So US Air Traffic Controllers can now work from home?
Because I cannot think of any other plausible reason for these systems to be directly connected to the general internet.
What any ATC organisation does is pretty specific and pretty specialised. Like SCADA systems in utility companies. The bulk of people who have a *legitimate* interest in their detailed operations are similar bodies around the world.
To be fair the quotes "IDS sensors are installed in only 11 ATC facilities" and "What's more, none of the IDS sensors monitor mission critical ATC operation systems" may be misleading. If the truly "Mission critical" systems are on an entirely separate network there would be *no* need for an IDS. Likewise if those 11 sites are the main data centre, and the *only* points of net access they *should* be the only places you need IDS installation. Not saying that is how it is. Merely that it *could* be that way. The tone of the report suggests it is not.
But "ensuring all web apps are configured in compliance with governmental security standards"
This should be a level 1 requirement in the boilerplate for *any* new US Gov. system. And I'm prepared to bet that all of these systems have a *lot* of development doc. attached to each of them. Yes there is probably a big book of stuff to be waded through to ensure this. That's part of the difference between being a professional software developer and a hacker (in the pejorative sense).
The real cost benefit of using internet derived (and open source) standards is the freedom to change suppliers *provided* you follow those standards. Don't like your server farm supplier's deal. Dump them and port it. Tired of browser X's botched rendering engine. Roll out Y. Database not cutting the mustard in response time. Start a new procurement and comment out those xxxx specific macros. You don't *need* to use the *actual* open internet itself to get these benefits.
And not a word on virtual private networks, which would seem an elementary security precaution.
Understanding these questions, and their implications, is the difference between being a Network Architect, a network plumber and a bean counter.
We can hope European ATC organisations are a bit tighter. But who knows?
Mine's the one with Die Hard 2 in the pocket. Obviously on the basis of this report they were clueless amateurs.