Experts spar over aviation security

[William Knowles <wk () C4I ORG>]

http://starnews.com/news/articles/airport1217.html

By Terry Horne
Indianapolis Star
December 17, 2000

Hate airports? Nervous about flying? Well, grip the armrest more
tightly.

The possibilities of computer mischief and microchip terrorism
threaten public confidence in the aviation industry.

Computer security experts warn that a teen-age hacker could make chaos
of air cargo, or a secret laboratory in the Mideast might find a way
to bring down a plane by displaying false radar readings on air
traffic control displays.

But those security experts disagree, often strongly, about the
likelihood of such events occurring -- and whether today's computer
security measures are adequate to stop such intrusions.

BAA, the British company that operates Indianapolis International
Airport, says its computer networks are secure from harm.

That's not how Josh Bussert sees it.

The computer security consultant, whom BAA briefly considered hiring
as a consultant, claims the information networks at the airport are so
vulnerable that a high school student could hack his way inside and
disable the flight information displays.

Or route all baggage to Concourse A while sending passengers to
Concourse D.

"The airport is virtually a wide-open facility for anyone who wants to
break into it and mess around," Bussert said.

Similar disagreements have flared recently over the nation's air
traffic control system.

Federal Aviation Administration officials contend air travel remains
safe, and that its computer systems have several layers of protection
and redundant hardware to protect against outages, whether brought
about by a computer failure or a hacker's attack.

Congressional investigators, however, contend there are "pervasive
weaknesses."

According to a General Accounting Office report issued in September:

*  The FAA still hadn't assessed whether many of its facilities
   (including those in Indianapolis) meet its most recent physical
   security standards, ranging from door locks to fencing.

*  The FAA's testing has revealed numerous vulnerabilities that
   computer hackers or enemy agents could exploit to gain access to
   some FAA systems.

*  The FAA lacked adequate staffing to provide 24-hour monitoring of
   the devices it had installed to detect attacks on its computers.

Raymond Long, the FAA's director of information systems security, says
the agency agrees "99 percent" with the GAO's criticisms and
recommendations.

He insists there's enough redundancy -- equipment such as backup radar
and emergency generators -- to negate any threat to passenger safety.

Still, he said, "You can spend money forever and never reach a
foolproof system. All we try to do is minimize the risk.

"Anyone with enough money, time and effort can get into your system."

An issue of confidence

BAA is one of the largest airport operators, with worldwide revenues
last year of about $3 billion. Its operations at Indianapolis
International would seem to be a low-level target for computer attack.

BAA is, after all, just the company that keeps the floors vacuumed,
collects rents from the airport shops, oils the conveyors, heats the
terminals, polices the grounds and performs other myriad tasks needed
to keep a transportation hub operating.

Each airline handles its own operations, including baggage handling
and flight information. The FAA runs the radar, the air traffic
control screens and the radio.

And each has its own computer systems.

At other, more modern airports, computer systems are highly integrated
-- and vulnerable.

The computer systems at Indianapolis International aren't anywhere
near as modern, said Tim D. Konopinski, BAA's local director of
information technology. That actually could work in their favor.

Some computers aren't linked to networks. Airport police have just one
stand-alone computer, he said.

Other systems aren't computerized enough to be vulnerable to hacking.
The airport runway lights, for example, are turned on and off by
switches, he said. The baggage-handling conveyors are airport
equipment, but the airlines operate them. "There's no interconnection
with our system," Konopinski said.

Moreover, he said, there's no link between the airport and the FAA
facilities located there: the air traffic control tower and the en
route center, which oversees thousands of airplanes daily as they fly
over parts of Indiana and six other states.

BAA's computers contain only internal business records. A teen-ager
who hacked his way into the system might be able to alter some
bookkeeping entries. But he wouldn't be able to inconvenience
travelers, Konopinski said.

Earlier this year, though, Konopinski agreed to let Bussert
Consulting, a small Lafayette firm specializing in computer security
issues, take a quick look at the airport's computer networks.

Bussert, the firm's president, said his company spent 80 hours on an
initial assessment for the airport, most of that interviewing BAA's
computer staff.

Konopinski may view the various computers and networks as separate.
But the networks are separate only in a programming sense, not in
terms of the wiring, Bussert said. "The understanding that I had from
talking to the staff at the airport was that just about every airport
facility is connected by the same copper system."

If that's the case, Bussert said, all of the computers connected to
this copper wiring are only as safe as the weakest link and the
strength of the firewalls -- the computer programs that protect
networks from unauthorized entries.

