Agency Award'Federal Aviation Administration | Protect and serve
2007 GCN Award: FAA takes network security to the next level, in more ways than one
- By William Jackson
- Oct 07, 2007

IN FRONT: Christopher Garcia says FAA's response center is 'ahead of the curve.'
Zaid Hamid

AIR DEFENSE: The CSIRC team network security covers the Transportation Department.
The Federal Aviation Administration's Cyber Security Incident Response Center recently changed its name, home and mission. As of Oct. 1, CSIRC became the Transportation Cyber Security Management Center, providing network security services for the entire Transportation Department from a new 15,000-square-foot facility in Leesburg, Va.
For the complete list of the 2007 GCN Award winners, click here
As the new name implies, the center's new job is about more than just responding to security incidents.
[IMGCAP(1)]'Now we're getting out ahead of the curve' and managing security, said Christopher Garcia, CSMC program director.
The shift to departmentwide responsibility is one step toward the goal of establishing the FAA facility as a federal center of excellence for cybersecurity that could provide services to other civilian agencies on a fee-for-service basis. That would be the culmination of an effort that started six years ago to make a bare-bones incident response team in 2001 into a state-of-the-art security management center.
What began with three FAA employees and six contract support employees monitoring seven network sensors for the FAA administrative network is now an around-the-clock operation with 17 government watch employees supported by 33 contractors from Northrop Grumman. The center has its own testing and evaluation lab, a local-area network test bed and a training lab that uses a security information management tool to analyze data from a suite of network sensors. Center officials have signed memorandums of understanding to share information with Mexico, Canada, Europe and NATO, and would like to sign one with the United Kingdom, said FAA Information Systems Security Director Mike Brown.
'It's the largest thing that I've done in 27 years with the FAA,' Garcia said of the evolution.
[IMGCAP(2)]Garcia credits the arrival of Brown as security director from the Defense Department in 2001 as the catalyst for the transformation. Brown wanted to take the center from incident response to a full range of protection, detection, response and recovery. Northrop Grumman was brought in as an integrator in 2004 to help with the expansion.
As FAA's air traffic control systems evolved from stand-alone systems to a networked enterprise using commercial products, they became exposed to more vulnerabilities, and the need for CSIRC's services grew. CSIRC expanded its staff and moved to a larger, 4,000-square-foot facility in 2002 to provide these services.
But when CSIRC expanded, its analysts became overwhelmed by the volume of incoming information, said Ron Maree, Northrop Grumman program manager.
Data came from intrusion-detection system sensors in the form of logs that analysts would pore over. With thousands of daily alerts, it could take as long as 12 hours to identify a problem and notify the customer. FAA wanted to move CSIRC from this Level 1 analysis to a more sophisticated level to reduce response time.
CSIRC settled on Enterprise Security Management from ArcSight, after an 18-month selection process.
With some other security management tools, the same attack could be run against a tool three times, and it would return three different results. ArcSight consistently got the attacks right, and it handled the high volume of data coming from the IDS sensors. The sensors look at 2.4 million packets per second on each server and generate 95,000 alerts a day that ArcSight ESM analyzed.
Of the 95,000 alerts ESM analyzed daily, only about 15 are passed to human analysts for Level 2 analysis. These in turn produce about two incidents a day that require the attention of someone on the network.
'It has changed our response time from up to eight hours down to eight minutes,' Garcia said.
The center maintains close connections with the department's other information technology security officers and operations and with physical security and workforce offices.
'In the past, we rarely had opportunities to cross those boundaries,' Garcia said.
Faster and more advanced analysis of incidents allowed CSIRC to give its customer agencies advance warning on such virus and worm outbreaks such as I Love You/Melissa and Slammer.
'I'd rather be lucky than good,' Garcia said. 'We were good and had some luck, too.'