Slashdot Mirror


US Air Traffic Control System Is Riddled With Vulnerabilities

An anonymous reader writes: A recently released report (PDF) by the U.S. Government Accountability Office has revealed that despite some improvements, the Federal Aviation Administration (FAA) still needs to quash significant security control weaknesses that threaten the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). The report found that while the "FAA established policies and procedures for controlling access to NAS systems and for configuring its systems securely, and it implemented firewalls and other boundary protection controls to protect the operational NAS environment [...] a significant number of weaknesses remain in the technical controls—including access controls, change controls, and patch management—that protect the confidentiality, integrity, and availability of its air traffic control systems."

60 comments

  1. Ya Think? by AltGrendel · · Score: 1, Funny

    C'mon now.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:Ya Think? by digsbo · · Score: 3, Informative

      The FAA is one of a very few government agencies that takes its job seriously and focuses on quality. Honestly I hate government, but the FAA has been effective in promoting safety from the mechanical/traffic perspective. I'd trust them to take IT systems security seriously and delegate the work to competent engineers. Almost can't believe I'm saying this, but it would seem they have good workers.

    2. Re:Ya Think? by pete6677 · · Score: 3, Insightful

      Is this why the entire nation's ATC system limped along at a severely reduced capacity when a single Chicago facility was taken offline for 3 weeks due to a single contractor cutting a few cables?

    3. Re:Ya Think? by bobbied · · Score: 1

      A few cables? It was a LOT of cables actually and didn't he set a fire too? Also, didn't everybody get on the ground safely? I think they did their job...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101

    4. Re:Ya Think? by sumdumass · · Score: 2

      Or when several airports were completely shut down because of a buggy Windows update?

      However, I'm not sure the lack of redundancy and failsafes for a specific function is a security issue. I do agree with the question being asked though.

    5. Re:Ya Think? by Lumpy · · Score: 1

      When they don't have the money they need, they can't do squat. The entire ATC system has been underfunded even before the Reagan years.

      --
      Do not look at laser with remaining good eye.

    6. Re:Ya Think? by pete6677 · · Score: 3, Insightful

      Getting everyone on the ground safely is the pilots' job. Keeping planes in the air safely is ATC's job.

    7. Re:Ya Think? by sabri · · Score: 3, Informative

      Getting everyone on the ground safely is the pilots' job. Keeping planes in the air safely is ATC's job.

      Nope. Once an aircraft is moving on the ground under its own power, the flight has started and the pilot in command has the ultimate responsibility and authority over the safety of the flight. A pilot in command can deviate from any rule, clearance or law to the extent necessary to ensure the safety of the flight.

      --
      I'm not a complete idiot... Some parts are missing.

    8. Re:Ya Think? by nonsecurity · · Score: 1

      Sabri, your information is for general aviation flights operating under Part 91. For air carrier flights, that ultimate responsibility is shared between the pilot and the operator company. Safety, in particular separation of aircraft in the appropriate airspace is also a joint responsibility, that includes the air traffic control service provider.

    9. Re:Ya Think? by Anonymous Coward · · Score: 0

      Yeah, yeah, yeah. 14 CFR 91.3. Going by your logic, ATC has no job. Obviously, ATC's job is to safely operate the National Airspace System. 91.3 isn't going to get an airliner into a busy terminal through a layer of weather. When a pilot observes a conflict between an ATC clearance or regulation and the safety of flight, however, the pilot has the authority to deviate.

    10. Re:Ya Think? by sabri · · Score: 1

      Yeah, yeah, yeah. 14 CFR 91.3. Going by your logic, ATC has no job. Obviously, ATC's job is to safely operate the National Airspace System. 91.3 isn't going to get an airliner into a busy terminal through a layer of weather. When a pilot observes a conflict between an ATC clearance or regulation and the safety of flight, however, the pilot has the authority to deviate.

      I don't think you get the idea behind 14 CFR 91.3.

      Pilot makes mistake, pilot dies. Controller makes mistake, pilot dies. Pilot is the ultimate authority and thus has the ultimate responsibility over any flight. But he'll gladly take any help he can get.

