US Air Traffic Control System Is Riddled With Vulnerabilities 60
An anonymous reader writes: A recently released report (PDF) by the U.S. Government Accountability Office has revealed that despite some improvements, the Federal Aviation Administration (FAA) still needs to quash significant security control weaknesses that threaten the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). The report found that while the "FAA established policies and procedures for controlling access to NAS systems and for configuring its systems securely, and it implemented firewalls and other boundary protection controls to protect the operational NAS environment [...] a significant number of weaknesses remain in the technical controls—including access controls, change controls, and patch management—that protect the confidentiality, integrity, and availability of its air traffic control systems."
Ya Think? (Score:2, Funny)
Re:Ya Think? (Score:4, Informative)
Re:Ya Think? (Score:4, Insightful)
Is this why the entire nation's ATC system limped along at a severely reduced capacity when a single Chicago facility was taken offline for 3 weeks due to a single contractor cutting a few cables?
Re: (Score:2)
Re: (Score:1)
That "one" facility controls traffic through one of the largest hub cities in the country. For some of the major airlines, if you can't connect through chicago, you can't get to about 75% of the rest of the country. So, yea, there's an argument about that...you dolt.
Re: (Score:2)
That "one" facility controls traffic through one of the largest hub cities in the country. For some of the major airlines, if you can't connect through chicago, you can't get to about 75% of the rest of the country. So, yea, there's an argument about that...you dolt.
Put fault on the airline, not FAA.
Re:Ya Think? (Score:4, Insightful)
Getting everyone on the ground safely is the pilots' job. Keeping planes in the air safely is ATC's job.
Re:Ya Think? (Score:4, Informative)
Getting everyone on the ground safely is the pilots' job. Keeping planes in the air safely is ATC's job.
Nope. Once an aircraft is moving on the ground under its own power, the flight has started and the pilot in command has the ultimate responsibility and authority over the safety of the flight. A pilot in command can deviate from any rule, clearance or law to the extent necessary to ensure the safety of the flight. [cornell.edu]
Re: (Score:1)
Re: (Score:2)
Yeah, yeah, yeah. 14 CFR 91.3. Going by your logic, ATC has no job. Obviously, ATC's job is to safely operate the National Airspace System. 91.3 isn't going to get an airliner into a busy terminal through a layer of weather. When a pilot observes a conflict between an ATC clearance or regulation and the safety of flight, however, the pilot has the authority to deviate.
I don't think you get the idea behind 14 CFR 91.3.
Pilot makes mistake, pilot dies. Controller makes mistake, pilot dies. Pilot is the ultimate authority and thus has the ultimate responsibility over any flight. But he'll gladly take any help he can get.
I'm a big fan of ATC. I like flying in Bravo airspace. I like flight following when in Echo airspace. It helps me stay safe. But in the end, when I'm flying, I am flying.
True on water as well (Score:2)
Re: (Score:2)
Yarg! Now get 'yer booty to my cabin, and put on that frilly thing I be likin' so much.
Oh, evening captain. Mr. Jones, carry on as you were.
Re: (Score:2)
On a ship, the captain and the pilot are two different roles and never the same person. It is the captain who has ultimate authority, the pilot is a person brought in on a case by case basis to help the captain navigate through local waters. Captains might travel the world, pilots stick to a particular stretch of water and have the local knowledge to advise the captain, usually as a requirement of maintaining insurance in case of accident. My grandfather was a ship's captain away from home almost 9 month
Re: (Score:2)
When the pilot comes on board, he becomes the Ace of Trumps. You know, "only one captain on a ship". What would be the point of a local expert coming on board if the non-expert captain was still in charge?
Maybe you are confusing general operation of the ship with the act of "driving it". No doubt while the pilot is aboard, the captain can still order a mate to swab a deck. But when it comes to "Since we're late can we speed up to make up time?" that is only the
Re: (Score:2)
You're just trying to impress everyone with you knowledge by pulling a regulation out of your hat.
Yes, this actually got me laid last night. Ain't that cool?
You actually need a damned compelling reason to exercise 91.3(b), which is why 91.3(c) exists. If you have been denied access to Class B / C / D (yep, they can deny you access), your engine quits, and you go gliding into the primary when you could have easily glided to a perfectly good airport, even a nice soft grassy field, outside the Class B for no reason other than you thought you could do whatever you want under 91.3(b)...you're fucked. In fact, even if that was the only reasonable option (other runway was too short, covered in clouds, mountainous terrain with no fields, whatever), you still better hope to hell no one can ever possibly blame you for the engine failure.
It's not that black and white. First of all, once I utter the words "I declare an emergency", or just squawk 7700, not a single controller will deny me class B clearance. They're trained to deal with the emergency first, handle the rest later.
Second, if I mess up in flight, that does not mean I deserve a death sentence by ATC denying me the best possible option to get out of my emergency. A very good example of this would be a VFR pilot flying int
Re: (Score:2)
Re: (Score:3)
Or when several airports where completely shut down because of a buggy windows update?
However, i'm not sure the lack of redundancy and failsafes for a specific function is a security issue. I do agre with the question being asked though.
I respect the FAA (Score:5, Interesting)
The FAA is one of a very few government agencies that takes its job seriously and focuses on quality.
They're better than that. Surgeons in operating rooms are cribbing from the FAA for techniques and procedures to improve patient safety. The safety record of the airline industry is quite remarkable and the FAA deserves a huge amount of the credit for that achievement. I've worked as a quality engineer and whatever their other flaws might be, the FAA groks quality and safety as well as any organization I've ever seen.
