The Government Accountability, a government watchdog agency, is reporting significant security control weaknesses in the Air Traffic Control System even though the Federal Aviation Administration has taken steps to protect the air traffic system from cyber-based threats. One of the biggest challenges is the ability to prevent and detect unauthorized access to the vast network of computer and communications systems the FAA uses to process and track flights around the world. They have also pointed out inadequate protections to prevent entry into air traffic computer systems from other, less-secure computer systems not directly involved in traffic operations.
“Researchers have already demonstrated multiple ways to attack the air traffic control system, as well as adjacent aviation systems. We’ve seen demonstrations of injecting fake aircraft and compromising flight control systems. My concern is that the regulatory bodies in the industry will respond negatively to these disclosures, and rather than seek a reasonable approach to protect these systems, they will try to stop the research and prevent researchers from publishing this kind of information.
One of the most obvious cyber security challenges in the aviation industry is the increasing sophistication of attacks, and the participation of so called ‘nation-state actors’. It’s hard to get an accurate picture of how many nation state sponsored attacks are out there because there are a lot of unsubstantiated claims and attribution. At the same time, there’s undoubtedly more genuine nation-state activity. It is a challenge for information security professionals to defend against nation-state attackers. How can an IT security analyst at a for-profit organisation expect to keep the NSA, or China, or GCHQ out of their organization’s network?” – Tim Erlin, Director of IT Security and Risk Strategy at Tripwire