Security Technology Executive

JUL-AUG 2015

Issue link: https://securitytechnologyexecutive.epubxp.com/i/557126


July/August 2015 • SECURITY TECHNOLOGY EXECUTIVE 31 www.SecurityInfoWatch.com

of the nation's air traffic control system at increased and unnecessary risk," noted Gregory Wilshusen, director of information security issues at the GAO.

While the reason to pay special attention to the GAO's FAA security report is clear, the contents of the report show that the FAA isn't much different than many other organizations when it comes to security for their IT systems. The GAO report notes that the "FAA has not clearly and consistently established roles and responsibilities for information security for NAS [National Airspace System] systems" and that the "FAA does not have a strategic plan for information security that is up to date and reflects current conditions." In short, the GAO doesn't feel the FAA has a plan or an adequately coordinated team to make or enforce such a plan. It's likely that many reading this feel pangs of empathy, just as I did. Maybe your organization can't relate to the special position the FAA holds in the overall US infrastructure, but it's certain you will be able to relate to the challenges they face as they try to establish secure IT operations.

Security Problems Start As People Problems

People are always the weakest part of any system's security. The FAA's security is no different. This comes through in several ways. There are deficiencies in the blocking and tackling of everyday security. Three of the fourteen recommendations the GAO makes to the FAA in the recommended executive actions are focused on training and awareness. They specifically call out contractors, incident response staff, and "all staff with significant security responsibilities." Reading between the lines a bit, it's easy to assume that the staff with significant security responsibilities are administrators. Administrators are one of the hardest classes of user to control from a security standpoint. They've got the security equivalent of a teleporter to make their way around the IT infrastructure, but good security practice wants them to walk the hallways and badge in at every door. While some contractors may need to be made aware of FAA-specific policies and incident response folks need constant refreshers to stay ahead of the bad guys, administrators often know perfectly well when and how their elevated rights pose a risk. However, they may be so busy that they use the shortcuts their powers give them, despite that risk.

Where effective security is able to control administrators and keep everyone well educated about policies and trends, you can be sure there is a focused effort centered on up-to-date security education and communication. That kind of effort costs money. If you've ever felt that you didn't have the funding for security efforts like this, then you and the FAA are in the same boat. There are several hints that their security program doesn't get the kind of funding it would need for this proactive security education. In fact, it seems they are in the awkward position of begging for scraps: "According to ATO officials, the NAS incident response organization, NCO, has limited capabilities and available staff because it is required to obtain funding from other program units within ATO, which have different priorities."

Even where it's most critical, security is a budgetary afterthought. If you don't have enough incident responders to handle the incidents, then you won't have enough time to rotate those people through the training they need to stay ahead of emerging threats. When you don't control your own budget destiny, then you can't make a plan.

The people problems start at the top for the FAA's security program. It's not hard to understand why they have issues getting staff in line and paid for once you see the state of leadership in the security program. Page 9 of the report, 318 words, is entirely dedicated to spelling out the complex structure of security leadership within the FAA. Like any large organization, there are many divisions with differing charters at the FAA. Each one seems to have a little piece of the security function. The FAA recently put a "cyber security steering committee" in place as an attempt to unify their approach, but the GAO quickly points out that "roles and responsibilities remain unclear, and AIT (Advanced Implementation Technologies) and ATO (Air Traffic Organization) officials continue to disagree on who should be responsible for the security of NAS systems." I would bet good money that the argument isn't both sides insisting that they should own the responsibility for critical systems related to national security. If an organization has any hope of getting serious problems addressed, they need to
