Report: Air traffic system vulnerable to cyberattacks

The investigative arm of Congress says the Federal Aviation Administration's control system is vulnerable to a cyberattack -- a scenario that could trigger chaos in the air given there are more than 7,000 airplanes flying at any one time over the United States.

The Government Accountability Office report (GAO-05-712), released Monday, said the FAA has set up an agency-wide information security program to address previously identified security weaknesses, but has yet to fully establish an information security program to effectively protect its vast network of computers and communications equipment.

"The agency's ability to fulfill its mission depends on the adequacy and reliability of its air traffic control systems," the report noted. The FAA is charged with managing the nation's airspace to ensure safe, orderly and efficient air travel for the millions of flights every year.

Air traffic exceeded 46 million flights and 647 million passengers last year, and thousands of military and commercial aircraft traverse the United States at any given time, according to the FAA.

GAO found FAA's computer network remains exposed to disgruntled former employees and sophisticated hackers. The investigators found the agency is not adequately managing its networks, system patches, user accounts, passwords and user privileges.

It also operates with outdated security plans, does not sufficiently test and evaluate programs and was not meeting standards for training employees to detect security breaches. More than 36,000 employees work at the agency.

House Government Reform Committee Chairman Tom Davis, R-Va., whose panel requested the report, urged the FAA to move quickly to strengthen its computers.

"Given the ever-evolving nature of cyber threats, and the thought of someone with malicious intent accessing FAA's IT systems, complacency is not an option," said Davis.

The FAA responded that the "implications of the findings in this report should be tempered by the understanding that individual system vulnerabilities are further mitigated by system redundancies and separate access controls that are built into the overall air traffic control system architecture."

GAO countered that the FAA's complex air traffic system relies on several interconnected systems and as a result, the identified weaknesses "may increase the risk to other systems."

GAO also found weak physical security around air traffic control towers and other FAA facilities. That, GAO said, puts the agency at "increased risk of unauthorized system access, possibly disrupting aviation operations."

More than 480 air traffic control towers manage and control the airspace within about five miles of an airport, directing departures and landings as well as ground operations on taxiways and runways, said GAO.

The report included a dozen recommendations to bolster the FAA's IT and physical security, including making risk assessments, testing and evaluating critical control systems, blocking Internet access to sensitive information and deploying intrusion detection technology for exposed parts of the computer network.