      I'm a big fan of ATC. I like flying in Bravo airspace. I like flight following when in Echo airspace. It helps me stay safe. But in the end, when I'm flying, I am flying.

      --
      I'm not a complete idiot... Some parts are missing.

    11. Re:Ya Think? by Anonymous Coward · · Score: 0

      I think that it is partially that and partially due to the just in time arrival of planes that everyone has more or less pushed the airlines to do because of costs. If the plane that is scheduled to take you from here to there is stuck somewhere else, you have a problem. There are few to no excess planes available if one has problems or is stuck due to whatever.

    12. Re:Ya Think? by Anonymous Coward · · Score: 0

      And yet as someone who's had a little experience with the industry from the ATC side; no, you're wrong.

      These systems are built on multimillion dollar contracts by people who have very good salesmen, barely acceptable delivery, and no security focus at all. Years later you might find the thing is running without constant fire-fighting, but the security is always lagging, always.

    13. Re:Ya Think? by Anonymous Coward · · Score: 0

      No, sorry, I do get the idea behind 91.3 and you misread what the OP said...

      "Getting everyone on the ground safely is the pilots' job." => the pilot is responsible for the safety of the aircraft.
      "Keeping planes in the air safely is ATC's job." => ATC manages the larger safety picture.

      You're just trying to impress everyone with your knowledge by pulling a regulation out of your hat.

      Yes, under Part 91 the pilot is the final authority on the safety of that aircraft [91.3(a)] and can deviate from a clearance or Part 91 rule in an emergency [91.3(b)]. Neither of those precludes ATC from having any responsibility for the safety of aircraft in the air and neither of those means ATC has zero authority over your flight.

      You actually need a damned compelling reason to exercise 91.3(b), which is why 91.3(c) exists. If you have been denied access to Class B / C / D (yep, they can deny you access), your engine quits, and you go gliding into the primary when you could have easily glided to a perfectly good airport, even a nice soft grassy field, outside the Class B for no reason other than you thought you could do whatever you want under 91.3(b)...you're fucked. In fact, even if that was the only reasonable option (other runway was too short, covered in clouds, mountainous terrain with no fields, whatever), you still better hope to hell no one can ever possibly blame you for the engine failure. You cannot exercise 91.3(b) if the emergency is your fault. If you forgot to switch tanks, cannot show that you were properly performing maintenance (like changing the oil), the FBO where you rented the airplane didn't do a 100 hour, whatever...you're fucked.

    14. Re:Ya Think? by Anonymous Coward · · Score: 0

      As someone from another country, what I don't understand is - wouldn't your National Security Agency (NSA) be a good partner / advisor for other government groups on these types of issues?

    15. Re:Ya Think? by sabri · · Score: 1

      You're just trying to impress everyone with your knowledge by pulling a regulation out of your hat.

      Yes, this actually got me laid last night. Ain't that cool?

      You actually need a damned compelling reason to exercise 91.3(b), which is why 91.3(c) exists. If you have been denied access to Class B / C / D (yep, they can deny you access), your engine quits, and you go gliding into the primary when you could have easily glided to a perfectly good airport, even a nice soft grassy field, outside the Class B for no reason other than you thought you could do whatever you want under 91.3(b)...you're fucked. In fact, even if that was the only reasonable option (other runway was too short, covered in clouds, mountainous terrain with no fields, whatever), you still better hope to hell no one can ever possibly blame you for the engine failure.

      It's not that black and white. First of all, once I utter the words "I declare an emergency", or just squawk 7700, not a single controller will deny me class B clearance. They're trained to deal with the emergency first, handle the rest later.

      Second, if I mess up in flight, that does not mean I deserve a death sentence by ATC denying me the best possible option to get out of my emergency. A very good example of this would be a VFR pilot flying into IMC. It is his own fault for getting in that situation, but ATC will do their best to help him out.

      Yes, you may need to explain yourself to the FAA. But I'd rather be in the hot seat in front of the FAA than have my wife and kids say their last farewells.

