Building Trustworthy Systems: An FAA Perspective

by Dr. Daniel Mehan, Chief Information Officer of the FAA, and
Marshall Potter, Chief Scientist for Information Technology at the FAA

The security and economic viability of our nation depend on an effective and uncompromised transportation infrastructure, and information systems security (ISS) is at the heart of keeping the air transportation infrastructure protected. In an earlier paper, we introduced the Federal Aviation Administration's (FAA's) layered approach to ISS [1]. We described in that paper the rationale and causes for a new emphasis on ISS at the FAA and the holistic and multidimensional approach that we are taking to address this challenge. For the FAA, ISS has a more expansive meaning than it had in the traditional computer security environment. The most important results that we focus on at the FAA are the safety, security, and efficiency of the National Airspace System. We demonstrated in our earlier paper that the structural, process, and operational foundations of ISS provide the vital mechanisms necessary for the FAA to build, certify, operate, and maintain trustworthy systems in support of achieving those results. In the earlier paper, we concentrated on describing in detail the structural portion of our model, which is illustrated in the form of a pyramid (Figure 1) that includes five layers of protection: personnel security, physical security, compartmentalization and information systems security, site-specific adaptation, and redundancy. In this paper, we will describe the other two key elements of our approach, the process and operational models, and we will show how they interrelate with the ISS pyramid to establish a balanced overall information security program. In addition, we will present an evolution of the ISS pyramid structure into a more generic cyber security model, which will be helpful for prioritization analyses and for architecture and engineering efforts to guide the long-term ISS Program.

Background

For our purposes, we define a trustworthy system as one that does what we expect it to do and not something else, despite environmental disruptions, human and system errors, and attacks from hostile parties. Design and implementation errors must be avoided and/or eliminated, or the system must be built with a degree of robustness such that potential problems are either tolerated or have no operational impact. It is not sufficient to address only some of these dimensions, nor is it sufficient to simply assemble components that are themselves trustworthy. As a consequence, trustworthiness is holistic and multidimensional [2].

The FAA's mission is to ensure safe, secure, and efficient air travel in the National Airspace System. The FAA's ability to fulfill this mission depends on the adequacy and reliability of its air traffic control (ATC) system. Faced with rapidly growing air traffic volumes and aging air traffic equipment, the FAA initiated an ambitious ATC modernization program. This program includes the acquisition of a vast network of radars, computers, and navigation and communications equipment, in addition to new facilities and support equipment. It also includes deployment of FAA information systems, which are very large and complex and are increasingly integrated, compounding the risks to the trustworthiness of the system in its entirety. These systems process a very wide range of different types of information, including radar, weather, flight plans, surveillance, navigation/landing guidance, traffic management, voice, network management, aircraft certification, inspection, flight standards, regulatory information, and runway status. This information is normally available to be read by a very large user base and is for the most part not considered "confidential" with regard to "read access." These resources reside at, or are associated with, several types of ATC facilities: air traffic control towers, terminal radar approach control (TRACON) facilities, air route traffic control centers (en route centers), flight service stations, and air traffic control system command centers (ATCSCC). The challenge for the FAA, then, is to ensure that this vast and complex information-centric network, which includes a diverse array of data sources, users, and facilities, remains trustworthy, uncompromised, and ready for operation on a 365 x 24 basis.

The Process Model

While the Structural Model of Figure 1 provides a good understanding of key conceptual and systemic actions that need to be taken to implement an effective ISS Program, it does not define how we are going to do it. To describe the "how-to" level, we looked at the problem from an additional perspective and developed a process model to guide our ISS Program implementation. FAA systems, in particular National Airspace subsystems, are generally accessible and physically located in many facilities across the nation. To establish that a facility has an operational capability to protect itself, three threads (system, personnel, and physical), depicted in the Process Model of Figure 2, need to be addressed. It is not enough to ensure that individual systems are protected; we must also ensure that each facility as a whole is protected with regard to system, physical, and personnel security.


Since the systems thread is perhaps the newest challenge to the FAA, we will deal with that thread first. The comprehensive system certification process used by the FAA is represented in Figure 3. At the beginning of this process, we conduct a risk and vulnerability assessment. Without a thorough knowledge and understanding of the risks and vulnerabilities, it is not possible to develop adequate protection mechanisms. After this is accomplished, a System Certification and Authentication Package (SCAP) is developed which includes such items as a risk mitigation plan, an ISS plan, an ISS test plan, protection profiles that define the security requirements of the system, and a certification statement. The system developer or owner must provide evidence that the system is ready for certification. Then the Chief Information Officer reviews and provides the certification of the system, after which it can be deployed with the concurrence of the Designated Approving Authority (DAA) of the business unit that is deploying the system.

Beyond the "national" certification of systems, there is also a need to ensure that facility system protection, which applies to the local, site-specific configuration of nationally distributed systems, to local adaptations, and to systems that are under the purview of the facility, is also in place. The primary steps to assure that these systems are secure are taken by local facility personnel.

The approach envisioned by the FAA to protect its systems generally proceeds through the following phases.

While the system thread which we have discussed thus far is very important, the personnel and physical threads are no less vital. To protect the National Airspace System, each facility is designed and constructed with personnel and physical security barriers. These personnel and physical barriers include security fences, cipher locks, background checks, security clearances, identification badges, and limited-access procedures. These barriers are monitored by security guards who detect threats and take corrective measures to prevent intrusions. In addition, the new FAA ISS Architecture addresses the cyber barriers that are required for each system/subsystem and their planned insertion as the National Airspace System evolves. Within a facility, personnel, physical, and cyber barriers may be made up of multiple layers of protection. The amount of personnel, physical, and cyber barrier protection at a facility depends on the criticality of the service(s) provided. Services directly supporting the National Airspace System require more protection than services supporting the administrative functions of the FAA, but all systems and services are addressed by the ISS Program.

The Operational Model

It is not enough, of course, to determine that facilities "in isolation" are certified. After all, FAA systems are configured and operated in a decentralized environment that spans multiple geographic locations and physical facilities. Each facility provides one or more services that support the operation of the FAA in ensuring the safe and efficient movement of air traffic. Because each facility can operate independently, and interdependently, this decentralized operational approach protects the National Airspace System against a widespread failure.

In recognition of this increasing interconnectivity, the FAA has developed an Operational Model that includes layers of security in the form of "boundaries of protection." This Operational Model, as depicted in Figure 4, provides multiple layers or "boundaries" of protection from an overall National Airspace System perspective, as well as protection for the individual services provided at each facility.

Since the operation of the National Airspace System (see Figure 4) is highly dependent on information systems, each facility must create a cyber barrier to address the ever-increasing potential of cyber threats. Because each facility works interdependently, they need to share information electronically through local and wide area networks. They also need to exchange information with other organizations, including other government agencies, the airlines, and the public. Because these communications networks are pipes that cross the personnel and physical barriers, they force the establishment of an additional protection barrier. The cyber barrier will prevent unauthorized or unauthenticated electronic access to the critical infrastructure of the National Airspace System. These cyber barriers include firewalls, encryption techniques, authentication protocols, and Public Key Infrastructure technologies. The strength and depth of the cyber barrier used by the network and by the individual facility will be dependent on the nature of the service and systems that are being protected.


Assuring the integrity and effectiveness of a cyber barrier to a facility's information infrastructure requires constant monitoring and analysis, both at the facility level as well as the national level. If an incident is detected, action is required at both the facility level and possibly at other facilities as well. Cyber threats have the potential to replicate themselves within a facility, as well as over an entire network. To respond to this threat, the FAA has developed both a local monitoring process and a centralized Computer Security Incident Response Capability (CSIRC).

Figure 5 provides the holistic perspective, presenting all three models (structural, process, and operational) and showing how they are interlinked to provide reinforcing elements of protection for the National Airspace System.


Cyber-Security Pyramid

The Structural Model, the ISS pyramid in Figure 1, has helped us to focus our ISS efforts. This model is based on five clearly defined layers of protection that have day-to-day meaning to the 48,000 employees of the FAA. In order to benefit maximally from the vast array of work described in the computer security literature, however, there was a need to map our five layers of security onto such standard cyber goals as confidentiality, authentication, integrity, access control, and availability. By mapping these goals to the layers of our pyramid with which they were most closely aligned, we found a very natural, almost "isomorphic," relationship between the original structural model and the layered cyber model (Figure 6).

The top level of the pyramid, personnel security, easily maps to the protection mechanism of authentication. In personnel security, we want to assure that each and every user has a background check and/or security clearance and is known as a trustworthy member of the team who is allowed to use the systems. In a cyber-security sense this is equivalent to saying that we have Authenticated or verified not only all the users, but also the processes and tasks executing in the system.

The next level of the original pyramid was physical security. At that level we want to ensure that the FAA facilities are safe from unauthorized access and harm. This relates directly to the cyber-security protection mechanisms called Access Control.

The third level of the ISS Protection Model is called Compartmentalization and Information Systems Security. This level provides the mechanisms to constrain and control the impact of any single security incident. For example, FAA's ATC facilities are resilient when a security incident at one facility cannot spread to another. In cyber-security terminology this is equated to Integrity. By Integrity, we mean that data and systems cannot be altered without detection.

The fourth level of the ISS Protection Model is called Site-Specific Adaptation. At this level, we find that FAA systems have been designed in a general format, however, they have no operational capability until they have been adapted with a "unique" fingerprint of the airspace, geography, equipment, and procedures that makes each facility's ATC system work properly. In some sense, this is the "classified" data of the system that makes it work. So this relates closely to the cyber-security functions of Confidentiality. By confidentiality we ensure that sensitive or classified information is neither available nor disclosed to unauthorized parties.

The final level of the pyramid is called Redundancy. At this level, the system provides a degree of robustness that ensures that FAA systems perform as expected even if parts of the systems or sensors become unavailable or become corrupted by some means. Again, this relates directly to the cyber-security functional level of Availability that ensures that a resource is accessible and usable on demand by any authorized party.

The Cyber Model and the original Structural Model (shown side by side in Figure 6) provide the FAA with important and easy to understand perspectives for its ISS Program, and we believe they will be useful in explaining our objectives to a variety of audiences. The structural model has meaning to the lay people of the FAA; the cyber security view permits us to benefit from the efforts of the ISS experts at the cutting edge of this field.


Information Systems Prioritization

Although public awareness of the need for security in computing systems is growing rapidly, current efforts to provide security are unlikely to succeed if the goals and objectives for security are not well defined and prioritized. Many current security efforts suffer from the flawed assumption that adequate security can be provided in applications based upon one concept of security, the principle of "Need to Know." When we started to address our needs and priorities at the FAA, we noticed that the primary goals of "Need to Know" were confidentiality and access control, rather than the FAA's needs to assure the integrity of our data and processes and at the same time assure availability of service. These needs are important to every system designer, but the current models for building trustworthy systems are derived from an earlier mathematical model, the Bell-LaPadula model, which addressed primarily the confidentiality of information. This model is described in many books on computer security and formed the foundation for the original "Orange Book" on Trusted Computing Systems [3].

Of growing concern with regard to controlling critical infrastructures are denial-of-service attacks, which compromise availability, and attacks on the integrity of the systems and their information. Experience has taught that systems, in particular complex systems, can be secure, but there will always be residual vulnerabilities. The question one should ask is not simply whether a system is secure, but how secure that system is relative to some perceived threat. Thus, notions of absolute security, based on correspondence to formal models, have to be enhanced to deal with the current environment, where security relative to perceived threat is paramount.
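To make the prioritization argument above concrete, the following added example (not code from the FAA paper) implements the two Bell-LaPadula rules and checks what they permit a low-clearance process to do to a high-sensitivity record. The sensitivity levels, the "public_feed_process" subject and the "flight_plan_record" object are constructed sample values; Biba's strict integrity model, which the paper does not name, is included only as the standard dual of Bell-LaPadula to show what an integrity-oriented rule set looks like by contrast.

```python
"""Bell-LaPadula confidentiality rules versus the integrity the FAA needs.

Added illustration; not code from the FAA paper. Levels, subject and object
names are constructed sample values.
"""
from dataclasses import dataclass

# Constructed linear lattice of sensitivity levels (higher index = more sensitive).
LEVELS = {"public": 0, "sensitive": 1, "classified": 2}


@dataclass(frozen=True)
class Entity:
    name: str
    level: str  # clearance for a subject, classification for an object


def blp_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Bell-LaPadula: 'no read up' (simple security) and 'no write down' (*-property)."""
    s, o = LEVELS[subject.level], LEVELS[obj.level]
    if op == "read":
        return s >= o  # may only read objects at or below own clearance
    if op == "write":
        return s <= o  # may only write objects at or above own clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Biba strict integrity, the dual of Bell-LaPadula: 'no read down', 'no write up'.

    Here the level is read as trust in the entity's integrity rather than secrecy.
    """
    s, o = LEVELS[subject.level], LEVELS[obj.level]
    if op == "read":
        return s <= o  # only read from sources at least as trustworthy as self
    if op == "write":
        return s >= o  # only write to objects no more trusted than self
    raise ValueError(f"unknown operation {op!r}")


def permitted_ops(policy, subject: Entity, obj: Entity) -> dict:
    """Summarise which operations a policy lets a subject perform on an object."""
    return {op: policy(subject, obj, op) for op in ("read", "write")}


# Constructed scenario: a low-clearance public-information feed process and a
# high-sensitivity flight-plan record.
PUBLIC_FEED = Entity("public_feed_process", "public")
FLIGHT_PLAN = Entity("flight_plan_record", "classified")

if __name__ == "__main__":
    # BLP keeps the record secret (no read) but permits a blind write-up into it,
    # so its integrity is unprotected; the integrity dual reverses both answers.
    print("Bell-LaPadula:", permitted_ops(blp_allows, PUBLIC_FEED, FLIGHT_PLAN))
    print("Biba         :", permitted_ops(biba_allows, PUBLIC_FEED, FLIGHT_PLAN))
```

Under Bell-LaPadula the public feed may not read the flight plan but may overwrite it, which is exactly the confidentiality-only emphasis the paper identifies; availability is outside both models entirely.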

Conclusion

The FAA has developed a holistic and multidimensional approach to ISS. The perspectives of our approach embrace multiple viewpoints including Structural, Process and Operational models. The models are all interrelated and are critical to the overall success of an effective ISS Program. As is the case in any rapidly developing field, these models and our approaches to them will change with time and with the threats. Additionally, we have noted that existing procedures based on the commonly used "Need to Know" model do not fully address the highest needs and priorities of the FAA. We are currently addressing these in several studies and will provide a more detailed mathematical and engineering analysis of these findings in the future.

Biography

Dr. Mehan joined the Federal Aviation Administration (FAA) in February 1999 as its first Chief Information Officer (CIO). He is the agency's principal advisor on information technology and directs strategic planning for information technology across the agency. Dr. Mehan also oversees the implementation of the FAA's Information Systems Security Program.

Before joining the FAA, Dr. Mehan held positions at AT&T for 31 years. At the time of his retirement, he was International Vice President of Quality and Process Management, leading efforts to align and optimize the processes and systems of AT&T's global operations. Prior positions held within AT&T included International CIO and Commercial Market Services Vice President, Product and Market Management Vice President for General Business Systems, Material Management and Customer Service Director. He began his AT&T career as a member of the technical staff at Bell Telephone Laboratories.

Dr. Mehan graduated from Drexel University with a bachelor's degree in Electrical Engineering. He holds a master's in systems engineering and a Ph.D. in Operations Research from the University of Pennsylvania. He has served on the boards of the U.S. Telecommunications Training Institute, the North American Telecommunications Association, and the Japan-U.S. Telecommunications Research Institute.

Biographical Summary

1995-1998 - International Vice President-Quality and Process Management, AT&T

1992-1995 - International Chief Information Officer (CIO) and Commercial Market Services Vice President, AT&T

1987-1992 - Product and Market Management Vice President for General Business Systems, AT&T

1984-1987 - Material Management and Customer Service Director, AT&T

1979-1984 - Division Manager Strategic Planning and Product Technical Support, AT&T


Author Contact Information

Dr. Daniel J. Mehan
Chief Information Officer, AIO-1
FAA Headquarters, Room 725
Federal Aviation Administration
800 Independence Ave, SW
Washington, DC 20591


