Steve: All right, welcome everybody. I appreciate you joining us here today. We're gonna have a great talk with the FAA CISO. So let me start by welcoming Larry Grossman to DEF CON and the Aerospace Village. I appreciate having you here.

Larry: Thanks. Thanks a lot, Steve. It's a thrill to be here. I'm looking forward to the conversation.

Steve: Absolutely, and we appreciate your time. So for everybody, we're going to dig into the government side of things, particularly with the Federal Aviation Administration, talking with Larry about what the FAA's role is, where cyber security is a part of that, his role in supporting that overall mission, and then his thoughts on the security research work and the things that he deals with. Before we get rolling, though, I will introduce myself also. I'm Steve Luczynski. I'm the chairman of the nonprofit board that we have that's running the Aerospace Village and helping support these activities. So again, I appreciate you all being here and joining us today. For those of you who don't know Larry Grossman, he is the Federal Aviation Administration's Director of the Office of Information Security and Privacy and the Chief Information Security Officer. In these roles he provides strategic leadership of FAA's information security and privacy program. And this isn't the only role he's been in at the FAA. He's been with FAA for 25 years, and I think even more telling is being with the agency that long and as an aviation enthusiast, an avid enthusiast at that. He's a commercial pilot, flight instructor, certificates in both, I'm sorry, both land and sea, and he travels in his own aircraft whenever he can, so I'm very jealous of that. So again, I appreciate you being here today, Larry, hearing about your background in both cyber security and the aviation side of things and joining us for this discussion. So with that I want to jump in. If you would, I think we all think we know what the FAA does. We think we know, or we have a general idea, but not necessarily the details. So what I'd be interested in is getting your perspective on the FAA's mission, and particularly the cyber security side of things.

Larry: Sure, sure, happy to. So I am the official Chief Information Security Officer, but only for the last month. I was acting Chief Information Security Officer for the last two and a half years, so they finally made an honest man of me. So the FAA's mission is very simple. There's basically two pieces to it: safety and efficiency. That's the mission. The mission of the FAA is to safely move aircraft through the National Airspace System and to assure that they move as efficiently as possible. So from a cyber security perspective, there's certainly countless areas that we have to be concerned about. The FAA has roughly 360 FISMA reportable systems. FISMA is the Federal Information System Security Act. It was put in place several years ago. It requires us to inventory all of our systems and to perform compliance activities on all those systems. So we have a pretty big inventory for a moderate size government agency. We have a fairly large number of systems, and within those systems we have probably 2,500 or so applications that run. So it's a fairly large inventory, certainly a large attack surface, so to speak. To keep all those systems secure, historically FAA has focused inward on those systems. We've looked at the FAA just on how we secure our systems and how we secure our services. But the aviation ecosystem is much larger than the FAA specifically, right? And the FAA only has a small piece of it. We do operate the National Airspace System. It's critical infrastructure of the United States. We move hundreds of thousands of airplanes a day. We're back, now that we're hopefully on the backside of COVID, we're back to roughly ninety-something percent of pre-COVID numbers. So people are traveling, airplanes are moving, and they're moving safely. The efficiency piece is really where we get kind of wrapped around the axle at times. How do we keep planes moving efficiently? We do that through a number of systems that we have to keep secure, and those systems are working with airlines, working with other partners, aircraft manufacturers, etc. So there's kind of a lot of pieces that all work together.

Steve: Absolutely, no doubt there's a lot to deal with in that sense. One of the things that comes to mind when I think about the FAA is the regulatory side of things, and that's the hammer that comes down that has to impose a fine and punishment. But I know from previous work that we've done with you all, including last year, last year online with a virtual DEF CON, where we had folks from your engagement office who are externally focused. How do you balance the hammer regulator side of things that has to impose when a problem happens, but also the need to engage, the need to get folks to understand vulnerability disclosure and addressing these problems? How do you deal with all of that?

