Hackers Broke Into FAA Air Traffic Control Systems

PL/SQL Guy writes "Hackers have repeatedly broken into the air traffic control mission-support systems of the US Federal Aviation Administration, according to an Inspector General report sent to the FAA this week, and the FAA's increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said. Intrusion detection systems (IDS) are deployed at only 11 of hundreds of air traffic control facilities. In 2008, more than 870 cyber incident alerts were issued to the organization responsible for air traffic control operations and by the end of the year 17 percent (more than 150 incidents) had not been remediated, 'including critical incidents in which hackers may have taken over control' of operations computers, the report said."

That was proposed.

[Ungrounded+Lightning]

Glad they don't have commercial planes with complete remote control. Or do they?

That was proposed after 9/11 as a solution to hijacked planes. Remote control devices that could take over a hijacked plane, remotely, locking out control by those on board and allowing it to be landed safely. Remote devices strategically located at all major commercial airports - or at least those near high-value targets (which is pretty much all of 'em).

When the trial balloon went up it was soon pointed out that, with such a system, hijackers could use it to hijack the planes without even being on board. And the tech would be distributed to many locations (worldwide) from which it could be stolen.

Haven't heard much about it since. B-) Of course that means that it will fall off the mental horizon for decision makers and they might decide to do it after all. B-(

Re:Someone call Jack Bauer

[PolygamousRanchKid+]

Sorry, Jack is in the slammer, for head butting some dude "to protect Brooke Shields' honor," or something like that: http://edition.cnn.com/2009/SHOWBIZ/TV/05/07/sutherland.charged/index.html

Truly bizarre . . . an impromptu alcohol fueled celebrity involuntary nose job.

Event counts for IDS are mostly useless..

[haus]

Anyone who has worked with IDS/IPS systems will realize that unless very carefully managed you will have a large number of events that amount to nothing, even some with some very scary sounding titles.

I am actually surprised to see the count levels so low, even for systems that are believed to be somewhat out of the way.

ATC is not actually a single system within the FAA this function is broken up over several different systems, each with their own silo of responsibility. My understanding from talking with traffic controllers is that the systems are not a requirement for controlling traffic. If the systems are down, or are believed to be unreliable the controllers will simply continue with a more conservative approach, although this can have the effect of gumming up the works as everyone is slowed down and larger gaps are used.

Real danger would be if information was off in some subtle way that was not detected, but as soon as it was determined that something was wrong, the system in question would be taken out of the work flow and further issues with it would not matter.

Crafting such a problem would take not only the IT info to gain access to the system, but at least some level of ATC understanding on how to alter a situation without tipping your hand. While far from impossible, it is not what I would suspect would be a common skill set.

Re:Missing Forest for the Trees?

[haus]

Air traffic controllers are quick to tell you that they do not care about the ATC system that sit in front of them.

If they are unreliable, or go down, they will continue to perform their job, by slowing everyone down, increasing the gaps, limiting the number of new plans onto the grid.

It gums up the works a bit, but everyone gets to walk away.