Hackers Broke Into FAA Air Traffic Control Systems

PL/SQL Guy writes "Hackers have repeatedly broken into the air traffic control mission-support systems of the US Federal Aviation Administration, according to an Inspector General report sent to the FAA this week, and the FAA's increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said. Intrusion detection systems (IDS) are deployed at only 11 of hundreds of air traffic control facilities. In 2008, more than 870 cyber incident alerts were issued to the organization responsible for air traffic control operations and by the end of the year 17 percent (more than 150 incidents) had not been remediated, 'including critical incidents in which hackers may have taken over control' of operations computers, the report said."

Then use IPv6.

[jd]

It's non-proprietary, the applications should work just fine, but most skript-kiddies don't have any idea on how to set up the necessary tunnels. It's also designed from the start to be secure, IPv4 has had all security back-ported in.

Also, use Active IDS, not passive. It's no good telling the operators that the last three planes crashed into a mountain because a system cracker decided it would be fun to use the radar computer for a game of Netrek. You're much better off by detecting the intrusions in real-time and countering them right then. Particularly if actual mission-critical systems are being broken into.

Third, Stop Using Windows! Gaah! The chances are that the software can be modded to work under Linux or OpenBSD just fine.

Re:Then use IPv6.

[raddan]

Air traffic control systems should not be connected to the Internet. Period. Use of IPv4 as a messaging system in that case should be fine-- because all that address space will be private.

I love OpenBSD. We use it everywhere at work. But our computers do not control airplanes. A general-purpose OS is appropriate in the kind of environment where you have hard real-time limits and where bounds-checking errors have the potential to kill lots of people. This is a case where rolling-your-own is actually a good idea, and worth the money.

If you're trying to decide what kind of IDS to put on your air-traffic-control net, you need to back up and undo some of your decisions.

I usually laud hacker hijinks

[Taibhsear]

As it tends to enlighten people to the necessity of better computer security... but when it involves things like airport control towers and hospital equipment and files it is totally not cool.

Re:Question

[Rich0]

I believe in defense in depth. Even though the guards inside the castle may be trained to password challenge everybody walking around and check coats of arms, it never hurts to raise the drawbridge when there isn't anybody using it and there is a besieging army.

Sure, have firewalls all over the place, but any route into and out of the network itself needs to be HIGHLY secure. NOTHING goes IN or even OUT without a reason. Nothing wrong with the airport having a flight status board, but you have the ATC central database polled by some central server which generates an xml digest of the important info and have it dump that data across a serial line (transmit only) to another server which then puts it onto a webserver which the airports can parse. Flight plan requests come into some intermediate server on the internet (but well secured). That server validates the requests and sends xml files to some intermediate server (perhaps over serial) which otherwise isn't on any network. That server re-validates the input and then makes it available to a more trusted server that then does the application logic.

Of course the internal network has a firewall at every WAN connection that only passes the minumum defined data to make the system work. That still doesn't mean that you shouldn't keep the actual traffic on the mission critical network down to the minumum necessary. There shouldn't be a single packet on that ATC network that doesn't originate from an FAA-validated piece of software. Any connection to the outside should be sanitized, and they should be few in number.

This isn't about being smarter than the hackers - it is about being thorough and having a fully specified architecture.

"The Good Ole Days"

[erroneus]

Being a programmer meant you could make a lot of money, not because you could make something that could be sold, but because you make programs that were useful for a purpose. Bill Gates and people like him turned computing into a software industry and this is more or less the result of that.

There was nothing "wrong" with systems maintained by professional programming teams and for those people to work at the same job for their entire lives earning a good wage. "Industry" has not only weakened systems everywhere with their homogenous nature, but cheapened the industry and lowered wages for everyone in the profession.

Re:"The Good Ole Days"

[phantomfive]

You can still make a lot of money. $80k for a programmer is pretty normal, and if you manage to specialize in something you can easily swing a six digit salary.

If you want to look at it a different way, look at starting salaries for college graduates. Computer Science graduates on average make $49,000 right out of college. This is compared to English majors who make $31,000 right out of college, or psychology majors who make $28,000 right out of college. Ouch. Keep in mind that the per capita GDP in the US is $47,000.

So I'm not sure where you're getting the idea that programmers don't make a lot of money, and I'm also not sure why you see the software industry as a problem. I have benefited greatly from it, and use software from that industry nearly every day.

On the other hand if you're thinking about job security, yeah, software is the wrong industry. The best job security as a programmer is developing the ability to find a new job quickly.

Comment removed

[account_deleted]

Comment removed based on user account deletion