Quality Control Review on the Vulnerability Assessment of FAA's Operational Air Traffic Control System
On April 15, 2011, we issued a quality control review report on the vulnerability assessment of the Federal Aviation Administration's (FAA's) operational air traffic control (ATC) system. We conducted this review at the request of the current Chairmen of the House Transportation and Infrastructure Committee and its Subcommittee on Aviation. The objective of this audit was to determine whether the systems can be accessed by unauthorized users from inside ATC facilities through FAA’s Mission Support System Network by assessing systems and networks at two FAA facilities.
Clifton Gunderson LLP, of Calverton, Maryland, completed the audit under contract to the Office of Inspector General (OIG). OIG staff performed a quality control review of Clifton Gunderson's audit work to ensure that it complied with generally accepted government auditing standards. Our review disclosed no instances in which Clifton Gunderson did not comply in all material respects with applicable auditing standards.
Clifton Gunderson concluded that they were unable to gain access to FAA's operational ATC systems. However, they identified the following weaknesses at the Air Route Traffic Control Centers: 1) information disclosure vulnerabilities; 2) inadequate system patch levels and unsupported operating systems; 3) improper network configurations; and 4) communication system vulnerabilities.