Larry: Well, as a commercial pilot who made his living for a little while as a commercial pilot, I did my best to avoid that hammer as well. So the talk that we had last year at the village with our ACI partners, that's kind of one of the areas that we've just fairly recently moved into. As I said earlier, we've always focused inward, but realizing that the ecosystem is much larger: what pieces of that ecosystem does FAA own and operate? What pieces do we regulate, and what pieces do we really have either a shared involvement with, like with respect to airlines and airports, and some that we have just no involvement at all? So we formed a team that was working with DHS and DoD. The team became the Aviation Cyber Initiative, and their focus really is around outreach and around understanding how, as an example, airlines are securing their systems, or how aircraft manufacturers are building in various components. While we do certify the components of the aircraft, we do test the components of the aircraft, there are many pieces, parts of pieces to that, that the airlines, I mean the aircraft manufacturers, still own. Airports is another area where FAA has really kind of a very interesting relationship. Within the United States there's over 17,000 public use airports, and they run everywhere from a grass strip in a field somewhere to Chicago O'Hare and Atlanta Hartsfield, and kind of everything in between. We like to say that there's 17,000 airports in the U.S. and there's 17,000 different airports, because each one of those airports is managed a little differently, is operated a little differently. Some are operated by an airport authority. Some are operated by municipalities, and some are actually privately owned but are allowed to be public use. So how do we work with those airlines across the board? The answer is around outreach, around better understanding how they're implementing cyber security, and how we can kind of help them with respect to standards and kind of drive better practices, better cyber hygiene, because really most of it is about cyber hygiene.

Steve: Absolutely, so thank you. When we have talked about and heard others talk about the complexity of the aviation and aerospace ecosystem, hearing 17,000 really hammers home that point. That's not something I knew before, so it's good to learn. One thing, understanding the FAA's overall mission but also understanding what is your part of that, and I didn't mention it before I asked you, but I'm interested in hearing: what was your path? What motivated you to do both, avid pilot and joining the FAA? They seem to go together very well, but certainly some cyber security thrown in there on top of it.

Larry: They do, yes. Everyone has their interesting paths to where they get places. So I went to school for aviation. I was a pilot by training, and I didn't make it into the military. I wore glasses, so that was the discriminator for me. So I started working as a pilot back in, I guess, the late '80s-ish, and really realized that the path I was taking... In the late '80s, everything's about timing, right? Life is about timing, and the timing when I was trying to get hired by regional airlines, I was actually flying checks for a while, flying small cargo for a while. You take off at one o'clock in the morning in rain and snow and land at four o'clock in the morning. And so it was really not a lot of fun. It was fun at first, but after six months of that it started to be not a lot of fun, in a little airplane by yourself, kind of flying along. So I had an aviation major and a computer science minor, and I found myself getting hired, actually initially part time, by a consulting company for the FAA here where I live in Atlantic City, New Jersey. The FAA has a second level support facility here where we support all of the air traffic control systems that are deployed. So I started working on air traffic control systems kind of part time and flying full time, and then that kind of evolved to flying not quite so full time and working more full time, and I kind of slid myself over into working on air traffic control systems as a programmer, then moving up as a designer, developer, then moving up as a manager of the air traffic control systems. And then 9/11. In October of 2001 my boss at the time said, "What do you know about cyber security?" I said, "I know enough not to get myself in trouble. That's about it." He said, "Well, I'm going to get you some training, and we need to figure out how we're going to start securing the air traffic control systems. We don't understand a lot of how we're managing our air traffic control systems. We need more of our kind of administrative functions off of the air traffic control side." And so I deployed a bunch of programs that kind of improved our ability to monitor the operational side, to move a lot of those kind of administrative functions off of the operations and into our mission support environment. One thing led to another, and so I worked my way around for a while. I worked in cyber for about seven years, and then I got out of cyber for a little bit and did some work for the FAA Administrator around data distribution and around improving the way FAA gives data out. FAA gives tons and tons and tons of data. We're one of the largest data distributors. We just spew data out. If anyone ever uses FlightAware or any of those applications, the FAA outputs almost a terabyte a day of data. So there's just a ton of data that we give out. But at the time we really weren't giving it out in a way that would spur innovation, that would drive innovation, and our FAA Administrator at the time said, "If we improve the way we're releasing data, we will spur innovation. They'll build better products for pilots to use, and it will improve safety." And so we did that. So I took kind of a break, and then I came back into cyber again. I missed it, and so I came back to cyber, and so here I am.

Steve: And in no small role, because you're dealing with not only the internal FAA systems, but from what we talked about before, you're running the gamut of things that you have to deal with. What is the scope and scale of your responsibilities? Because I know it's extensive.

