FAA Beefs Up Its Computer Security

By Carole Shifrin, Contributing WriterThe Federal Aviation Administration this month will begin training and certification of up to 250 employees as information systems security professionals.The training will be conducted by the International Information Systems Security Certification Consortium Inc., a nonprofit corporation that specializes in developing certification programs for information systems security workers. The effort is one of many the FAA is undertaking in a stepped-up program to assure that its critical infrastructure, which supports the National Airspace System, is protected from security breaches.Other initiatives include an assessment of existing critical information systems for security vulnerabilities. Scheduled to be complete by the end of fiscal 2001, the FAA already has identified more than 100 critical systems that are being "hardened" to resist attack. An agency goal is to apply cost-effective risk mitigation to at least 70 percent of all critical information systems by the end of fiscal 2002.Another effort involves creating a computer security incident response center to detect, analyze and respond to intrusions and incidents.Information systems security has been a top priority of Daniel Mehan, the FAA's assistant administrator for information services and its chief information officer since joining the agency in February 1999. In May, at Mehan's direction, the agency also established an Office of Information Systems Security within his department to coordinate the agency's security activities. He tapped as director Raymond Long, former director of the FAA's Year 2000 Program effort."The world was very attentive to Y2K," Mehan said, "and Y2K is really just a fraction of the challenge in information systems security."That challenge has intensified in recent years because of the change in the way the agency does business, Mehan said. In the past, the FAA's systems, particularly in its crucial air traffic control role, were considered self-contained. Someone had to be physically present to tamper with the system. "Where you use proprietary systems and where you use languages that are not the most common, you have a natural protection," Mehan said.More recently, however, the growth of global networks, interconnectivity of critical systems and increasing use of the Internet ? which makes more automated information available to air space users ? have all increased the potential threat of outsiders tampering with agency systems and information."When you set up Web sites and places where people can come in and look, you have to be absolutely certain that there are firewalls so that people cannot get from the Web site into the inside network," Mehan said. "We're doing a lot of work in the information systems security area to understand what we need to do to protect our critical infrastructure."According to Mehan, the FAA has developed a way of looking at information security that centers on five layers of protection:? This level is designed to ensure personnel who have key roles or access to sensitive data are trustworthy. This is done through the appropriate vetting of FAA employees and background checks on contractors and subcontractors.? This is designed to ensure the agency's facilities are safe from unauthorized access and physical harm. Those being granted right of entry must be properly screened before unescorted access is allowed.? This refers to the air traffic control system's design, which prevents a breach of one facility from having a negative impact on another. "This simply says that our centers, while they work together, can work relatively independently, too," Mehan said. If there were a problem at one of the 20 en route ATC centers, for instance, air traffic would be routed around it, he said.? This is a concept that refers to adjusting the programs at each facility to the unique requirements of the site. "When programs go into a site, they have to be married with the geography and the special situations of that site," Mehan said.? There are primary, secondary and backup systems. Manual procedures, if they had to be used, might result in delays but would not compromise aviation safety, according to the FAA. The FAA believes there is no single point of failure within the National Airspace System."Those layers of protection have helped us to date," Mehan said. "What we look to do over the next year is retain those layers by using electronic roadblocks and checkpoints where we're losing some of the old protections from the uniqueness of the systems."The five layers of protection concept has been questioned by some key legislators, who asked the General Accounting Office for its assessment. In a report in May to the House Science Committee, Joel Willemssen, GAO's director of civil agencies information systems, gave a measure of support to the five layers idea with some caveats."While this concept is not a generally accepted security framework supported entirely by policies and procedures, it appears to be a logical overview to understanding computer security at the FAA," Willemssen said. However, the GAO report cautioned that there were "known weaknesses within each layer that could negatively affect the operational efficiency" of the NAS.For one, GAO said the FAA has failed to comply with its personnel security policy, thus increasing the risk that "inappropriate individuals" may gain access to its facilities, information or resource. The GAO, however, conceded that the agency has made progress in addressing these shortcomings. The FAA had, for example, by May completed background searches for more than 98 percent of its 48,000 employees.However, GAO complained that the agency did not know the extent of contractor employees lacking the necessary background checks. That task is formidable: The FAA has estimated that it has 28,000-plus contracts and purchase orders under which 38,000 contractor employees were engaged. Background searches have been performed for about 16,000 contractor employees since 1996. The FAA maintains that the risk of intrusion is low because of the five-layers concept, and it is focusing on the contracts that support 435 mission-critical systems. It expects to complete risk assessment activities of all these contracts by the end of September. One of the tenets of a "Security in Information Technology Architecture" document the agency released this summer is the inclusion of "technical security" as a critical functional component in all new systems before their deployment.