Hackers have breached air traffic control (ATC) systems multiple times, a report conducted by the Department of Transportation [1]informed the Federal Aviation Administration.

Two attacks stand out.

In February, hackers breached an FAA public-facing Web site and gained unauthorized access to the personal information of 48,000 current and former FAA employees. In 2006, a Web-based viral attack infected ATC systems and ultimately led the agency to shutdown a portion of its ATC system in Alaska.

The vulnerabilities, according to the report prepared by Rebecca C. Leng, assistant inspector general for financial and information technology audits at the DOT, stem from the FAA's embrace of commercial software to modernize their operations.

While use of commercial IP [Internet Protocol-based] products, such as Web applications, has enabled FAA to efficiently collect and disseminate information to facilitate ATC services, it inevitably poses a higher security risk to ATC systems than when they were developed primarily with proprietary software.

Now, attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC systems, which is especially worrisome at a time when the Nation is facing increased threats from sophisticated nation-state-sponsored
cyber attacks.

Leng's report adds that Web applications are not properly secured to prevent attacks or unauthorized access and that the FAA does not have the adequate intrusion-detection capability to monitor and respond to breaches at ATC facilities.

According to PC World:

Penetration testers found 763 high-risk vulnerabilities in 70 Web applications used for functions such as distributing communications frequencies for pilots and controllers to the public and other applications used for internal air traffic control (ATC) systems within the U.S. Federal Aviation Administration (FAA), the report said.

A high-risk vulnerability is classified as one where an attacker could take control over a computer, modifying systems or stealing data. Testers also found 504 medium-risk and 2,590 low-risk vulnerabilities, such as the use of weak passwords and unprotected critical file folders, the report said.

FAA spokeswoman Laura Brown told The Wall Street Journal that the report's fear that hackers could wrest control of critical ATC operational systems [2] through its administrative systems were unfounded.

"It's not possible to use the administrative and mission support network to access the air-traffic control network," she said. "We have specific orders that prohibit them from being directly connected."

The report disagreed.

So far most attacks have primarily disrupted FAA’s ATC mission-support function. However, it is important to understand that attacks can spread from the mission-support network to the operational network—where real-time surveillance, communications, and flight information is processed to separate aircraft—because of network connections ...

The report also criticized the FAA's intrusion detection capabilities, noting that only 11 of 734 operational facilities have intrusion detection sensor systems in place.

The FAA agreed with all of the report's recommendations, including securely configuring its Web applications, patching security vulnerabilities identified in the report, and installing additional intrusion detection sensor systems.