Luci Holemans, ATO Cybersecurity Group Manager at the Federal Aviation Administration, spoke about what initiatives the FAA is taking to promote cybersecurity at the 2022 Connected Aviation Intelligence (CAI) Summit in Reston, Virginia, last week. One key change is a shift to a Zero Trust architecture and focusing less on network-based perimeters as a cybersecurity strategy.
Like other U.S. federal agencies, the FAA as part of the broader U.S. Department of Transportation has been tasked with transitioning to a Zero Trust cybersecurity architecture under an executive order issued last year, although has been transitioning to this approach since 2020 when it was discussed during the 2020 FAA Cybersecurity Symposium. A basic premise of the Zero Trust architecture approach to cyber securing air traffic systems or critical infrastructure and assets managed across any industry is to assume networks are compromised and focus on the defense of a given application’s data.
The FAA is exploring multiple strategies to stay ahead of a constantly changing environment and to maintain continued safety and resiliency. It’s necessary, Holemans said, to take into account not only the cloud technologies embedded into this ecosystem, but also unmanned aircraft systems (UAS) and a commercial space that is taking off.
To ensure strong defenses, Holemans said, cyber needs to be integrated into our connected technology, and there must be collaboration between the government, industry, and academia. The cybersecurity environment is so dynamic that it is difficult to keep up with new challenges without collaboration, she said.
Cybersecurity has to be addressed from the start. This means considering the necessary requirements with any new system or service, and making sure that these requirements are embedded early on rather than after the system is deployed. “With legacy systems,” Holemans added, “we ensure that we put those cyber requirements and solutions in place to maintain safety.”
New cybersecurity threats and vulnerabilities are identified on a daily basis. Dealing with this environment, then, needs to include a flexible and efficient approach to finding and establishing solutions.
“Acquisition, especially in a government environment, is typically pretty slow,” she noted. “We can’t take years to address cyber issues that emerge on a day-to-day basis. How do we change acquisition processes and shorten that time frame to deploy a solution?” To meet the needs of today’s cybersecurity environment, a five- to ten-year-long timeline of acquisition no longer suffices; a six-month turnaround time would be more appropriate, Holemans said.
The FAA’s objective is to maintain both safety and resiliency from an aviation standpoint. “We are looking at cyber events 24/7, and have resources dedicated to identifying events that could potentially be cyber related—anything perceived as a system failure, or a service issue,” she remarked. “We are trying to stay on top of new policies that are coming out, new executive orders.”
For recent cybersecurity threats like JetBrains or SolarWinds, the reaction needs to be even quicker than a six-month timeline. When these new vulnerabilities and threats arise, they need to be addressed within weeks, not months. Taking immediate action can be a challenge in the aviation industry, however, says Holemans.
“We don’t change things quickly—and with good reason. You want to test things out before putting anything into the operational environment. At the same time, we try to stay ahead of [these threats].”
There are more threats cropping up now than ever before in the current dynamic landscape of cybersecurity. Technological capabilities like 5G and the evolving Internet of Things (IoT) have led to increasingly sophisticated, malicious cyber-attacks against critical infrastructure and a wider range of potential threat actors.
“It really widens the scope in terms of who is able to potentially do an attack, who else can then take advantage of those new technologies,” Holemans explained. “But we’re also using those same technologies to overcome these challenges.”
The FAA is changing its cybersecurity defense strategy to depend less on network-based perimeters. Holemans shared that the agency is moving towards a Zero Trust architecture that includes authentication and segmentation of users and resources in a network as well as monitoring activity within the network. This strategy of Zero Trust aims to reduce an intruder’s ability to enter the operational environment. If an intruder does get through, Holemans said, the impact on other systems and services is significantly limited.
The Zero Trust strategy includes considering all requests as if they originated from an open network before verifying them. All devices and users undergo dynamic evaluation based on trust scoring. Within the Zero Trust architecture, perimeter boundaries are not eliminated but rather reduced in size. The strategy uses real-time intelligence and analytics that will enable the FAA to promptly address any anomalies.
The FAA is also evaluating multiple enterprise cybersecurity capabilities in order to protect mission critical systems. These capabilities include managed enterprise security monitoring, security enterprise asset management, centralized National Airspace System (NAS) software security management, and managed enterprise security protections.
The NAS software security management provides centralized capability for security patch and protection updates. Holemans explained further: “Instead of having the different systems and programs take something that’s been developed and putting it into an operational environment, we’ve created an environment within the operational area that allows those systems and services to get those new pieces of software where it’s already been tested and checked for any kind of malware.”
Holemans also touched on the FAA’s intentions for ensuring cybersecurity with UAS, an area that is growing rapidly. The agency is still working to determine the best way to incorporate unmanned systems into daily operations in the NAS, she said. “It is more industry driven, but as UAS becomes another target, we are trying to understand how to incorporate those pieces of information into the operational environment. We are involved in some of the requirements for UAS, but in terms of monitoring it, registrations, [the FAA is] still on the outside of that.”