The report, written by Rebecca Leng, assistant inspector general for financial and information technology audits at the U.S. Department of Transportation, said the FAA is experiencing the same problem many critical infrastructure providers have when they try to interconnect their networks -- in this case, the FAA's administrative and ATC networks.
"While use of commercial IP products, such as web applications, has enabled [the] FAA to efficiently collect and disseminate information to facilitate ATC services, it inevitably poses a higher security risk to ATC systems than when they were developed primarily with proprietary software," Leng wrote. "Now, attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC systems, which is especially worrisome at a time when the nation is facing increased threats from sophisticated nation-state-sponsored cyberattacks."
In one 2006 case, the report said, a virus spread from the agency's administrative networks, forcing the shutdown of some of its ATC systems in Alaska. And during the audit's penetration tests, Leng said, investigators gained access to an ATC system that controlled power supplies at six centers.
The FAA, though, disagreed with the report's claim that ATC systems had been compromised, and that someone could jump to the ATC network via the administrative network.
"They're completely separate networks," FAA spokesman Paul Takemoto told SCMagazineUS.com. "You cannot access one from another. The network that the investigators got into did not involve the actual control of air traffic."
Basing its conclusions on tests of 70 web applications, the report identified 763 "high-risk" vulnerabilities. It said some of these flaws could be exploited to gain unauthorized access to data stored in web-based repositories. Meanwhile, FAA users, who include employees, contractors and partners, could leverage these same bugs to gain access to ATC systems, while outside attackers could use the vulnerabilities to install malware on user machines.
In addition, the report found that of the hundreds of operation centers where ATC systems are located, just 11 have deployed intrusion detection system sensors.
Ryan Barnett, director of application security research at Breach Security, said web applications are one of today's most common attack vectors.
"It doesn't really matter what the vertical market is," he told SCMagazineUS.com on Thursday. "Most people with web apps are sharing the same underlying problems. Everyone's got these issues."
Barnett blamed the FAA's apparent security lapse on a lack of coverage and visibility and poor configuration. He told SCMagazineUS.com that the agency should have installed intrusion prevention systems at all of its ATC locations and that its web applications should alert administrators "when they see known bad traffic."
Despite disputing reports that its ATC systems actually were breached, the FAA said it agreed with the report's recommendations to properly configure web applications, identify vulnerabilities and install patches in a timely manner.
"We have an entire office that is dedicated to monitoring our cybersecurity," Takemoto said. In reference to conventional penetration testing, he said: "They're constantly looking for ways to access our system in ways it shouldn't be."
The report comes roughly three months after the FAA notified employees that a server was illegally accessed to retrieve the personal information on more than 45,000 agency employees and retirees.