WASHINGTON — In a keynote address at the Comnet 2003 conference here Tuesday (Jan. 28), the chief information officer of the U.S. Federal Aviation Administration urged networking equipment designers to add security capabilities to their systems earlier in the design process.
To aid the effort, the FAA is working with manufacturers to define security requirements for the FAA's networks, said Daniel Mehan, assistant administrator for information services and CIO of the federal agency. "We're trying to reach a meeting of the minds so that we can get more security features into initial designs," he said.
The recommendation would require a better understanding of network security issues from equipment designers. For the past 10 to 20 years, they have done a nice job adding reliability features to their architectures, but "there is not as much discipline on the cybersecurity front," Mehan said.
Mehan's request to industry is just one point in the FAA's three-layer approach to bringing higher levels of security to its network, which manages an average of 350,000 flights and two-million passengers per day. While the progression of hacker knowledge has decreased, the strength of their attacks has gotten stronger, Mehan said. "This is an area where you always have to be prepared," he said.
The first layer of the FAA's approach involves personnel security, and is intended to educate and automate the security of FAA personnel. The second involves physical security; Mehan said that job is never done. The final layer focuses on cybersecurity.
To improve cybersecurity, Mehan said the FAA and all business must harden individual network and system elements, isolate elements to avoid viral attacks, and backup elements to support event recovery. "You're going to catch a cold," Mehan said. "The trick is containing the cold."
Having networking equipment developers add security to their designs is one element of cybersecurity, but Mehan also called for the isolation of mission-critical components. The FAA isolates the network-attached storage systems that house vital flight information, for example.
Proprietary trade-offs
The use of open protocols present a big cybersecurity challenge to the FAA. A portion of the FAA's current security architecture is based on proprietary protocols that are not well understood by present day workers, Mehan said. To ease their understanding, the FAA is moving away from proprietary protocols towards open standards, he said.
But this presents a challenge, Mehan said. Proprietary protocols have done well protecting the FAA's systems. In moving to open standards, Mehan said the FAA is concerned about maintaining the level of security of its current system. To address these problems, the FAA will continue to use its multilayered approach, Mehan said.
The efforts seem to be paying off. While many Internet systems around the world were hit hard by the Slammer worm this past weekend, Mehan said the FAA's systems remained relatively untouched. Slammer only affected one of the FAA's administrative boxes, he said.
Even so, Mehan said he couldn't guarantee that FAA systems will counter all unseen attacks. Hackers are continually arming themselves for new attacks, he said. Thus, the FAA and other organizations must remain on their toes and continue to improve their cybersecurity efforts. "This is an area where you always have to be prepared," he said.
