Agency Award: Federal Aviation Administration | Protect and serve

2007 GCN Award: FAA takes network security to the next level, in more ways than one

Good security depends on people as well as technology

Establishing a cybersecurity management operation requires more than just having the right tools in place. You also need the support of those above and below you in the chain of command. The Federal Aviation Administration's Cyber Security Incident Response Center grew from a small operation with limited capabilities into a departmentwide security management center because of the support the center received and the technology it uses.

'We've gotten buy-in from the senior leadership,' said Mike Brown, FAA director of information systems security.

The technology is important, too. Having a good security management tool to correlate the growing volume of information from network sensors is critical if an incident response center is to be useful to its customers, said Ron Maree, Northrop Grumman program manager for FAA's CSIRC.

'If it takes you 12 hours to get to something, you're too late,' Maree said. The task also requires cooperation with other organizations working in the same space, such as the U.S. Computer Emergency Readiness Team. 'Don't try to do it by yourself and be a lone ranger.'

Once these pieces are in place, the most important thing is to provide value to the customers depending on your services. Security is not an end in itself, but an enabler for those who are running and using the network.

It should protect them without unduly restricting them, and it doesn't hurt to let them know when they have dodged a bullet. Go for some low-hanging fruit to show some return on investment.

'We work to gain constituent trust,' said Christopher Garcia, FAA program director for CSIRC. 'And once we get it we have to keep it.'

William Jackson

WHAT: Federal Aviation Administration Cyber Security Incident Response Center

MISSION: Provide the ability to protect FAA networks, detect intrusions and security incidents, respond to those incidents, and recover from them.

CHALLENGE: CSIRC began as a small team with few tools and responsibility for monitoring only the FAA administrative network. The evolution of air traffic control and other FAA operational networks away from stand-alone systems made them more vulnerable to network threats. The FAA CSIRC set out to provide more protection and to become a federal Center of Excellence for cybersecurity, providing services to other agencies.

SOLUTION: Beginning in 2001 with the arrival of Mike Brown as FAA director of information systems security, support from top-level management at FAA enabled CSIRC to build its resources and expand its capabilities with the addition of professional analysts, standardized intrusion-detection tools and a security information management system to provide analysis of data from the sensors.

IMPACT: Response time to security incidents has been reduced from hours to minutes, and CSIRC has become the Transportation Department's Cyber Security Management Center. It provides early warning and response to security problems for the department's networks and assists with vulnerability and configuration management.

COST: This is an ongoing multiyear program that is part of the cybersecurity budgets of multiple agencies in DOT.

IN FRONT: Christopher Garcia says FAA's response center is 'ahead of the curve.'

Zaid Hamid

AIR DEFENSE: The CSIRC team's network security covers the Transportation Department.

The Federal Aviation Administration's Cyber Security Incident Response Center recently changed its name, home and mission. As of Oct. 1, CSIRC became the Transportation Cyber Security Management Center, providing network security services for the entire Transportation Department from a new 15,000-square-foot facility in Leesburg, Va.

As the new name implies, the center's new job is about more than just responding to security incidents.

'Now we're getting out ahead of the curve' and managing security, said Christopher Garcia, CSMC program director.

The shift to departmentwide responsibility is one step toward the goal of establishing the FAA facility as a federal center of excellence for cybersecurity that could provide services to other civilian agencies on a fee-for-service basis. That would be the culmination of an effort that started six years ago to turn what was a bare-bones incident response team in 2001 into a state-of-the-art security management center.

What began with three FAA employees and six contract support employees monitoring seven network sensors for the FAA administrative network is now an around-the-clock operation with 17 government watch employees supported by 33 contractors from Northrop Grumman. The center has its own testing and evaluation lab, a local-area network test bed and a training lab that uses a security information management tool to analyze data from a suite of network sensors. Center officials have signed memorandums of understanding to share information with Mexico, Canada, Europe and NATO, and would like to sign one with the United Kingdom, said FAA Information Systems Security Director Mike Brown.

'It's the largest thing that I've done in 27 years with the FAA,' Garcia said of the evolution.

Garcia credits the arrival of Brown as security director from the Defense Department in 2001 as the catalyst for the transformation. Brown wanted to take the center from incident response to a full range of protection, detection, response and recovery. Northrop Grumman was brought in as an integrator in 2004 to help with the expansion.

As FAA's air traffic control systems evolved from stand-alone systems to a networked enterprise using commercial products, they became exposed to more vulnerabilities, and the need for CSIRC's services grew. CSIRC expanded its staff and moved to a larger, 4,000-square-foot facility in 2002 to provide these services.

But when CSIRC expanded, its analysts became overwhelmed by the volume of incoming information, said Ron Maree, Northrop Grumman program manager.

Data came from intrusion-detection system sensors in the form of logs that analysts would pore over. With thousands of daily alerts, it could take as long as 12 hours to identify a problem and notify the customer. FAA wanted to move CSIRC from this Level 1 analysis to a more sophisticated level to reduce response time.

CSIRC settled on Enterprise Security Management from ArcSight after an 18-month selection process.

With some other security management tools, the same attack could be run against a tool three times, and it would return three different results. ArcSight consistently got the attacks right, and it handled the high volume of data coming from the IDS sensors. The sensors look at 2.4 million packets per second on each server and generate 95,000 alerts a day that ArcSight ESM analyzes.

Of the 95,000 alerts ESM analyzes daily, only about 15 are passed to human analysts for Level 2 analysis. These in turn produce about two incidents a day that require the attention of someone on the network.

'It has changed our response time from up to eight hours down to eight minutes,' Garcia said.

The center maintains close connections with the department's other information technology security officers and operations and with physical security and workforce offices.

'In the past, we rarely had opportunities to cross those boundaries,' Garcia said.

Faster and more advanced analysis of incidents allowed CSIRC to give its customer agencies advance warning on virus and worm outbreaks such as I Love You/Melissa and Slammer.

'I'd rather be lucky than good,' Garcia said. 'We were good and had some luck, too.'
