[Cryptography] Air Traffic Control computers are maintained about as well as most home machines

Jerry Leichter leichter at lrw.com
Tue Mar 3 16:21:55 EST 2015

From http://arstechnica.com/tech-policy/2015/03/us-air-traffic-control-computer-system-vulnerable-to-terrorist-hackers/, quoting from a GAO audit of the ATC system:

"While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA's systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses....

Additionally, the agency did not always ensure that security patches were applied in a timely manner to servers and network devices supporting air traffic control systems, or that servers were using software that was up-to-date. For example, certain systems were missing patches dating back more than 3 years. Additionally, certain key servers had reached end-of-life and were no longer supported by the vendor. As a result, FAA is at an increased risk that unpatched vulnerabilities could allow its information and information systems to be compromised."

[T]he FAA "did not always ensure that sensitive data were encrypted when transmitted or stored."  That information included stored passwords and "authentication data."
                                                        -- Jerry

More information about the cryptography mailing list