. Only the FAA and *cough* the major carriers support the FAA's plan.

http://www.aopa.org/advocacy/articles/2008/081002faa.html
http://www.aopa.org/advocacy/articles/2009/090507trustfund.html

Do some searches. Its actually pretty scary. The FAA is working hard to become their own taxing authority, independent of Congressional oversight, while becoming buddy-buddy with the major carriers. Mmmmm....isn't that a good recipe for safety. And did I mention every year they are unable to account for millions even with oversight. Even worse, Obama is demanding legislation be put forward which supports this disastrous model. And worse yet, such legislation would be horrific to our economy; more accidents: fewer fliers; cost to fly, from drastically higher taxes, goes through the roof: less revenue at airports; less revenue at airports means fewer jobs; fewer jobs: loss of up to hundreds of millions to local economies (even loss of hundreds of thousands to millions at smaller airports) all over the country.

Missing Forest for the Trees?

[PK+Tech+Guy]

from the CNET article "Last year, hackers took control of FAA critical network servers and could have shut them down, which would have seriously disrupted the agency's mission-support network, the report said"

"However, Brown dismissed the notion that hackers could get access to critical air traffic control operational systems."

It's OK everybody, the hacker's have shut down the network but they havent gained any critical access.

Re:Question

Trust me, any NAS equipment doesn't remotely come close to the public network. This article is misleading as they are talking about websites that 'aid' in landing aircraft. Trust me, these websites don't land aircraft.

Re:I usually laud hacker hijinks

[pjt33]

Hacking into government computers is old hat. I'm more concerned that someone seems to have hacked /. and changed the front page to be an RSS feed.

I'm not suprised.

[fhage]

I worked as a engineer for NCAR, building and installing high-tech weather systems for the FAA (AWRP) for over a decade in the mid-90's-00's. I found the FAA leadership is filled with bunches of Republican partisan hacks who spent their time telling AL Gore Jokes in their technical meetings rather than getting things done. It literally takes them 10 or more years to get technology to their employees in the trenches. (officially). Because of upper mgt incompetence, the local level tech is a free-for-all, running in the closet. When I installed our sanctioned equipment in the Long Island FAA TRACON, I found a shift supervisor had brought his old PC in and got an AOL account so that the "super secure war room" could see what the weather was like outside as they managed 40% of the air traffic in the US. The FAA literally watches the weather channel with the sound off and competes with all the every day Joes for Nexrad images on accu weather. One of our (NCAR) systems under rigid performance evaluation at the FAA Technical Center (NJ) kept "hanging" several times per week, and we received poor evaluations and threats of funding cuts. I finally discovered that the reason for the failures was one of their staff had opened a shell terminal, ran Mosaic (remember that) and went porn surfing.(up our dedicated 64kbps line back to NCAR in Boulder and out through our .edu POP). The FAA has lots of ad-hoc systems installed everywhere. Can anyone say "Pass your USB key over here Bob - Ya gotta watch this". Maybe Obama's administration will clean the rot out of the FAA. I lost any hope many years ago.

Re:Question

[boaworm]

Why are critical systems not protected by a one inch air gap between the NIC and cable from remote exploit?

I'm honestly not sure. I work with ATC, although not in the US. The systems I have installed (Europe and Asia) have all been closed systems, there are very few physical connection between the servers and software working on radar- and flight data, and any equipment used to communicate externally.

Almost all communication is done via VCCS equipment (radio etc), so the controllers have screens with radar- and flight data, and separate screens and terminals for external data, such as flight plan processing terminals.

But since the US is large, and one authority is in charge of it all, I guess they saw the need for interconnectivity. Still, many things don't need to be interconnected anyway, and the networks are often easily fragmented so that the few systems being exposed to public networks are isolated from the important ones.