Information Security News mailing list archives

FAA technologist urges better security in network boxes


From: InfoSec News <isn () c4i org>
Date: Wed, 29 Jan 2003 02:22:13 -0600 (CST)

http://www.commsdesign.com/news/OEG20030128S0031

By Robert Keenan 
CommsDesign.com
Jan 28, 2003 

WASHINGTON -- In a keynote address at the Comnet 2003 conference here
Tuesday (Jan. 28), the chief information officer of the U.S. Federal
Aviation Administration urged networking equipment designers to add
security capabilities to their systems earlier in the design process.

To aid the effort, the FAA is working with manufacturers to define
security requirements for the FAA's networks, said Daniel Mehan,
assistant administrator for information services and CIO of the
federal agency. "We're trying to reach a meeting of the minds so that
we can get more security features into initial designs," he said.

The recommendation would require a major change for most network
equipment designers. For the past 10 to 20 years, most have fallen
short of their corporate counterparts in adding reliability features
to their architectures, Mehan said. "There is not as much discipline
on the cybersecurity front," he said.

Mehan's request to industry is just one point in the FAA's three-layer
approach to bringing higher levels of security to its network, which
manages an average of 350,000 flights and two million passengers per
day. While the progression of hacker knowledge has decreased, their
attacks have gotten stronger, Mehan said. "This is an
area where you always have to be prepared," he said.

The first layer of the FAA's approach involves personnel security, and
is intended to educate and automate the security of FAA personnel. The
second involves physical security; Mehan said that job is never done.  
The final layer focuses on cybersecurity.

To improve cybersecurity, Mehan said the FAA and all businesses must
harden individual network and system elements, isolate elements to
avoid viral attacks, and back up elements to support event recovery.
"You're going to catch a cold," Mehan said. "The trick is containing
the cold."

Having networking equipment developers add security to their designs
is one element of cybersecurity, but Mehan also called for the
isolation of mission-critical components. The FAA isolates the
network-attached storage systems that house vital flight information,
for example.

Proprietary trade-offs

The use of open protocols presents a big cybersecurity challenge to the
FAA. A portion of the FAA's current security architecture is based on
proprietary protocols that are not well understood by present-day
workers, Mehan said. To ease their understanding, the FAA is moving
away from proprietary protocols towards open standards, he said.

But this presents a challenge, Mehan said. Proprietary protocols have
done well protecting the FAA's systems. In moving to open standards,
Mehan said the FAA is concerned about maintaining the level of
security of its current system. To address these problems, the FAA
will continue to use its multilayered approach, Mehan said.

The efforts seem to be paying off. While many Internet systems around
the world were hit hard by the Slammer worm this past weekend, Mehan
said the FAA's systems remained relatively untouched. Slammer only
affected one of the FAA's administrative boxes, he said.

Even so, Mehan said he couldn't guarantee that FAA systems will
counter all unseen attacks. Hackers are continually arming themselves
for new attacks, he said. Thus, the FAA and other organizations must
remain on their toes and continue to improve their cybersecurity
efforts. "This is an area where you always have to be prepared," he
said.


