The Federal Aviation Administration (FAA) recently reported that its computer systems were attacked by unknown hackers in February. The attack follows a January report expressing concern that the FAA’s air traffic control systems are vulnerable to cyberattacks.
The announcement, which was stuffed in the middle of an interim award notice posted on the Federal Business Opportunities website, was so subtle that it went largely unnoticed.
It stated simply, “Due to a recent cyberattack, the FAA requires additional planning time to determine the impact to the competitive procurement’s requirements.”
The FAA did not immediately respond to a phone call or voice message requesting comment.
Nextgov was the first outlet to catch wind of the announcement. After inquiring about the cyberattack, it reported on April 6 that the FAA discovered “a known virus,” which spread through email on “its administrative computer system.”
The cyberattack allegedly caused no damage to the computer systems. After it was discovered, the FAA blocked the attack, contained the virus, and cleaned the affected computers.
What’s interesting is that the attack only hit the administrative computer system. This, and the fact that it was spread through email, gives it the fingerprints of a spearphishing attack—a cyberattack that often uses official looking emails to infect a targeted computer network.
It is still unknown who the hackers were. Details of how the virus functions were not disclosed.
A breach at the FAA could have broad implications for airlines, however, according to Kevin Kuhlmann, associate chair of the Department of Aviation and Aerospace Science at the Metropolitan State University of Denver.
“If one hub were to go down, it would wreak havoc across the whole nation,” he said, referring to the air traffic control systems, the FAA is responsible for.
If an air traffic control system were to go down at an airport, it would cause severe gridlock with planes trying to land and with planes on the ground. He said, “It would be a chaotic situation.”
Kuhlmann cited an incident from September 2014, when a communications contractor, Brian Howard, 36, at the Aurora FAA radar center in Chicago tried killing himself and set fire to the center.
Howard grounded more than 2,000 flights and forced an evacuation at the Chicago O’Hare International Airport. The center Howard worked at handles all high-altitude flights in parts of the Midwest.
“That wreaked havoc on the national air traffic system,” Kuhlmann said.
There is speculation that by breaching an air traffic control system, a hacker could cause plane crashes, yet it’s all hypothetical.
Kuhlmann, for one, doesn’t believe a breach of air traffic control could cause much devastation. He did say, however, that it would send air traffic control back to the 1950s “where everything is done by voice control, and everything is done with a lot of traffic.”
“I don’t see a scenario like in ‘Die Hard’ where someone gives a fake command and an aircraft hits the ground,” he said. “That’s not going to happen.”
A Vulnerable Network
The cyberattack on FAA took place just a month after a federal audit warned that U.S. air traffic control systems are vulnerable to cyberattacks. It also stated that the FAA did not implement security systems required through a 2002 act.
The January 2015 audit from the Government Accountability Office states in its title: “FAA Needs to Address Weaknesses in Air Traffic Control Systems.”
“While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyberbased and other threats, significant security control weaknesses remain, threatening the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system (NAS),” it states.
Ironically, the audit warns that vulnerabilities in air traffic control are in areas designed to “prevent, limit, and detect unauthorized access to computer resources.”
It states that the FAA was required to implement security program and framework under the Federal Information Security Management Act of 2002, yet its implementation was “incomplete.”
Among the problems, the report said, was that FAA’s current system limits its ability “to detect and respond to security incidents affecting its mission-critical systems.”
The problems with the FAA found in the federal audit, it states, place the “safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.”
The recent cyberattack wasn’t the first time the FAA’s networks were breached. Several similar breaches were outlined in an inspector general report sent to the FAA in May 2009.
In February 2009, hackers breached a FAA computer that gave them access to personal information of 48,000 current and former FAA employees, including their Social Security numbers.
In 2008, hackers took control of one of the FAA’s critical network servers, and “could have shut them down,” reported the technology website CNET. After taking over the network, the hackers got hold of an administrator’s password, installed “malicious codes,” and then used it to access more than 40,000 user accounts used to control another network.
In 2006, an air traffic control system was infected with a computer virus, and the FAA had to shut down part of its systems in Alaska, CNET reported.
The May 4, 2009, memorandum sent to the FAA from the U.S. Department of Transportation states, “An audit of the FAA’s air traffic control cybersecurity protection measures finds them lacking and said there have been several breaches by hackers and a virus.”