      You cannot exercise 91.3(b) if the emergency is your fault. If you forgot to switch tanks, cannot show that you were properly performing maintenance (like changing the oil), the FBO where you rented the airplane didn't do a 100 hour, whatever...you're fucked.

      Total utter bullshit. You can exercise 91.3(b) at any time if the safety of the flight requires you to do so. Feel free to cite the rule that provides an exception for self-induced emergencies.

      That does not say that you can do whatever the fuck you want. It means that the accountability comes afterwards, in the sense of "we have a number for you to call", once you're safely on the ground.

      --
      I'm not a complete idiot... Some parts are missing.

    16. Re:Ya Think? by Zeek40 · · Score: 1

      Over 10 miles of cable needed to be replaced, and yes there was a fire. 18 server racks full of equipment needed to be replaced as well. The fire actually only damaged about 1/4 of the hardware mounted there, but the fire hoses took care of everything the fire didn't.

    17. Re:Ya Think? by digsbo · · Score: 1

      I doubt it. The NSA not sharing information with other bureaucracies was part of the reason they created the ineffective bureaucracy known as DHS. Nobody really knows *what* NSA does. CIA: Cause problems in foreign countries to pretext for war. ATF: Escalate conflicts with idiots and get innocents killed in shootouts and fires. FBI: Mostly legitimate law enforcement, with entrapment of idiots in "terror" stings. NSA: No idea.

  2. Oh Goody! by ArhcAngel · · Score: 1

    I like riddles.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K

  3. That Die Hard movie is looking pretty accurate now by Anonymous Coward · · Score: 0

    Turns out you can blow up the country from a single terminal.

  4. The obvious solution by Anonymous Coward · · Score: 0

    The most obvious solution applies here and to a host of other areas where security is paramount. Don't run on a system that every hacker and unfriendly group on the planet can access. Create totally free-standing nets running on their own fiber-optics. It may cost more, but it's far cheaper than the alternative.

    1. Re:The obvious solution by grimmjeeper · · Score: 1

      And you can guarantee that that fiber can't be tapped between the end points? Just because a network is isolated from the Internet doesn't mean it's completely secure.

    2. Re: The obvious solution by Anonymous Coward · · Score: 0

      This is why there haven't been issues. The article and summary fail to mention that the FAA runs on a completely private network and there is no outside access through the Internet, in or out. Of course it is hard to keep software up to date. That is by design.

    3. Re:The obvious solution by bobbied · · Score: 1

      And for the most part, this is what the FAA does, or historically has done. Only recently they have started to phase out the 40 year old system that pre-dated the internet and move to IP based communications.

      Also, I don't agree with your approach of just stringing up your own infrastructure for communications. IP networks can be built with LOTS of redundancy and using a couple of internet connections and routing your traffic over them can add huge redundancy gains with low cost. I think the FAA needs an "all of the above" solution, where it provides secure and redundant communications over as many different paths as they can. Nail up direct links, backup links over the internet, throw some satellites up with data link capacity, and even use direct RF links. Just don't depend on any ONE link for mission critical communications... Of course all these links need to be secure, but there are secure ways to tunnel through public channels, you just have to use them.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101

    4. Re:The obvious solution by hey! · · Score: 1

      I really don't see that as the most vulnerable point. Not by a long shot. Tapping a digital fiber link wouldn't be like US submarines tapping Soviet analog telephone cables. The data on the link can be encrypted and authenticated at either end such that it's not really practical to modify or impersonate without the kind of assets in the organization that would make an inside job a lot simpler.

      The real problem is human factors. Air-gapping sensitive systems is a sound idea in principle but in practice it often fails because it's too cumbersome for users who then undermine the system. And Stuxnet showed that it's possible for a sufficiently advanced opponent to target systems on the far side of an air gap.

      So the problem is with the notion that separate parallel systems separated from the outside world are a "simple" solution. They're a potential solution, but if you want to have confidence in that solution there's a lot of work analyzing and policing the behavior of the people who use, maintain, and produce the equipment.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.

