Dan Mehan, the CIO at the US Federal Aviation Administration, told a gathering of IT professionals at the ComNet conference in Washington this week that his agency wants to see hardware and software developers spend more time on security up front. He also outlined a security strategy similar to the Pentagon's Defense-in-Depth approach that may hold important lessons for corporate IT managers. Computerworld's Dan Verton talked with Mehan after his speech. Here's part of what he had to say.
One of your key messages during your keynote speech was that network device developers need to focus more effort on integrating security into their design processes. What was the impetus behind this message?
The main message is that the complexity and size of the FAA infrastructure is such that we really need to use a broad systems approach. To do that, we need an enterprise architecture and multiple layers of protection. We try to harden each network or system element, and then we isolate them from one another and use them as backups. It's very similar to how we do safety — no single failure [aboard an aircraft] can cause an accident. But we need to do it in such a way so that it doesn't impact performance.
Let me give you an example. We had a situation where we had administration terminals on a network that were designed to get update information on operations. What we are doing now is moving that status information to a data mart — hooking the terminals to the data mart rather than the actual network so that if they get infected with a virus we can cut it off at the data mart.
We have a whole industry focused on intrusion detection and patch management that is trying to do after-the-fact what you would like to have done in the design process. In our procurements now, cybersecurity is a major issue, and it's encouraging developers to do that.
We've documented various instances of nonsecured wireless networking technologies in use at individual airlines around the country. What is FAA policy on the use of wireless technologies, and how have you been working with airlines on this issue?
We know it's an emerging technology and something that a lot of people want to use. But we frankly limit the use of it to areas where we feel that it does not create a critical security issue for us. We're using the standards that [the National Security Agency] has suggested [such as 128-bit encryption, nonbroadcasting of SSIDs, MAC address filtering and use of virtual private networks over wireless networks], and we're very careful about our requirements and where we deploy it. It's unrealistic to think that we're going to hold something back. So we're trying to control it and limit it to areas where it's not going to impact critical operations.
You mentioned that the FAA was relatively unscathed by the recent Slammer worm. What was it about your security program or IT program that helped you evade infection?
We've spent a lot of time on awareness and training and on emphasising getting the patches in. On top of that, we have a computer security response centre that picked up the activity early. We also have a scanning capability to test for vulnerabilities that haven't been remediated. We only had one administrative system compromised.
With the incessant move away from proprietary protocols and technologies toward open-standards-based Web technologies, how do you plan to avoid developing a homogeneous IT architecture that is even more vulnerable to common exploits?
The key to that is enterprise architecture. For us it's the airspace system, mission support systems and the administrative systems. As we move forward and architect our future network, we're going to keep in mind the rule of: secure each system, insulate them and have a backup. And we're going to have to look at the issue of homogeneity.