Agency Award'Federal Aviation Administration | Protect and serve

2007 GCN Award: FAA takes network security to the next level, in more ways than one.

The Federal Aviation Administration's Cyber Security Incident Response Center recently changed its name, home and mission. As of Oct. 1, CSIRC became the Transportation Cyber Security Management Center, providing network security services for the entire Transportation Department from a new 15,000-square-foot facility in Leesburg, Va.As the new name implies, the center's new job is about more than just responding to security incidents.[IMGCAP(1)]'Now we're getting out ahead of the curve' and managing security, said Christopher Garcia, CSMC program director.The shift to departmentwide responsibility is one step toward the goal of establishing the FAA facility as a federal center of excellence for cybersecurity that could provide services to other civilian agencies on a fee-for-service basis. That would be the culmination of an effort that started six years ago to make a bare-bones incident response team in 2001 into a state-of-the-art security management center.What began with three FAA employees and six contract support employees monitoring seven network sensors for the FAA administrative network is now an around-the-clock operation with 17 government watch employees supported by 33 contractors from Northrop Grumman. The center has its own testing and evaluation lab, a local-area network test bed and a training lab that uses a security information management tool to analyze data from a suite of network sensors. Center officials have signed memorandums of understanding to share information with Mexico, Canada, Europe and NATO, and would like to sign one with the United Kingdom, said FAA Information Systems Security Director Mike Brown.'It's the largest thing that I've done in 27 years with the FAA,' Garcia said of the evolution.[IMGCAP(2)]Garcia credits the arrival of Brown as security director from the Defense Department in 2001 as the catalyst for the transformation. Brown wanted to take the center from incident response to a full range of protection, detection, response and recovery. Northrop Grumman was brought in as an integrator in 2004 to help with the expansion.As FAA's air traffic control systems evolved from stand-alone systems to a networked enterprise using commercial products, they became exposed to more vulnerabilities, and the need for CSIRC's services grew. CSIRC expanded its staff and moved to a larger, 4,000-square-foot facility in 2002 to provide these services.But when CSIRC expanded, its analysts became overwhelmed by the volume of incoming information, said Ron Maree, Northrop Grumman program manager.Data came from intrusion-detection system sensors in the form of logs that analysts would pore over. With thousands of daily alerts, it could take as long as 12 hours to identify a problem and notify the customer. FAA wanted to move CSIRC from this Level 1 analysis to a more sophisticated level to reduce response time.CSIRC settled on Enterprise Security Management from ArcSight, after an 18-month selection process.With some other security management tools, the same attack could be run against a tool three times, and it would return three different results. ArcSight consistently got the attacks right, and it handled the high volume of data coming from the IDS sensors. The sensors look at 2.4 million packets per second on each server and generate 95,000 alerts a day that ArcSight ESM analyzed.Of the 95,000 alerts ESM analyzed daily, only about 15 are passed to human analysts for Level 2 analysis. These in turn produce about two incidents a day that require the attention of someone on the network.'It has changed our response time from up to eight hours down to eight minutes,' Garcia said.The center maintains close connections with the department's other information technology security officers and operations and with physical security and workforce offices.'In the past, we rarely had opportunities to cross those boundaries,' Garcia said.Faster and more advanced analysis of incidents allowed CSIRC to give its customer agencies advance warning on such virus and worm outbreaks such as I Love You/Melissa and Slammer.'I'd rather be lucky than good,' Garcia said. 'We were good and had some luck, too.'

Good security depends on people and as technology

Establishing a cybersecurity management operation requires more than just having the right tools in place. You also need the support of those above and below you in the chain of command. The Federal Aviation Administration's Cyber Security Incident Response Center grew from a small operation with limited capabilities into a departmentwide security management center because of the support the center received and the technology it uses.

'We've gotten buy-in from the senior leadership,' said Mike Brown, FAA director of information systems security.

The technology is important, too. Having a good security management tool to correlate the growing volume of information from network sensors is critical if an incident response center is to be useful to its customers, said Ron Maree, Northrop Grumman program manager for FAA's CSIRC.

'If it takes you 12 hours to get to something, you're too late,' Maree said. The task also requires cooperation with other organizations working in the same space, such as the U.S. Computer Emergency Readiness Team. 'Don't try to do it by yourself and be a lone ranger.'

Once these pieces are in place, the most important thing is to provide value to the customers depending on your services. Security is not an end in itself, but an enabler for those who are running and using the network.

It should protect them without unduly restricting them, and it doesn't hurt to let them know when they have dodged a bullet. Go for some low-hanging fruit to show some return on investment.

'We work to gain constituent trust,' said Christopher Garcia, FAA program director for CSIRC. 'And once we get it we have to keep it.'

William Jackson

WHAT: Federal Aviation Administration Cyber Security Incident Response Center

MISSION: Provide the ability to protect FAA networks, detect intrusions and security incidents, respond to those incidents, and recover from them.

CHALLENGE: CSIRC began as a small team with few tools and responsibility for monitoring only the FAA administrative network. The evolution of air traffic control and other FAA operational networks away from stand-alone systems made them more vulnerable to network threats. The FAA CSIRC set out to provide more protection and to become a federal Center of Excellence for cybersecurity, providing services to other agencies.

SOLUTION: Beginning in 2001 with the arrival of Mike Brown as FAA director of information systems security, support from top-level management at FAA enabled CSIRC to build its resources and expand its capabilities with the addition of professional analysts, standardized intrusion-detection tools and a security information management system to provide analysis of data from the sensors.

IMPACT: Response time to security incidents has been reduced from hours to minutes, and CSIRC has become the Transportation Department's Cyber Security Management Center. It provides early warning and response to security problems for the department's networks and assists with vulnerability and configuration management.

COST: This is an ongoing multiyear program that is part of the cybersecurity budgets of multiple agencies in DOT.

IN FRONT: Christopher Garcia says FAA's response center is 'ahead of the curve.'

Zaid Hamid

AIR DEFENSE: The CSIRC team network security covers the Transportation Department.



For the complete list of the 2007 GCN Award winners, click here


































NEXT STORY: ERM and document security

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.