Information Security News mailing list archives
Experts spar over aviation security
From: William Knowles <wk () C4I ORG>
Date: Mon, 18 Dec 2000 14:40:05 -0600
http://starnews.com/news/articles/airport1217.html By Terry Horne Indianapolis Star December 17, 2000 Hate airports? Nervous about flying? Well, grip the armrest more tightly. The possibilities of computer mischief and microchip terrorism threaten public confidence in the aviation industry. Computer security experts warn that a teen-age hacker could make chaos of air cargo, or a secret laboratory in the Mideast might find a way to bring down a plane by displaying false radar readings on air traffic control displays. But those security experts disagree, often strongly, about the likelihood of such events occurring -- and whether today's computer security measures are adequate to stop such intrusions. BAA, the British company that operates Indianapolis International Airport, says its computer networks are secure from harm. That's not how Josh Bussert sees it. The computer security consultant, whom BAA briefly considered hiring as a consultant, claims the information networks at the airport are so vulnerable that a high school student could hack his way inside and disable the flight information displays. Or route all baggage to Concourse A while sending passengers to Concourse D. "The airport is virtually a wide-open facility for anyone who wants to break into it and mess around," Bussert said. Similar disagreements have flared recently over the nation's air traffic control system. Federal Aviation Administration officials contend air travel remains safe, and that its computer systems have several layers of protection and redundant hardware to protect against outages, whether brought about by a computer failure or a hacker's attack. Congressional investigators, however, contend there are "pervasive weaknesses." According to a General Accounting Office report issued in September: * The FAA still hadn't assessed whether many of its facilities (including those in Indianapolis) meet its most recent physical security standards, ranging from door locks to fencing. * The FAA's testing has revealed numerous vulnerabilities that computer hackers or enemy agents could exploit to gain access to some FAA systems. * The FAA lacked adequate staffing to provide 24-hour monitoring of the devices it had installed to detect attacks on its computers. Raymond Long, the FAA's director of information systems security, says the agency agrees "99 percent" with the GAO's criticisms and recommendations. He insists there's enough redundancy -- equipment such as backup radar and emergency generators -- to negate any threat to passenger safety. Still, he said, "You can spend money forever and never reach a foolproof system. All we try to do is minimize the risk. "Anyone with enough money, time and effort can get into your system." An issue of confidence BAA is one of the largest airport operators, with worldwide revenues last year of about $3 billion. Its operations at Indianapolis International would seem to be a low-level target for computer attack. BAA is, after all, just the company that keeps the floors vacuumed, collects rents from the airport shops, oils the conveyors, heats the terminals, polices the grounds and performs other myriad tasks needed to keep a transportation hub operating. Each airline handles its own operations, including baggage handling and flight information. The FAA runs the radar, the air traffic control screens and the radio. And each has its own computer systems. At other, more modern airports, computer systems are highly integrated -- and vulnerable. The computer systems at Indianapolis International aren't anywhere near as modern, said Tim D. Konopinski, BAA's local director of information technology. That actually could work in their favor. Some computers aren't linked to networks. Airport police have just one stand-alone computer, he said. Other systems aren't computerized enough to be vulnerable to hacking. The airport runway lights, for example, are turned on and off by switches, he said. The baggage-handling conveyors are airport equipment, but the airlines operate them. "There's no interconnection with our system," Konopinski said. Moreover, he said, there's no link between the airport and the FAA facilities located there: the air traffic control tower and the en route center, which oversees thousands of airplanes daily as they fly over parts of Indiana and six other states. BAA's computers contain only internal business records. A teen-ager who hacked his way into the system might be able to alter some bookkeeping entries. But he wouldn't be able to inconvenience travelers, Konopinski said. Earlier this year, though, Konopinski agreed to let Bussert Consulting, a small Lafayette firm specializing in computer security issues, take a quick look at the airport's computer networks. Bussert, the firm's president, said his company spent 80 hours on an initial assessment for the airport, most of that interviewing BAA's computer staff. Konopinski may view the various computers and networks as separate. But the networks are separate only in a programming sense, not in terms of the wiring, Bussert said. "The understanding that I had from talking to the staff at the airport was that just about every airport facility is connected by the same copper system." If that's the case, Bussert said, all of the computers connected to this copper wiring are only as safe as the weakest link and the strength of the firewalls -- the computer programs that protect networks from unauthorized entries. Bussert said economics played a role in BAA's decision not to hire his firm. In June, after completing its assessment, Bussert Consulting offered to do a more extensive