Larry: Yeah, we have a lot going on. We certainly have our security operations organization, and we run our own SOC. We're always moving to improve our SOC capabilities. We have a pretty big compliance shop. Compliance is, as I mentioned before, a FISMA requirement, and we look at every system and service in the FAA and make sure, looking at the NIST controls, that their controls are implemented appropriately. That's a huge effort with the number of systems we have. We have a governance shop that writes our policy. We have a pretty big policy for security and privacy. The policy has grown because we've incorporated all of the NIST controls into our policy and how we're going to implement those controls, and so that's kind of a big effort. We do training. We have our security awareness and role-based training that we conduct. I run our privacy office, with all of the privacy documentation that's required, as well as any breach that may occur, we respond to that. Of course, Sid's organization, that's our externally facing organization, and all the work we're doing around CDM, the Continuous Diagnostics and Mitigation effort, the new executive order that's out, our work with a lot of our partners. I work closely with other agencies and departments. We have a lot of big efforts with DoD. FAA and DoD share a lot of commonality with respect to moving aircraft, etc. And that's it, just a couple of things here and there.

Steve: So you mentioned before Sid's group, and Sid was with us last year, and it was great to hear him talk about that engagement and outreach, and that's with our audience in particular. So that's an area I wanted to dig into: the efforts that you all are making to connect with the security researcher community. I'm interested in your thoughts on what's driving that and what is y'all's approach to improve those types of engagements.

Larry: Yeah, so we're always looking to improve our engagements with the research community. We're actually doing it on our own with several initiatives that Sid is leading. We have a lot of engagements. We're engaged with the Aviation ISAC very closely, which is kind of focused on aviation. But also through mandate by DHS, through a directive, 20-01, that really requires us to run a disclosure program where we invite researchers to look for vulnerabilities, and look for them in a positive manner, and report them to us. We have a pretty big effort right now ongoing. We started with one externally facing site. Now I think we're at four or five externally facing sites. Over the course of the next, I think, 12 or 18 months, I can't remember exactly which, all of the externally facing sites that the FAA has, and there are quite a few, will be open for researchers to look for vulnerabilities, and we're certainly looking forward to that engagement. It was funny, the first week we had one website up, I think it went live on a Friday, and by Monday we had like five reports, and there were five different reports. Some of them were not valid, but some of them were, "Hey, we found cross-site scripting here," we found... I forget what the other one was. But crowdsourcing, looking for vulnerabilities in a collaborative and productive way, is very important to us. We know we can't find all the bugs and all the vulnerabilities, so we certainly look forward to folks helping us, and the folks that are listening here.

Steve: Absolutely. So two things came to mind. I know we're recording this ahead of time, and there's going to be a live question and answer. We'll both be on there while this is being shown. I'm sure folks are going to ask, what is that website address? What are all the website addresses? Sorry, I can't... the public ones. So I will get those from you when we get done recording and I'll have it ready, because I know that's going to come up. And that's great, because we want to get that out there and share that. We've done that before with CISA and their program. And the other part of the work that you're talking about, all the way back to DEF CON 27, when we were the Aviation Village, that was the first time we were there, and I know you were part of the behind the scenes with the CAN bus disclosure that was coordinated through CISA and Rapid7, and Patrick Kiley's research that led to rolling that out at the time. So we're very appreciative of that continued cooperation, and somebody like you that has definitely seen behind the scenes what goes into all of it to making that happen, and I think experience with other types of disclosures in the public, whether or not they were coordinated or were just disclosed. So definitely good to see that experience.

Larry: Absolutely. That was my first, really my first work we did with Rapid7, and we've had other engagements with them as well. So it was a great engagement.

Steve: Yeah, you bet. How about on the workforce side? I think the typical thing that you hear is we can't find the right people, we can't get the right skills, you're competing with others, especially as a government agency. What are your thoughts? Are you seeing the same problems, or is FAA doing something different to engage and attract folks with those skills?

