Kurt Seifried, [email protected]
The airline industry in North America is a critical component of our economic prosperity, and even more than that a vital component to our lifestyle. Have to be in San Diego tomorrow to meet with a client regarding critical issues? Be there in less than 12 hours from virtually anywhere in North America, affordably. The airline industry in the US employs slightly over one million people, and services like air cargo allow many other businesses to function that depend on quick delivery of everything from electronic components to stuffed toys and legal documents. Yet we are coming to understand that security threats can put a quick end to services we depend on and take for granted.
After the tragic events of September 11th the FAA and NavCanada (Canadian equivalent of the FAA) shut down all North American airspace for several days. Unless it was a critical government or military flight it wasn't leaving the tarmac. Everything from FedEx and crop dusters to air ambulance services were grounded. The airline industries in both countries are reeling from this event, with several companies firing hundreds to thousands of employees, and requesting their respective federal governments for bailout packages to avoid declaring bankruptcy.
In security we do not have unlimited amounts of money to spend. We need to look at factors such as risk, threat, vulnerabilities, cost involved in recovery, and long term effects (such as customer confidence). It is obvious that the economic and more importantly the human costs of September 11th vastly outweigh anything that could have possibly been spent on air travel security.
With consumer confidence in air travel severely rattled in North America it is more critical than ever for effective security precautions. Already, physical security concerns have resulted in the presence of heavily armed police in airports and armed federal air marshals on some US flights, and the following, from the FAA website:
"Can I carry my pocket knife on board? No knives or cutting instruments of any size or material will be allowed in the aircraft cabin. Knives may be transported only in checked baggage. Airlines will no longer provide steak knives for on-board food service.1"
But what about protecting air traffic control computer systems and other electronic infrastructure components, which allow the airline industry to run at high capacity with a large margin of safety? Unfortunately on this front it seems the FAA has not done so well.
The FAA is currently in the midst of a major security overhaul, and while this has been under progress since 1998 there are still many problems with the FAA's computer security.
Kenneth Mead, inspector general at the U.S. Department of Transportation, testified at a House Science Committee hearing, regarding the security overhaul. "Under that $1 billion-plus project," Mead said, "the systems that manage air traffic control are due to be linked to administrative systems at the FAA, potentially opening them up to wider access. Until the FAA gives assurances that this integrated network won't compromise data security, we don't think the FAA should go forward with that plan.2" Unfortunately, like many government organizations, the FAA is now paying the price of years of IT deployment without proper security foresight. Numerous issues plague the FAA, from interconnected networks that are not fully documented or understood, to allowing intruders potential avenues of access into critical systems.
"Air traffic control computer systems within the Federal Aviation Administration remain at risk of intrusion and malicious attacks, despite a review last year pointing out the problems, said Gerald Dillingham, director of physical infrastructure issues at the General Accounting Office. Although the FAA is making some progress in addressing 22 computer security recommendations, most have yet to be completed, he said.3"
The events of September 11th show that certain terrorist groups are willing to plan long term and go to great lengths to accomplish their goals. Even with increased physical security it will not be impossible to re-enact terrorist attacks on the scale of those we recently experienced.
Like most security problems inside threats are some of the most potentially damaging. While it is possible to do background checks and so forth on people, these checks are often not done correctly, if at all. There are even reports of people with criminal records being hired after background checks for airport security positions. Insiders know where the vital components are, and typically know how to do the most damage. Instead of simply wiping a system they may be able to subvert the program or data fed into it, resulting in similar levels of damage but with a much higher cost in time and money to solve them (assuming the problem is even identified correctly).
Even with the FAA's plans to implement strong access controls and user authentication it will be difficult to stop people who have been granted access to systems - and access permissions are almost always too broad and usually outdated as well.
Another of the most common failings of access control systems is reporting of failed access attempts, and more importantly of determining why there was a failed access. Was it simply a mistake, someone trying to access the wrong server or resource? Or was there a more sinister intent, perhaps someone trying to gain access to a critical internal system so they could hijack it?
A thorough analysis of flight security must take both physical and computer security equally seriously, as access to computer systems today means access to the flight paths themselves. While we hope that the events of September 11th never occur again, two US generals have been granted authority authorize the shooting down of hijacked aircraft on suicide missions. Of course this depends on air traffic control being able to identify a hijacked plane, and being able to get a location of the plane to the military.
Since civilian "radar" primarily depends on the craft's transponder (which can be turned off) and is not isolated from networks, it is typically not as robust as military systems. In the future, pulling off this type of attack will partially depend upon being able to hijack the air traffic control system, or being able to disable it so as to cause sufficient confusion so that the attack is successful.
Although it seems unlikely that terrorists will seize control of FAA computers and crash planes by rerouting them, certainly access to these systems is as critical as physical access to the planes themselves.
Asked Questions About Air Travel"
2"FAA faces more criticism for computer security failings"
3"FAA floats security options"
Last updated 2/22/2002
Copyright Kurt Seifried 2002