    5. Re:The obvious solution by grimmjeeper · · Score: 1

      To take that a step further, attacking the people who have direct access to the network is harder. Instead, targeting the companies that supply the equipment is an easier vector. I may be wrong (and please correct me if I am) but wasn't Stuxnet infiltrated at the supplier of the computer equipment rather than by a successful compromising of an individual working directly on the system?

    6. Re:The obvious solution by Phreakiture · · Score: 1

      And you can guarantee that that fiber can't be tapped between the end points? Just because a network is isolated from the Internet doesn't mean it's completely secure.

      It won't be necessary to tap the fiber. Some moron will plug their smartphone in to their computer to charge it and that will be the end of the airgap.

      --
      www.wavefront-av.com

    7. Re:The obvious solution by hey! · · Score: 1

      How it was initially deployed is known only to its makers, but Stuxnet was designed to enter an isolated facility on a USB drive. Once on the LAN it would propagate to other computers, and potentially to other networks via an infected laptop, which is how it ended up on the Internet.

      You can use your imagination as to how they got the USB into the target facility. It might have been as simple as dropping the USB stick in the parking lot of a vendor, but given the resources needed to create the worm itself you can't rule out some kind of black bag job or human asset.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.

    8. Re:The obvious solution by grimmjeeper · · Score: 1

      That's the trouble with very successful attacks that end up having unanticipated consequences. They leave behind enough evidence that the attack vector is now known and steps are taken to reduce vulnerability (to varying degrees of success). It works the first time but often not ever again, or at least not until people forget about it and get sloppy again.

  5. I respect the FAA by sjbe · · Score: 4, Interesting

    The FAA is one of a very few government agencies that takes its job seriously and focuses on quality.

    They're better than that. Surgeons in operating rooms are cribbing from the FAA for techniques and procedures to improve patient safety. The safety record of the airline industry is quite remarkable and the FAA deserves a huge amount of the credit for that achievement. I've worked as a quality engineer and whatever their other flaws might be, the FAA groks quality and safety as well as any organization I've ever seen.

    I'd trust them to take IT systems security seriously and delegate the work to competent engineers.

    As would I. The only thing I really worry about with the FAA is in keeping Congress from meddling with them too much. They are in my opinion one of the best run agencies in our government. That's not to say they don't have their flaws but on the big picture stuff, especially safety, they do a pretty good job overall even when they don't have all the resources they might.

    Almost can't believe I'm saying this, but it would seem they have good workers.

    Why should it shock you? We have many people in our government who are remarkably competent. I'd be happy to introduce you to some that I know personally. The FAA does not only have good workers but they have a safety first framework and have built a culture and procedures to support that. They also have the advantage of not being a political football for Congress to fight over. A good worker can be put into a system that doesn't work and chances are they will fail. Safety and reliability are NOT about competent people working hard. Those are important things but they will not get the job done unless you also have an organizational framework that supports them properly. The FAA has oversight over the entire process from certifying the airplanes before they even get built, to overseeing the ongoing maintenance and supply, to being able to force private companies to be grounded if they don't do what they are supposed to do when they are supposed to do it. They are able to get into all the corners of the industry that affect safety and they largely do a good job of ensuring that things are done properly like a regulator is supposed to.

    1. Re:I respect the FAA by Anonymous Coward · · Score: 0

      The only thing I really worry about with the FAA is in keeping Congress from meddling with them too much.

      One of those interesting oddities about the United States is that the same Congresscritters that rail against the government running anything also rail against privatizing the FAA or implementing user fees...IF they are also pilots. They maintain the cognitive dissonance in their minds that the government can't do anything right, but the FAA is actually pretty damned good.

      As a result, while most other countries with universal healthcare have privatized air traffic control systems, we have the opposite.

      Kind of funny.

    2. Re:I respect the FAA by Anonymous Coward · · Score: 0

      Surgeons in operating rooms are cribbing from the FAA for techniques and procedures to improve patient safety.