security analysis and inventory of the airport's computers for about $47,000, which included some preliminary remedial work. "Their reaction really caught me off guard. It was, 'Oh, well. We don't really have the money to do this right now. We were only planning on spending a couple thousand dollars to do this,' " he said. Konopinski denied that cost was a factor. He said the airport was more than willing to spend $2,000 on computer security, and it did. At Indianapolis International, BAA uses Microsoft programs, among others. "We have a process where we stay up-to-date with all the Microsoft security patches," Konopinski said. That, in itself, is not so reassuring. In October, Microsoft admitted a hacker had broken into the company's computer system for 12 days. At some point, the hacker gained access to the company's jealously guarded source code, which for software programs is much like a building's blueprints. Defenses are eroding The computer systems that directly affect passenger safety are part of the FAA's National Airspace System, or NAS. These are the computers that control the radars, the radio communications, the controller display screens and all the other pieces needed to route planes safely. It's not integrated like a computer network. Instead, it's made up of thousands of pieces of specialized hardware run by custom-designed software. Until very recently, the security of this system depended on two concepts: isolation and obscurity. Isolation meant there weren't any connections between the air traffic control equipment and the outside world. Obscurity meant the FAA's system was too antiquated to penetrate. Until about two years ago, traffic control across the United States was handled by relatively old mainframe computers controlled by customized operating systems and software written in a source code specifically developed for the FAA. So even if a hacker found a connection into the air traffic control system, he wouldn't be able to do anything. This defense, which became known as "security by obscurity," was pretty effective, said Jeff Moss, a renowned West Coast hacker known as "Dark Tangent" and one of the organizers of an annual hackers convention, Def Con. "All the new-generation hackers have never played with that system." Yet many of the older hackers never tried, he said. "I've never even heard of anybody even joking about going after an airport," Moss said. "I think it's one of those protected industries, that it's not something kids decide to go after." Long, whose job it is to protect the FAA's computers, isn't so confident that's true. The FAA won't reveal how many times someone attempted to get into its computers. But, Long said, the FAA and other government agencies only recently installed the kind of equipment that detects hacking attempts, deliberate or accidental. "We've probably been getting a significant number of hits for years and didn't know about it," he said. As the FAA modernizes its equipment, its traditional defenses are breaking down. Newer software, sometimes even off-the-shelf programs, is being used. "It's going to increase our susceptibility to these attacks," Long admits. And the national airspace system was never so isolated as sometimes claimed. Software contractors, for example, can and do upload program changes directly into computers. It's Long's job to make sure the FAA knows about these links and that security is adequate. One contractor, for example, changes the links and passwords each time the company connects into the system, Long said. What worries him are the links he doesn't know about. In March 1997, for example, a Massachusetts teen hacked into a telephone company computer system and accidentally disrupted normal air traffic communications for six hours at a Worcester, Mass., airport. The tower was connected to its main radio transmitter by telephone lines. During the outage, air traffic controllers used battery-powered radios to direct planes. Long also worries about unauthorized connections to the air traffic control system -- an employee, for example, who has hot-wired his desktop to the system. He said he doesn't believe someone could hack their way into one of BAA's computer and, from there, enter one of the FAA's computer networks. He also can't say it's impossible. It's for that reason, he said, that the FAA has set up a voluntary working group with the airlines and airports "to make sure that all of our interfaces are not a trapdoor." Drawing attention Officials often point out that pilots still fly planes and know how to land them even when air traffic systems fail. Gene Spafford, a Purdue University computer science professor, is not so sure the FAA's air traffic control computers wouldn't be a tempting target for a saboteur, even without the certainty of being able to bring a plane down. "What an interesting statement to make, to tie up all the air traffic in the United States for a day, coupled with some kind of press release," said Spafford, who directs Purdue's Center for Education and Research in Information Assurance and Security. Yet at least the government is beginning to pay attention to such security issues. For many corporations, he said, security is usually an afterthought. Bussert's assertion that BAA's computers are vulnerable doesn't surprise Spafford. There may be a security problem. Or maybe Bussert, whom Spafford doesn't know, has misunderstood the network. But, he said, "If they were to bring in an expert consulting company, do a survey and fix the problems that need to be fixed, I would feel much relieved about it." Contact Terry Horne at (317) 444-6082 or via e-mail at terry.horne () starnews com *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- Experts spar over aviation security William Knowles (Dec 18)