Larry: Well, what I like to say is the unemployment rate for cyber security professionals is in the negative numbers, right? There's certainly not enough cyber folks to go around, so we do compete for the cyber security workforce, and we do it pretty successfully too, I might add. We are a government agency, but we do have flexibilities for hiring that have been offered to us through OPM, the Office of Personnel Management. And we have a great mission. I think the mission of the FAA is really what attracts folks to us. We have had folks come from a lot of our vendor community; our contractor workforce have moved over. Some of them have even taken a pay cut to move over, not a lot. I mean, we can be pretty competitive salary-wise. But we can certainly be competitive, and they just love the mission. There's nothing cooler than moving airplanes and being involved in a system that is as critical to the U.S. and the global economy. We work internationally extensively. And down to the technical level of work that we're able to do, and the high demand that we have for workforce. So I think we're doing pretty well. We do better than a lot of my peer CISOs that we talk about. In addition, the recent legislation, I should add, actually the 2018 FAA Reauthorization Act that gave FAA its authority to run, we're a piece of the Department of Transportation, but we operate under our own authority, one of the items on there was that we engage with the National Academy of Science to conduct a study of the cyber security workforce, on how to attract and retain that cyber security workforce that we need, because I think Congress recognized that it's such a critical function. The FAA is so critical to our economy and to the safety of everyone, that they asked us to do this. The report was just released, and so I will also provide the web address of that to you too, so that folks can go read that. I think we got 18 recommendations around workforce, around moving forward, and most of them were pretty positive. I believe that we have a really good workforce, but it's certainly a workforce that is an experienced workforce, and a lot of folks transitioned. The cyber landscape is changing so rapidly now, it's almost logarithmic changes. And what we would love to have are those next generation of cyber professionals that want a really cool mission, that want to come and make a difference in the United States, in our security, in the critical infrastructure of the United States. The FAA is the only department within the government that operates a piece of the critical infrastructure. The kind of technologies that we're deploying now are really exciting, I think, for folks that want to get engaged.

Steve: Yeah, you bet. So it sounds like there's no doubt you all are hiring.

Larry: Oh, no doubt. Bring it on.

Steve: Absolutely. All right, so my last question before we wrap things up here. What is your biggest concern? What keeps you up at night as the FAA CISO, looking at internal issues, external issues, across the breadth and all of that complex ecosystem that we talked about?

Larry: Well, Steve, you were CISO fairly recently. If you got any sleep when you were a CISO, you're not doing your job, right?

Steve: You give up as part of the job requirements. You don't sleep.

Larry: No, I think there's a lot of things that... I mentioned some of them. Certainly the sophistication of the adversary that we're facing has really changed. SolarWinds kind of showed that, right? The SolarWinds compromise showed us all that these folks are a state sponsor, highly sophisticated, highly motivated, can live off the land very easily, go undetected. When you say, "Well, what are the IOCs?" Well, there are no IOCs, right? There's no there there. But you have compromise, and so that certainly is worrisome to us. The fact that we went almost overnight from an average of about 4,000 employees of 45,000 teleworking to 35,000 teleworking, in kind of a snap of a finger, required us to make some pretty significant changes in how we monitor and secure endpoints, how we monitor and secure our systems. We give all of our employees a government issued workstation. They put it on their kitchen table. They work from nine to five, and then six thirty, seven o'clock, it's like, "Well, here's a computer sitting here. I'm gonna go order some stuff off of Target online, or I've got to go, I want to go watch a movie." So we've really had to lock down the workstations. We've locked down all the services that folks can run, and it's that balance of securing our equipment, our systems, our services, and user convenience and user performance. And I think the last thing that keeps me up at night, well, the last of the top three that keep me up at night: the FAA used to own the entire airspace. We used to own all the systems and all the services, and really we're moving more to getting a lot of services now. So it's really not a factor of us securing our systems and services. It's also securing the systems and services that we acquire from our partners, and how do they secure their systems and services, and then how do those folks control... So it's kind of a long road, and that's kind of where Sid's ecosystem work comes in, where the work that we do with the other lines of business and staff offices within the FAA. So those are, I guess, the top three.

Steve: Just the top three, which is plenty enough, and I know there's lots more. Well, Larry, I really appreciate the time. I have no doubt our audience has lots of questions coming in, I'm sure, as we've been talking here, and plenty more. So thank you for that great insight, things that, again, I thought I had some familiarity with the FAA, but learning the full scope and scale of what you all are doing, what you personally are doing, and again taking time out to share that with our audience. We're very appreciative of that. So with that, I'll say thank you to everybody who joined us today, and we look forward, if you're on site, to talking with us in the village. Keep an eye out on our website for future events from the Aerospace Village. So thank you, everybody.

Larry: Thanks a lot for having me, Steve.

Steve: You bet.