      80 years after Boeing figured out that complex tasks are made more safe and reliable with checklists, hospitals are finally catching on and forcing them on doctors.

    3. Re:I respect the FAA by Anonymous Coward · · Score: 0

      I'm the doctor here! I'm going to cut this patient open, take out the tumor and sew them back up in any damn order I please!

    4. Re:I respect the FAA by Anonymous Coward · · Score: 0

      You've got to be kidding me. Nearly every instructor I've ever had offers different stories about the FAA. The word is very simple: if you ever run into someone who says, "Hi, I'm with the FAA and I'm here to help", you run. Run for your life and don't look back.

      Hasn't anyone noticed the steady decline in the number of licensed pilots over the last decade? It's because the FAA makes it nearly impossible, and therefore unrealistically expensive, to get and keep your private license, instrument rating, and all the type certifications which must be obtained separately for damn near any plane you want to fly.

      On the surface, nobody will disagree with you about how important safety is to aviation. However, if you piss off the wrong FAA guy and he decides to ride you like a pony, you will go broke and enter bankruptcy trying to comply with the specific and individual demands he makes in the name of safety regarding your plane, or you will stop participating in aviation altogether. Remember, if you stand on the ground and never fly again, you are helping to prove what a great job the FAA does making our skies safe. Further, it turns out the only way to make the skies perfectly safe is preventing us from flying at all. The FAA demonstrates as often as it can that it's OK with this approach to the safety issue.

      Part of the FAA's mandate is safety, but the other part is to promote aviation. When they make it extremely difficult or impossible to get started in aviation and keep flying, they are clearly failing at half of their mandate. When they raise the standards for safety so high that pilots and airlines go broke as super expensive FAA certified mechanics throw away perfectly good parts from their planes, the FAA is clearly failing again. Bleeding the industry and GA pilots dry (a.k.a. destroying aviation en masse) is not the way to promote aviation or keep it safe.

      The FAA is the government's weapon of mass destruction that causes ongoing devastation to all of aviation, and excellent proof that we do not live in a free country.

    5. Re:I respect the FAA by k6mfw · · Score: 1

      The FAA is the government's weapon of mass destruction that causes ongoing devastation to all of aviation, and excellent proof that we do not live in a free country.

      I'd also put blame on TSA that makes boarding airlines miserable and they want to expand "security" into GA. Then you have local governments and officials trying to close down GA airports. Lots of examples of elected officials that tried to close Reid Hillview and Santa Monica along with huge following of general public ("why did they put that airport next to a shopping center?"). And there is big business itself expanding into open areas around airports squeezing out the private pilot. And consolidation of airlines of one company buying out others then nickel and diming over baggage, meals, etc. Note that GA and airline travel are two different classes of aviation. In some cases airline travel is expanding but overall GA is going down (I do wonder where future airline pilots will come from, as many got their start hanging out at GA airports which nowadays authorities will look at such lurkers as terrorists).

      --
      mfwright@batnet.com

    6. Re:I respect the FAA by Anonymous Coward · · Score: 0

      Nearly every instructor I've ever had offers different stories about the FAA. The word is very simple: if you ever run into someone who says, "Hi, I'm with the FAA and I'm here to help", you run. Run for your life and don't look back.

      Which is a tired joke about every government agency and sufficiently large private organization. By the way, aside from stories from instructors, a group that tends to bitch about everything (and I'm one), do you have any specifics on how horrible the FAA is?

      Yes, they are really hard on people denied medical certificates, but they are also attempting to eliminate Class III medical certificates to bring Private Pilots in line with Recreational Pilots...a whole certificate level they created along with the Light-Sport certification to make flying cheaper and easier to get into.

      On the surface, nobody will disagree with you about how important safety is to aviation. However, if you piss off the wrong FAA guy and he decides to ride you like a pony, you will go broke and enter bankruptcy trying to comply with the specific and individual demands he makes in the name of safety regarding your plane, or you will stop participating in aviation altogether. Remember, if you stand on the ground and never fly again, you are helping to prove what a great job the FAA does making our skies safe. Further, it turns out the only way to make the skies perfectly safe is preventing us from flying at all. The FAA demonstrates as often as it can that it's OK with this approach to the safety issue.

