FAA: Slammer didn't hurt us, but other attacks coming

The Federal Aviation Administration survived last weekend's Slammer worm attack with only one administrative server compromised, and the agency that controls commercial air traffic in the U.S. is taking a multipronged attack to network security, said Daniel Mehan, assistant administrator for information services and chief information officer at the FAA.

Mehan, speaking to the media at the ComNet Conference and Expo Tuesday, said no "mission-critical" computers were compromised by the slammer attack, which shut down Internet service in some parts of Asia and slowed connections worldwide. A combination of keeping up to date with patches, keeping workers trained and using a variety of antihacking strategies kept the FAA's important computer systems running during the Slammer attack, he added.

But Mehan is not gloating because he knows more cyberattacks will come. "In no way do we taunt or challenge people to have another run at us," he quickly added. "We were quite successful in dealing with this worm, but there's always the next one."

The FAA uses several security measures to fight cyberthreats, and the agency is especially focused on such attacks since the Sept. 11, 2001, terrorist attacks on the U.S., Mehan said in his ComNet keynote address. The agency isolates its Web-enabled administrative computers from its mission-critical flight control machines; it uses multiple firewalls; it uses intrusion-detection and several packages of antivirus software; it completes an internal security audit on all new software; and it actively scans for vulnerabilities.

"We can't promise you'll never get a cold," he said of the agency's computer security. "But we have to make sure it doesn't spread to pneumonia."

All those strategies are needed, he said, because he sees a progression of "less and less hacker knowledge required for more and more sophisticated attacks."

The FAA controls 35,000 commercial flights a day in the U.S. and owns 40,000 pieces of computer equipment, Mehan said. The agency is working on updating some legacy, proprietary equipment to more open, "off-the-shelf" technology, he said, and since 2001, it has offered a series of employee meetings and computer-based training focusing on information security.

"This is an effort that will never end," Mehan said of security training. "You'll never do enough of it."

The FAA is also working with several IT vendors to build in better security procedures in their products, Mehan said. He's not blaming IT vendors for security problems, he said, but more needs to be done to build security into systems before they're sold. "We have a whole industry looking at intrusion detection, scanning, hacking etc., all trying to do the information security after the fact, when a lot of it should've been done in the design," he said. "To their credit, the industry realizes that mistakes that were made to get where we are, but we need to work with them."

The FAA faces some of the same information security challenges from hacking as the U.S. Department of Defense, Mehan said, but the FAA has the additional challenge of being an agency that's trying to release a lot of information, instead of keeping it close to the vest.

The IDG News Service is a Network World affiliate.