6 Steps to Aviation Cyber Security Protection
Much is often made by the aviation sector about the safety of the traveling public and this is quite clearly demonstrated by the security and border processes in terminals across the globe.
What is less obvious is how prepared the market is to address the threat of cyber security and it's an issue which has been thrust much further into the public consciousness after the high-profile ransomware attacks in May.
Threats to airports can range from the mischievous – like the bomb hoax tweet which resulted in a diverted flight carrying the President of Sony Online Entertainment, John Smedley – to much more malicious and disruptive attacks.
In the most high-profile airport cyber incident of this kind, in 2013, Ataturk Airport and Sabiha Gokcen International Airport in Istanbul, Turkey, were both the target of a coordinated cyber-attack which impacted the passport control process and resulted in massive queues and considerable delays for passengers.
Airports and the air traffic networks upon which global aviation relies are rightly considered national assets because of their importance to transport infrastructure. Allied to the fact that they also have an enormous reliance on computer networks and technology just to operate on a day-to-day basis, the infrastructure is increasingly at an elevated risk of cyber attack.
Thinking about your own operation, how would you be able to respond if, for example, your Wi-Fi system was compromised? Notwithstanding the negative public perception that this might have on your airport when passengers can’t access Facebook, how would this affect ramp operations? How would concessionaires react? Will your airline stakeholder be affected by the loss of service?
On a larger scale, what if your supervisory control and data acquisition (SCADA) systems were disabled and baggage control systems, runway lighting and energy supply management were affected? Or, what would happen if the IP voice system that is used to communicate between the ground and pilots were taken offline? In these scenarios, it’s difficult to foresee any outcome other than airport closure and aircraft grounding - at least for a period. This doesn’t include the concept of attacks on the ATC systems themselves that make use of the new ADS-B system. Long identified as a potential vulnerability, this is a threat I addressed in 2015 as part of the CSFI “Ghost Attack” workshop.
So as an operator what are the foundational steps you need to take to ensure that you are adequately protected against the threat of a cyber-attack?
Step 1 – Perform a Security Risk Assessment
Implement a review of organizational policies, procedures, and the current cyber security design to identify threats, vulnerabilities, and other impacts to system integrity and network communications. Both current and emerging cyber threat scenarios need to be evaluated, findings documented, and remediation recommendations provided. The US NIST has issued a draft 1.1 version of the Cyber Risk Framework which provides an excellent starting point.
Step 2 – Plans, policies and procedures
Develop the framework and processes needed to implement, monitor, and manage security operations and assets. Define standards and write best practices into your airport’s governance framework to make sure cyber security isn't an afterthought in day-to-day operations.
Step 3 – System security design
Design and build a complete security system that provides a layered and adaptable environment for your information technology, operational technology, networks and communications systems, including both electronic and physical security. Ensure that you are getting the basics, what we call cyber hygiene, right before moving on to advanced protections.
Step 4 – Security Operations
Layer in effective security operations protocols and support, including consulting, staff augmentation, and turnkey security operations such as virus and patch management, intrusion detection and prevention, asset management, change management, incident response, and security help desk operation; all are critical. Ongoing security operations are as important as setting the right policies and procedures up in the first place.
Step 5 – Education
Deploy a staff education program that baselines risky behaviors, educates employees on individual responsibility and measures performance. Insider threat - both intentional and unintended - is one of the most prevalent cyber security risks to any business and the aviation industry is no different. Leidos’ American Military University (AMU) certified courses provide an excellent starting point for organization training programs.
All steps and ongoing –
At each stage of the process, you need to proactively test controls and barriers to determine the degree to which sites, systems, and networks are vulnerable and explore mitigation steps.
Why airports need to act now
Aviation trade bodies and law enforcement agencies worldwide have placed cyber security high on their agenda for their members and stakeholders.
ACI Europe has previously issued guidance for airports on cyber security preparedness whilst IATA has a published framework targeted to air traffic control and airline industries. There is no doubt that the threat of cyber attack for operators of critical national infrastructure is a real and imminent threat – one which the sector needs to act upon without delay.
At Leidos, security is more than a core competency. We integrate security into everything we do. Every day we safeguard some of the most sensitive information and mission-critical systems in the world including 60% of the world’s air traffic.