      Really, now? That's interesting. Aside from anecdotal stories that come from people that are less than unbiased in their perception of what transpired, do you have, say, a record showing a pattern of abusive behavior during ramp checks or wherever this is supposedly happening? Maybe you should get with ProPublica and have them investigate it.

      I guess you also don't subscribe to any FAASTeam publications, participate in any WINGS programs, know what NASA ASRS is, or have any involvement at all with FAA Safety. Your description is clearly not their approach to safety.

      Part of the FAA's mandate is safety, but the other part is to promote aviation. When they make it extremely difficult or impossible to get started in aviation and keep flying, they are clearly failing at half of their mandate. When they raise the standards for safety so high that pilots and airlines go broke as super expensive FAA certified mechanics throw away perfectly good parts from their planes, the FAA is clearly failing again. Bleeding the industry and GA pilots dry (a.k.a. destroying aviation en masse) is not the way to promote aviation or keep it safe.

      You must have missed the part where they have been making it progressively easier and cheaper to get into aviation with the Sport and Recreational licenses. The currency rules for Private Pilots haven't changed in forever, so I don't know why you think it is harder to stay current. I don't know what mechanics are throwing "perfectly good" parts out of airplanes or how that is in any way the FAA's fault. Maybe you just have pilot friends that need a better mechanic. Or, maybe you are angry about the ADS-B mandate?

      I will grant they just made ATP harder. But, I would argue the FAA was caving to pressure from Congress and families of the Colgan Air 3407 deceased more than anything.

    7. Re:I respect the FAA by sjbe · · Score: 1

      You've got to be kidding me. Nearly every instructor I've ever had offers different stories about the FAA.

      So because a bunch of flight instructors don't like dealing with the FAA the organization isn't effective at ensuring airline safety? You can tell stories about stupid things that happen in ANY organization and the FAA is no different. Yeah, not everything the FAA does is perfect - news at 11. Of course the aviation industry has achieved a ridiculously impressive safety record and the FAA has been a huge part of that. Coincidence? Not remotely. Just because an organization does some silly stuff doesn't negate their actual accomplishments.

      Hasn't anyone noticed the steady decline [airfactsjournal.com] in the number [haywardairportnoise.org] of licensed pilots over the last decade?

      For general aviation sure. It's expensive, time consuming, and causes your insurance rates to go through the roof if you are a general aviation pilot. Owning and maintaining a plane is not a cheap hobby.

      If you are a pro the pay for a newbie pilot is ridiculously low and that has nothing at all to do with the FAA. That's simply due to the fact that there is an excess supply of pilots so wages get pushed down. I have a cousin who became an airline pilot. Spent a ton of money getting trained and was making all of about $30K/year in salary to drive the bus in the sky. Gee, wonder why people wouldn't want to become a pilot if the wages are shit and the hours are long.

      However, if you piss off the wrong FAA guy and he decides to ride you like a pony, you will go broke and enter bankruptcy trying to comply with the specific and individual demands he makes in the name of safety regarding your plane, or you will stop participating in aviation altogether.

      So don't piss him off.

      When they raise the standards for safety so high that pilots and airlines go broke as super expensive FAA certified mechanics throw away perfectly good parts from their planes, the FAA is clearly failing again.

      Just because a part is functional and not yet broken does not mean it is inappropriate to take it out of service. I'm sure you can find examples of something silly done by some FAA employee but the fact remains that without them the safety record of the aviation industry would not be anywhere close to what it is today.

      Oh and the airlines industry right now is reporting record profits. Airlines going broke? Only the badly run ones. They've finally figured out that having excess capacity is economically stupid and they've started charging ticket and other fees that are high enough to actually generate a profit. What a concept...

  6. Might make sense to switch from the green screen.. by Anonymous Coward · · Score: 0

    Might make sense to switch from the green screen to something that is less than 30 years old...