Bussert said economics played a role in BAA's decision not to hire his
firm. In June, after completing its assessment, Bussert Consulting
offered to do a more extensive security analysis and inventory of the
airport's computers for about $47,000, which included some preliminary
remedial work.

"Their reaction really caught me off guard. It was, 'Oh, well. We
don't really have the money to do this right now. We were only
planning on spending a couple thousand dollars to do this,' " he said.

Konopinski denied that cost was a factor. He said the airport was more
than willing to spend $2,000 on computer security, and it did.

At Indianapolis International, BAA uses Microsoft programs, among
others.

"We have a process where we stay up-to-date with all the Microsoft
security patches," Konopinski said.

That, in itself, is not so reassuring.

In October, Microsoft admitted a hacker had broken into the company's
computer system for 12 days. At some point, the hacker gained access
to the company's jealously guarded source code, which for software
programs is much like a building's blueprints.

Defenses are eroding

The computer systems that directly affect passenger safety are part of
the FAA's National Airspace System, or NAS.

These are the computers that control the radars, the radio
communications, the controller display screens and all the other
pieces needed to route planes safely.

It's not integrated like a computer network. Instead, it's made up of
thousands of pieces of specialized hardware run by custom-designed
software.

Until very recently, the security of this system depended on two
concepts: isolation and obscurity.

Isolation meant there weren't any connections between the air traffic
control equipment and the outside world.

Obscurity meant the FAA's system was too antiquated to penetrate.

Until about two years ago, traffic control across the United States
was handled by relatively old mainframe computers controlled by
customized operating systems and software written in a source code
specifically developed for the FAA.

So even if a hacker found a connection into the air traffic control
system, he wouldn't be able to do anything.

This defense, which became known as "security by obscurity," was
pretty effective, said Jeff Moss, a renowned West Coast hacker known
as "Dark Tangent" and one of the organizers of an annual hackers
convention, Def Con.

"All the new-generation hackers have never played with that system."

Yet many of the older hackers never tried, he said.

"I've never even heard of anybody even joking about going after an
airport," Moss said. "I think it's one of those protected industries,
that it's not something kids decide to go after."

Long, whose job it is to protect the FAA's computers, isn't so
confident that's true.

The FAA won't reveal how many times someone attempted to get into its
computers. But, Long said, the FAA and other government agencies only
recently installed the kind of equipment that detects hacking
attempts, deliberate or accidental.

"We've probably been getting a significant number of hits for years
and didn't know about it," he said.

As the FAA modernizes its equipment, its traditional defenses are
breaking down. Newer software, sometimes even off-the-shelf programs,
is being used.

"It's going to increase our susceptibility to these attacks," Long
admits.

And the national airspace system was never so isolated as sometimes
claimed. Software contractors, for example, can and do upload program
changes directly into computers.

It's Long's job to make sure the FAA knows about these links and that
security is adequate.

One contractor, for example, changes the links and passwords each time
the company connects into the system, Long said.

What worries him are the links he doesn't know about.

In March 1997, for example, a Massachusetts teen hacked into a
telephone company computer system and accidentally disrupted normal
air traffic communications for six hours at a Worcester, Mass.,
airport. The tower was connected to its main radio transmitter by
telephone lines.

During the outage, air traffic controllers used battery-powered radios
to direct planes.

Long also worries about unauthorized connections to the air traffic
control system -- an employee, for example, who has hot-wired his
desktop to the system.

He said he doesn't believe someone could hack their way into one of
BAA's computer and, from there, enter one of the FAA's computer
networks. He also can't say it's impossible.

It's for that reason, he said, that the FAA has set up a voluntary
working group with the airlines and airports "to make sure that all of
our interfaces are not a trapdoor."

Drawing attention

Officials often point out that pilots still fly planes and know how to
land them even when air traffic systems fail.

Gene Spafford, a Purdue University computer science professor, is not
so sure the FAA's air traffic control computers wouldn't be a tempting
target for a saboteur, even without the certainty of being able to
bring a plane down.

"What an interesting statement to make, to tie up all the air traffic
in the United States for a day, coupled with some kind of press
release," said Spafford, who directs Purdue's Center for Education and
Research in Information Assurance and Security.

Yet at least the government is beginning to pay attention to such
security issues. For many corporations, he said, security is usually
an afterthought.

Bussert's assertion that BAA's computers are vulnerable doesn't
surprise Spafford. There may be a security problem. Or maybe Bussert,
whom Spafford doesn't know, has misunderstood the network.

But, he said, "If they were to bring in an expert consulting company,
do a survey and fix the problems that need to be fixed, I would feel
much relieved about it."

Contact Terry Horne at (317) 444-6082 or via e-mail at
terry.horne () starnews com



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".