Digital security weaknesses in U.S. air traffic control systems as simple as using unencrypted networks enable attacks from terrorists and foreign nations that could prevent the safe landing of more than 7,000 commercial passenger and cargo flights.
The national airspace system, the Federal Aviation Administration network that guides the country’s airplanes and includes air traffic control systems, is dangerously open to outside attacks because of lax cybersecurity, according to a Government Accountability report.
“These weak controls are mirrored in weak security management processes, such as incomplete policies and procedures for incident response and insufficient testing of security controls,” the report said.
“The growing threat of cyber-based attacks is particularly concerning for our nation’s transportation infrastructure,”said Rep. John Katko, R-N.Y., chairman of a House Homeland Security subcommittee and one of the report’s requesters.”A small lapse in cybersecurity in our air traffic control system could have devastating effects on American travel, commerce and national security.”
Government officials can’t always detect and prevent unauthorized access to the air traffic control systems because of deficiencies as simple as using passwords with expiration dates and unencrypted networks, not training employees and contractors in basic information security measures, and neglecting security software updates for as long as three years.
“It shouldn’t be this easy for attacks,” said Center for Strategic and International Studies senior fellow James Lewis. “Unfortunately, that’s true for most places. This is what you call basic cyber hygiene.”
The ease of attacks, however, vital for a system as critical as air traffic controls are to the health of Americans and the nation’s commerce.
“This is one of America’s elements of its critical infrastructure,” said Heritage Foundation national security expert Peter Brookes. “I worry about somebody taking advantage of access to the system during a time of crisis. If we go to war with somebody, would they see that as a target?”
Brookes, a congressionally appointed member of the U.S.-China Economic and Security Review and a former CIA official, warned that”it doesn’t have to be a nation-state that does this, it could be a group like [the Islamic State of Iraq and Syria].”
Lewis doubted that digital attackers would be able to cause plains to crash into each other. Other dangers, however, do exist.
“You could maybe find ways to hide airplanes coming into the U.S.,” Lewis said. “You could affect the ability of the [aviation administration] to track flights.”
This could be particularly significant if all 7,000 airplanes flying at any given time needed to land quickly in the instance of an emergency, such as during the Sept. 11 attacks when FAA officials ordered all flights to stop.
“Imagine if that system went out during a national emergency,” said Brookes. “You would have serious safety concerns.”
Losing the national airspace system alone, however, shouldn’t allow another Sept. 11-style attack or to let planes go missing like last year’s Malaysian airline, thanks to other networks.
“There’s still military radars out there,” Brookes said.
However, a shutdown of the aviation administration’s system “would still cause a crisis, because there wouldn’t be enough capacity on the military side,” Brookes said.
To correct the issues, the accountability office made 17 public recommendations, as well as an additional 151 in a classified version of the report.
The issues stem from the FAA’s failure to fully implement a security program as required by the 2002 Federal Information Security Act. Aviation officials declined to comment.
