To view this site you need Adobe Flash Player and your browser must allow javaScripts. Go here to get the latest Flash Player. AGENCY SPOTLIGHT Getting there from here BY HANK HOGAN, HSTODAY IT CORRESPONDENT TO UPDATE AN OLD PHRASE, THE US DEPARTMENT OF TRANSPORTATION (DOT) MAKES THE PLANES RUN ON TIME. IN ADDITION TO THE FEDERAL AVIATION ADMINISTRATION (FAA) OPERATING THE NATIONAL AIR TRAFFIC CONTROL SYSTEM, THE AGENCY ALSO IMPACTS THE TRAVEL OF TRAINS, CARS AND SHIPS WITHIN THE UNITED STATES. WHAT’S MORE, IT OVERSEES THE MOVEMENT OF HAZARDOUS MATERIALS AND THE 64 PERCENT OF THE NATION’S ENERGY THAT IS TRANSPORTED THROUGH PIPELINES. However, there are other pipelines besides those that carry fuel to worry about. While DoT doesn’t control these data conduits, the agency has taken—and is taking— steps to ensure the security of its networks and the safety of US transportation. result of such measures, the availability of the configuration is said to be 99.9999 percent, with the number confirmed in part by monitoring the response when offline systems are brought back online. As for other FAA cybersecurity activities, Brown reported that plans call for implementing Homeland Security Presidential Directive (HSPD) 12, the smart card initiative, in a total access control fashion. Thus, the card will allow logical access not only to such things as e-mail and networks but also to needed applications. Brown noted that audits have shown e-mail access can linger long after an employee leaves, and so using a card to eliminate that can improve security. Furthermore, surveys have revealed that the average FAA employee has to remember 18 separate passwords. The card will cut that number down, reducing calls to the help desk and speeding up the enrollment of new employees. These benefits should be available when the HSPD-12 rollout is done. Brown said the goal is to select an implementer of the technology this year. NORTHROP GRUMMAN DEPARTMENT OF TRANSPORTATION An unusual operation Another protection enhancement can be seen in DoT’s Cyber Security Management Center, which started off in 2002 as an incident and response group focused only on the FAA. It has grown from something that looked like it belonged in a college dorm room to a 15,000-square-foot facility, with 18 federal employees and 40-plus contractors. The response time for incident detection has dropped from hours to only a few minutes. “It’s a unique operation in that it takes a corporate approach to how this center is managed,” noted Brown. There’s a board, which is composed of the chief information officers and chief information security officers within the department. It meets quarterly to discuss policy, strategy and funding. The model may be working, as the center now contracts with the Department of Education to monitor its networks. Dan Mintz, a political appointee who left with the change in administration at the beginning of this year, sat on the center’s board when he was chief information officer for DoT. He said there had been dramatic improvement in the visibility and closing of incidents, partly as a result of the center. The center has helped cut down on the impact of the 3 million or so attempted intrusion and other events experienced by the DoT’s computer networks each month. However, there are other changes being made internally that will make the systems less vulnerable. Plans call for the deployment of a common operating environment, with centralized control of desktops. The use of an approved and controlled desktop core configuration should help lower vulnerability, as will ongoing, governmentwide efforts to reduce the number of connections to the Internet. In looking at the future, Mintz noted that standardization and other security efforts often focus on protection, which he said is only part of the challenge presented by intruders. “How do you find them when they get in, which is very difficult? Equally important, how do you make sure the critical systems run no matter what?” Because of the growing difficulty in achieving protection, there’ll be a change in the focus toward these other challenges in the future, he predicted. “You’ve got to spend an increasing amount of emphasis on these other things,” said Mintz. HST HSToday Magazine | April 2009 Look, up in the sky A case in point can be seen at the FAA. Michael Brown, director of information systems security for the FAA, noted that several years ago the agency changed its telecommunication infrastructure, splitting it in two. One network carries administrative functions, such as payroll, finance, human resources and connections to the wider world. The other carries air traffic control, and Brown said the two don’t intersect. “There is an air gap, not a logical separation, between the admin systems and the national air space air traffic control systems,” he told Homeland Security Today. The control setup includes redundancy, with automatic switchover to backup systems as primary ones go down for scheduled maintenance or unplanned events. As a The FAA has changed its IT structure to split housekeeping operations from air traffic control. Here, Michael Brown, FAA's IT security director, receives a lesson on the use of a TouchTable from Northrop Grumman executive Jammie McCoy. Register online today for exclusive online content and eNewsletters 17