Air traffic control security penetration tests find vulnerabilities

Auditors were unable to penetrate Federal Aviation Administration operational air traffic control systems at two of the agency's high-altitude traffic control centers, says a terse synopsis of a Transportation Department inspector general audit.

The synopsis, dated April 15, says that security penetration tests conducted by Clifton Gunderson, of Calverton, Md., did not manage to reach air route traffic control center mission systems via an FAA air traffic control mission and administrative network connected to the public Internet.

But the tests did reveal vulnerabilities. At one point, security testers were able to access, without a password, "hundreds of pages of sensitive technical information" describing network configuration and gateways. Testers also found operating systems that were missing high-risk patches and were improperly configured, and encountered a communication system at one location "that does not require complex passwords and is no longer supported by the vendor."

The lack of sufficiently complex passwords in particular "could lead to an unauthorized manipulation of the communication system, a total system shutdown, or falsification and impersonation of facility communications," the synopsis states.

For more:
- download the synopsis, QC-2011-047 (.pdf)