  7. News from the 1990's..... by Lumpy · · Score: 1

    Almost everyone that has seen the systems in place has known this for over 2 decades.

    It's a mess, an unholy mess that they really need to dump a couple billion into to do a full upgrade and redesign. The whole ATC system is a giant ball of bandaids.

    --
    Do not look at laser with remaining good eye.

    1. Re:News from the 1990's..... by Overzeetop · · Score: 2

      Given the results of the government's most recent attempt to build a working website, I'm not sure a complete system could be built for any price.

      --
      Is it just my observation, or are there way too many stupid people in the world?

    2. Re:News from the 1990's..... by Anonymous Coward · · Score: 0

      Actually, this is only partially true. The NAS has made significant steps forward, and has invested a lot of money to replace/upgrade its main two traffic control systems. In addition, the FAA is also slowly rolling out fundamental changes to industry. I should know, I'm one of the guys who helps design the NAS. The complexity of this system is staggering at times. Every aspect has to consider safety, security, capacity, and human interaction factors. Air Traffic controllers have to be able to support in-flight pilots navigating very different environments (Taxi, Approach, En Route, VFR, IFR, etc).

      Just read the report, as far as GAO reports go, this isn't too bad at all. Congrats FAA!

  8. You don't see the problem by Anonymous Coward · · Score: 0

    It was a LOT of cables actually and didn't he set a fire too?

    Yep, one facility is all it takes to hamper the US airspace - and there's an argument on how many cables were cut at one facility?

    1. Re:You don't see the problem by Anonymous Coward · · Score: 1

      That "one" facility controls traffic through one of the largest hub cities in the country. For some of the major airlines, if you can't connect through Chicago, you can't get to about 75% of the rest of the country. So, yeah, there's an argument about that...you dolt.

    2. Re:You don't see the problem by k6mfw · · Score: 1

      That "one" facility controls traffic through one of the largest hub cities in the country. For some of the major airlines, if you can't connect through Chicago, you can't get to about 75% of the rest of the country. So, yeah, there's an argument about that...you dolt.

      Put fault on the airline, not FAA.

      --
      mfwright@batnet.com
  9. The sky is blue and water is wet..... by DougOtto · · Score: 1

    I wonder how much that study cost.

    --
    Solving Unix problems since 1989...
  10. Re:That Die Hard movie is looking pretty accurate by bobbied · · Score: 1

    Perhaps, but the FAA did actually manage to control physical access to that terminal fairly well.

    All in all, my quick skim through the report tells me that where the FAA does have issues with security (mostly with network security, management of users and patches) they don't do that badly given their large size. They have similar problems to just about everybody else that has systems of similar complexity and by my estimation do better than average on just about all aspects of security. Given the "mission critical" nature of what these systems do and how complex the total system is, things need to be better, but IMHO they are doing a bang up job now keeping aircraft from bouncing off each other in the sky.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  11. The bigger issue... by MagickalMyst · · Score: 2

    is dealing with the malfeasance regarding 9/11.

    Sure, these technical issues are very important and need to be addressed.

    But all of these issues are moot if the diabolical, elite villains are still in power.

    Even if the systems were patched and secure, they could still let another 9/11 happen if they choose to.

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
    1. Re:The bigger issue... by Obfuscant · · Score: 1

      Even if the systems were patched and secure, they could still let another 9/11 happen if they choose to.

      This is insightful? The FAA has no ability to stop another 9/11. They can't reach out from their radar facilities and stop a nut in a plane from flying into a building. They can issue instructions, but have no way of forcing them to be followed. The controllers who had the flights of 9/11 on radar didn't "let" it happen, they watched it unfold without a way of stopping it.

      What DOES happen now is that anything that is deviating in a significant way from ATC instructions is handed to the Air Force for an intercept mission. The Air Force has the authority to shoot down threats, and they practice this mission on a regular basis. But actually doing that means shooting down a planeload of mostly innocent civilians -- an act that cannot be taken lightly.

