US Government audit shows Air Traffic Control systems security lacking

The study was deemed necessary to carry out due to the increasing use of commercial software and Internet Protocol based technologies by the FAA for its support systems. KPMG carried out the audit looking specifically at vulnerability assessment and penetration testing on selected Web applications used in supporting ATC operations. Their work was supported by the Deprtment of Transport's own records of reported cyber security incidents in the recent past. The DOT also carried out the second objective of the audit which was to look into the FAA's capability of detecting security breaches and it's effectiveness in monitoring ATC cyber-security incidents. The audit concluded that "Web applications used in supporting ATC systems operations are not properly secured to prevent attacks or unauthorized access. In addition, FAA has not established adequate intrusion-detection capability to monitor and detect potential cyber security incidents at ATC facilities." 70 web applications were tested, some used for public information i.e AIS applications and some supporting internal ATC systems. The report discovered a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities. You can view the complete report at the following link Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems