[ISN] FAA technologist urges better security in network boxes

From: InfoSec News (isnat_private)
Date: Wed Jan 29 2003 - 00:22:13 PST

  • Next message: InfoSec News: "[ISN] Cryptography Contest: Cracking an Algorithm bit by bit."

    By Robert Keenan 
    Jan 28, 2003 
    WASHINGTON -- In a keynote address at the Comnet 2003 conference here
    Tuesday (Jan. 28), the chief information officer of the U.S. Federal
    Aviation Administration urged networking equipment designers to add
    security capabilities to their systems earlier in the design process.
    To aid the effort, the FAA is working with manufacturers to define
    security requirements for the FAA's networks, said Daniel Mehan,
    assistant administrator for information services and CIO of the
    federal agency. "We're trying to reach a meeting of the minds so that
    we can get more security features into initial designs," he said.
    The recommendation would require a major change for most network
    equipment designers. For the past 10 to 20 years, most have fallen
    short of their corporate counterparts in adding reliability features
    to their architectures, Mehan said. "There is not as much discipline
    on the cybersecurity front," he said.
    Mehan's request to industry is just one point in the FAA's three-layer
    approach to bringing higher levels of security to its network, which
    manages an average of 350,000 flights and two-million passengers per
    day. While the progression of hacker knowledge has decreased, the
    strength of their attacks has gotten stronger, Mehan said. "This is an
    area where you always have to be prepared," he said.
    The first layer of the FAA's approach involves personnel security, and
    is intended to educate and automate the security of FAA personnel. The
    second involves physical security; Mehan said that job is never done.  
    The final layer focuses on cybersecurity.
    To improve cybersecurity, Mehan said the FAA and all business must
    harden individual network and system elements, isolate elements to
    avoid viral attacks, and backup elements to support event recovery.  
    "You're going to catch a cold," Mehan said. "The trick is containing
    the cold."
    Having networking equipment developers add security to their designs
    is one element of cybersecurity, but Mehan also called for the
    isolation of mission-critical components. The FAA isolates the
    network-attached storage systems that house vital flight information,
    for example.
    Proprietary trade-offs
    The use of open protocols present a big cybersecurity challenge to the
    FAA. A portion of the FAA's current security architecture is based on
    proprietary protocols that are not well understood by present day
    workers, Mehan said. To ease their understanding, the FAA is moving
    away from proprietary protocols towards open standards, he said.
    But this presents a challenge, Mehan said. Proprietary protocols have
    done well protecting the FAA's systems. In moving to open standards,
    Mehan said the FAA is concerned about maintaining the level of
    security of its current system. To address these problems, the FAA
    will continue to use its multilayered approach, Mehan said.
    The efforts seem to be paying off. While many Internet systems around
    the world were hit hard by the Slammer worm this past weekend, Mehan
    said the FAA's systems remained relatively untouched. Slammer only
    affected one of the FAA's administrative boxes, he said.
    Even so, Mehan said he couldn't guarantee that FAA systems will
    counter all unseen attacks. Hackers are continually arming themselves
    for new attacks, he said. Thus, the FAA and other organizations must
    remain on their toes and continue to improve their cybersecurity
    efforts. "This is an area where you always have to be prepared," he
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 04:10:20 PST