  12. But you haven't told us what NextGen does by Anonymous Coward · · Score: 0

    http://www.golfhotelwhiskey.com/nextgen-briefing-with-mr-faa/
    20 Billion...

  13. Anyone Remember Chicago? by freak0fnature · · Score: 1

    I don't think we needed a report to know this. Last October's arson in Chicago was evidence that there are serious vulnerabilities with the FAA.

  14. The Cybernet and ATC systems .. by lippydude · · Score: 1

    "Cyber-based threats to federal information systems such as those that FAA relies on for its ATC systems are evolving and growing .. Further, the growing interconnectivity among different types of information systems presents increasing opportunities for such attacks."

    Just who in their right minds connect an Air Traffic Control system to the Cybernet?

    1. Re:The Cybernet and ATC systems .. by Anonymous Coward · · Score: 0

      "Cyber-based threats to federal information systems such as those that FAA relies on for its ATC systems are evolving and growing .. Further, the growing interconnectivity among different types of information systems presents increasing opportunities for such attacks."

      Just who in their right minds connect an Air Traffic Control system to the Cybernet?

      The GAO, apparently. If you read all of the released report you'll notice that close to half of it is the GAO complaining that the FAA has a lot of network switches in the field that are physically isolated rather than connected to an uber-management LAN. Seems that the GAO thinks that physically isolated networks are inherently less secure than networks which depend on a firewall for protection.

      Certainly physical isolation makes it harder for a CISO to stay in a comfy chair in Washington and check whether things are properly configured, but it can also be more secure than connecting your ATC system up to a Cybernet if you trust your field folks to follow written directions.

  15. True on water as well by justthinkit · · Score: 1

    True on water as well. The ship's pilot is absolute commander.

    --
    I come here for the love
    1. Re:True on water as well by gstoddart · · Score: 1

      Yarg! Now get 'yer booty to my cabin, and put on that frilly thing I be likin' so much.

      Oh, evening captain. Mr. Jones, carry on as you were.

      --
      Lost at C:>. Found at C.
    2. Re:True on water as well by QQBoss · · Score: 1

      On a ship, the captain and the pilot are two different roles and never the same person. It is the captain who has ultimate authority, the pilot is a person brought in on a case by case basis to help the captain navigate through local waters. Captains might travel the world, pilots stick to a particular stretch of water and have the local knowledge to advise the captain, usually as a requirement of maintaining insurance in case of accident. My grandfather was a ship's captain away from home almost 9 months a year, my uncle was a pilot on the Panama Canal and slept at home almost every night.

    3. Re:True on water as well by justthinkit · · Score: 1

      One thing wrong, or at least muddled...

      When the pilot comes on board, he becomes the Ace of Trumps. You know, "only one captain on a ship". What would be the point of a local expert coming on board if the non-expert captain was still in charge?

      Maybe you are confusing general operation of the ship with the act of "driving it". No doubt while the pilot is aboard, the captain can still order a mate to swab a deck. But when it comes to "Since we're late can we speed up to make up time?" that is only the pilot's call. Who, of course, would not speed up.

      Since we're playing the "my dad is better than your dad" game, it was one of my closest friends who was both a ship's captain (for decades) and a ship's pilot (for years more). Pilots make more, while doing less, so he retired at that position.

      --
      I come here for the love
  16. AirGaps are nice, but inconvenient by Anonymous Coward · · Score: 0

    It would seem that a controller might need to be on the public web to get information useful for NAS safety.
    (For example weather and news.)
    Displaying a public web page gives that web page quite a bit of autonomy in accessing the user's network.
    Which says that network firewalls are not all that useful, because that autonomy is running behind the firewall.

    Putting the NAS on an airgapped private network would help this, but make it difficult to merge information between the public and private machines.

    What if the controller's computer had separate public and private IP interfaces and a separate browser for each network?
    If you could trust the kernel to keep the two network stacks separate, then maybe the only connection between the two would be cut and paste.
    Would this be an achievable, good enough compromise between function and security?

    If the FAA were to make this work it would be useful in many other environments as well.
    (A little different than the usual FAA-is-follower model.)