[ISN] Transportation agencies called vulnerable to cyberattacks

From: InfoSec News (isnat_private)
Date: Mon Oct 01 2001 - 03:25:48 PDT


    http://www.govexec.com/dailyfed/0901/092701j1.htm
    
    By Joshua Dean
    jdeanat_private 
    September 27, 2001 
    
    The Transportation Department and its operating agencies are
    vulnerable to computer attacks, according to a newly released report
    from the department's inspector general.
    
    "This report presents the first big picture on security at DOT," said
    David Barnes, spokesman for the IG's office. The report focuses
    primarily on security deficiencies in the Federal Aviation
    Administration's air traffic control system and on the Coast Guard's
    disaster recovery capabilities.
    
    The report was required under the 2001 Government Information Security
    Reform Act, which mandated an annual independent evaluation of
    agencies' information security programs.
    
    Investigators were most concerned about the FAA's planned upgrade to
    its telecommunications system and its repercussions on information
    security.
    
    "The most significant network security issue we identified concerns
    FAA's plans to place its air traffic control systems, which now operate
    on a dedicated network, and its administrative systems on one
    integrated network with direct connections to the Internet," the report
    said. "We found that while FAA asked vendors to propose security
    solutions for the integrated network, it did not adequately evaluate
    security for air traffic control systems."
    
    Of the FAA's 400 air traffic control systems, the IG found FAA planned
    only to certify 40 of those as being secure before awarding a contract
    to connect the agency to the Internet. The IG agreed with the FAA's
    goal of integrating all networks supporting air traffic control.
    However, the report encouraged the FAA to keep its administrative
    network separate from the air traffic control network.
    
    The FAA has since deferred awarding one contract pending resolution of
    the security issue, the report said.
    
    The IG's report also concluded that the Transportation Department as a
    whole was deficient in protecting information systems. "We identified
    weaknesses in firewall security that allowed us to gain unauthorized
    access from the Internet to about 270 computers located within DOT's
    private networks," said the report.
    
    The IG also expressed concern about weaknesses in safeguarding access
    to computers at DOT agencies. The report identified numerous access
    weaknesses, such as systems that allowed unlimited password attempts
    or failed to make passwords expire on pre-established dates, a failure
    to prevent unauthorized remote access, a lack of encryption of
    financial data and weak oversight of contractors working on DOT
    information systems.
    
    Barnes noted that while the FAA has made significant strides in
    conducting background checks on contractors, other Transportation
    agencies have not. The FAA reported it has conducted background checks
    on 85 percent of its contractors, while the department's other agencies
    averaged just 25 percent.
    
    The report criticized Transportation's critical infrastructure
    protection efforts and said its disaster recovery and system
    contingency plans were inadequate. The IG's office singled out the
    Coast Guard as a prime offender. "If its main data center experiences
    prolonged service disruptions, [the] Coast Guard would have difficulty
    in recovering its search and rescue system," the report said.
    
    The IG's office acknowledged that the department has made strides in
    cybersecurity and protecting privacy. However, the report said, as
    evidenced by the recent Code Red worm attack, which caused service
    disruptions to more than 100 DOT computers, including Web sites,
    maintaining Web security and privacy protection remains a challenge.
    