I'd trust them to take IT systems security seriously and delegate the work to competent engineers.
As would I. The only thing I really worry about with the FAA is in keeping Congress from meddling with them too much. They are in my opinion one of the best run agencies in our government. That's not to say they don't have their flaws but on the big picture stuff, especially safety, they do a pretty good job overall even when they don't have all the resources they might.
Almost can't believe I'm saying this, but it would seem they have good workers.
Why should it shock you? We have many people in our government who are remarkably competent. I'd be happy to introduce you to some that I know personally. The FAA does not only have good workers but they have a safety first framework and have built a culture and procedures to support that. They also have the advantage of not being a political football for Congress to fight over. A good worker can be put into a system that doesn't work and chances are they will fail. Safety and reliability are NOT about competent people working hard. Those are important things but they will not get the job done unless you also have an organizational framework that supports them properly. The FAA has oversight over the entire process from certifying the airplanes before they even get built, to overseeing the ongoing maintenance and supply, to being able to force private companies to be grounded if they don't do what they are supposed to do when they are supposed to do it. They are able to get into all the corners of the industry that affect safety and they largely do a good job of ensuring that things are done properly like a regulator is suppose to.
Re: (Score:2)
The FAA is the government's weapon of mass destruction that causes ongoing devastation to all of aviation, and excellent proof that we do not live in a free country.
I'd also put blame on TSA that makes boarding airlines miserable and they want to expand "security" into GA. Then you have local governments and officials trying to close down GA airports. Lots of examples of elected officials that tried to close Reid Hillview and Santa Monica along with huge following of general public ("why did they put that airport next to a shopping center?"). And there is big business itself expanding into open areas around airports squeezing out the private pilot. And consolidation of
Re: (Score:2)
You've got to be kidding me. Nearly every instructor I've ever had offers different stories about the FAA.
So because a bunch of flight instructors don't like dealing with the FAA the organization isn't effective at ensuring airline safety? You can tell stories about stupid things that happen in ANY organization and the FAA is no different. Yeah, not everything the FAA does is perfect - news at 11. Of course the aviation industry has achieved a ridiculously impressive safety record and the FAA has been a huge part of that. Coincidence? Not remotely. Just because an organization does some silly stuff doesn'
Re: (Score:2)
When they dont have the money they need, they cant do squat. The entire ATC system has been underfunded even before the Reagan years.
Re: (Score:2)
Oh Goody! (Score:2)
Re: (Score:2)
Perhaps, but the FAA did actually manage to control physical access to that terminal fairly well.
All in all, my quick skim though the report tells me that where the FAA does have issues with security (Mostly with, network security, management of users and patches) they don't do that badly given their large size. They have similar problems to just about everybody else that has systems of similar complexity and by my estimation do better than average on just about all aspects of security. Given the "missio
Re: (Score:2)
Re: (Score:2)
I really don't see that as a the most vulnerable point. Not by a long shot. Tapping a digital fiber link wouldn't be like US submarines tapping Soviet analog telephone cables. The data on the link can be encrypted and authenticated at either end such that it's not really practical to modify or impersonate without the kind of assets in the organization that would make an inside job a lot simpler.
The real problem is human factors. Air-gapping sensitive systems is a sound idea in principle but in practice
Re: (Score:2)
Re: (Score:2)
How it was initially deployed is known only to its makers, but Stuxnet was designed to enter an isolated facility on a USB drive. Once on the LAN it would propagate to other computers, and potentially to other networks via an infected laptop, which is how it ended upon the Internet.
You can use your imagination as to how they got the USB into the target facility. It might have been as simple as dropping the USB stick in the parking lot of a vendor, but given the resources needed to create the worm itself
Re: (Score:2)
Re: (Score:2)
It won't be necessary to tap the fiber. Some moron will plug their smartphone in to their computer to charge it and that will be the end of the airgap.
Re: (Score:2)
And for the most part, this is what the FAA does, or historically has done. Only recently they have started to phase out the 40 year old system that pre-dated the internet and move to IP based communications.
Also, I don't agree with your approach of just stringing up your own infrastructure for communications. IP networks can be built with LOTS of redundancy and using a couple of internet connections and routing your traffic over them can add huge redundancy gains with low cost. I think the FAA needs an
News from the 1990's..... (Score:2)
Almost everyone that has seen the systems in place have know this for over 2 decades.
It's a mess, an unholy mess that they really need to dump a couple billion into to do a full upgrade and redesign. The whole ATC system is a giant ball of bandaids.
Re: (Score:3)
Given the results of the government's most recent attempt to build a working website, I'm not sure a complete system could be built for any price.
The sky is blue and water is wet..... (Score:2)
The bigger issue... (Score:3)
Sure, these technical issues are very important and need to be addressed.
But all of these issues are moot if the diabolical, elite villains are still in power.
Even if the systems were patched and secure, they could still let another 9/11 happen if they choose to.
Re: (Score:2)
Even if the systems were patched and secure, they could still let another 9/11 happen if they choose to.
This is insightful? The FAA has no ability to stop another 9/11. They can't reach out from their radar facilities and stop a nut in a plane from flying into a building. They can issue instructions, but have no way of forcing them to be followed. The controllers who had the flights of 9/11 on radar didn't "let" it happen, they watched it unfold without a way of stopping it.
What DOES happen now is that anything that is deviating in a significant way from ATC instructions is handed to the Air Force for an in
Anyone Remember Chicago? (Score:1)
The Cybernet and ATC systems .. (Score:2)
Just who in their right minds connect an Air Traffic Control system to the Cybernet?