New York senator Charles Schumer held a press conference this weekend, demanding “immediate action” to improve the security of the Federal Aviation Administration’s computer systems.
His concern? That terrorists could break into national air traffic control systems run by the FAA, and use them to wreak havoc in the skies above America.
The Democratic Senator reportedly didn’t mince his words in how he described the potential threat, and compared the potential damage to the attack which hit Sony Pictures last year:
“FAA computers have system-wide failings that leave the agency’s air traffic control systems vulnerable to hacking, which could expose sensitive aviation data or even shutdown the system while thousands of planes are in the air.”
“If the Sony hacking was bad, imagine how much worse the hacking of the FAA computer system could be with thousands of planes in the air. Sophisticated terrorists could even steer planes into one another. The threat of a cybercriminal taking over this system makes your stomach sink.”
It certainly sounds more like a dramatic depiction of a Hollywood action movie starring Bruce Willis than anything else, but no one can deny that a disruption of the air traffic system would rattle the public’s trust in air flight – whether it was carried out by teenage hackers in their bedrooms or terrorists with a more frightening agenda in mind.
The Senator called for the FAA to implement strategies recommended by a Government Accountability Office (GAO) report, released last week, that claimed “significant security control weaknesses remain, threatening the agency’s ability to ensure the safe and uninterrupted operation of the national airspace.”
“These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA’s systems.”
Furthermore, the scathing 42-page report claimed, that there existed “significant interconnectivity” between National AirSpace Systems (NAS) and non-NAS systems, increasing the risk that weaknesses could be exploited.
In other words, the FAA could be doing a lot more to make successful exploitation by hackers a lot harder.
And, seeing as there are up to 2,850 flights in the air at anyone time, you can appreciate the importance of air traffic control systems not being tampered with or hijacked by malicious hackers.
In all, the GAO has 168 security recommendations designed to improve the FAA’s network security – although, for obvious reasons, these are not be made public.
The FAA, naturally, is working hard to reassure politicians that the situation is under control and (if you’ll excuse the pub) the sky is not falling.
FAA administrator Michael Huerta told Congress that his agency was implementing changes to security, but that a lot of the points made by the GAO report had been identified and “already remediated”.
You can also see Huerta discuss the issue in a “fireside chat” he gave at a National Air Traffic Controllers Association (NATCA) meeting this past weekend, where he emphasised that his organisation had high standards for safety and security.
It’s easy to recline in your seat, grab a handful of peanuts and enjoy watching the FAA’s discomfort at the GAO report. But rather than that, maybe it makes better sense to ask yourself whether your own organisation can afford to be satisfied with what it’s done about network security so far.
The truth is that none of us can afford to be complacent, and many organisations would find it difficult – as the FAA might – to play catch up when it becomes obvious that there is a serious problem. Many hands make for light work, so create a plan now on how you can raise your organisation’s security to the next level, and not be caught on the hop.
This article originally appeared on the Optimal Security blog.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.