Two FAA systems, a single cause

Agency links security, air traffic control

Responding to criticism of its policies governing information security, the Federal Aviation Administration says its effort to infuse security measures into every system used for air traffic control is "linked at the hip" with developing an upgraded National Airspace System.

Daniel Mehan, the FAA's chief information officer, is directing the creation of an information systems security architecture and is ensuring that it is linked to the NAS architecture that describes the design and future capabilities of the air traffic control system.

Some of the same people writing the information systems security architecture also are writing the NAS architecture, said Michael Harrison, director of architecture and systems engineering at the FAA.

"The vulnerability of the NAS increases with modernization because of more reliance on software, more reliance on TCP/IP and more reliance on intranet and Internet activities," Harrison said. "As we move toward more modern software, the tools that allow people to attack systems become readily available."

As the NAS evolves into a system less isolated from other FAA systems, individual program directors can use the information systems security architecture to weigh the level of vulnerability of a particular system against existing security methods, such as virtual private networks, smart cards, biometrics and intrusion detection, Mehan said.

Audits by the General Accounting Office and the Transportation Department inspector general last year raised red flags about the FAA's failure to create and enforce policies that protect information inside the NAS and in the agency's administrative systems. The auditors also disputed the FAA's plans to implement a telecommunications infrastructure that would have combined traffic from air traffic control systems with traffic from administrative systems, such as personnel and financial systems.

As part of the FAA's response, Mehan started work on the information systems security architecture to describe the requirements for information security in all agency systems. He and FAA Administrator Jane Garvey also created a policy to assign organizational and management responsibilities in the FAA's different business lines to ensure implementation of the Computer Security Act of 1987 and Presidential Decision Directive 63. The latter requires agencies to secure critical infrastructure by May 2003.

The FAA's approach to the architecture is based on a five-layer pyramid that starts with personnel and physical security and progresses to specific site and systems protection, Mehan said.

The FAA also enlisted the input of the Industry Advisory Council to make sure that suppliers and developers of new air traffic systems were aware of the architecture and could help shape its implementation, he said.

"We want to let people start designing toward it," Mehan said. An updated version will be issued by mid-2001, and after that the CIO's staff will begin looking at the information security needs of non-NAS systems and at the elements of the NAS that interact with them.

The agency also created a three-pronged security certification process involving the FAA's integrated product teams, which supervise new developments. No system can enter the NAS without certification by an information systems security manager on the development team, the CIO and the system owner who will deploy the system, Mehan said.

"It's a good virtual organization that is virtually linked in terms of the common objectives of information systems security," he said.

Although the move to certify systems is growing, most programs do not know what type of testing to conduct, said Alan Paller, director of research for the SANS Institute Inc., a research and educational organization for system administrators and security professionals.

"In most cases, there's no visibility, accountability or measurability," Paller said. The argument that each system needs a different measure will only hinder progress, he said.

The FAA's Harrison acknowledged that it's not easy to get program managers to accept the added responsibilities.

"An integrated product team facing cost and schedule pressures doesn't like to hear about certification and authorization, but [the system] won't be commissioned until it's done," he said.

Locking up air traffic control

The FAA's chief information officer is crafting other policies to secure the air traffic infrastructure:

• An order issued in June 2000 assigns accountability within the agency's business lines for implementing information security measures.

• An order will be issued this year instructing the agency to secure all entry points to its systems.

• Another expected order would direct the agency to secure Web sites, protecting another entry point to its systems.
