Streaming video, digital merchandizing and in-flight Wi-Fi. As technology marches on, airlines are being expected not just to connect the world but also to keep their travelers linked to the world. And it’s not just the airplanes themselves, all the other airline public touch points are now almost all electronic systems that interact with a wide array of visitors in a multitude of ways.
The word “Cloud” has taken on a life of its own to mean different things to different industries, but the largely distributed systems running a complex, integrated mix of software managed by several parties certainly fits the term. While this blend of software and access has greatly increased the ability to merchandize and deliver services to customers, airlines and their implementation partners must ensure that these systems are kept secure.
The topic of security in these (and all Enterprise IT) environments is especially critical as attacks are becoming more and more prevalent. Threat vectors can now even include the passengers in your seats! Specific attack examples against airlines include recent instances such as Chris Roberts compromising IFE systems on various airlines from 2011 to 2014 (while potentially endangering his own life and those of others) and the attacks against the flight plan systems of LOT Polish Airlines that grounded 20 flights in June 2015.
The U.S Federal Aviation Administration’s cyber-security initiative and Boeing’s “authorized hacker” certification programs that began this year to develop security protections for airlines are a big step forward for the industry, but airlines should take the initiative to ensure that all systems throughout their environments are secured, not just the planes' systems.
The best practice to ensure system security is to use one of the many risk assessment frameworks to establish the scope of the environments and identify risks. These frameworks all approach the issue in different ways but follow these four steps:
- Define: set the purpose and scope of assessment
- Identify: ascertain threat sources, threat events, and vulnerabilities
- Determine: determine the likelihood and impact of identified events and vulnerabilities
- Calculate: calculate risk as a combination of threats and vulnerabilities against impact and likelihood
See the bottom of this blog for some links to various assessment styles but ISO, ITL, NIST, and COSO all publish industry accepted frameworks for these activities.
Once you have completed your risk assessment, the rest of the risk management processes begins where you plan, implement, and monitor controls put into place to reduce, avoid, transfer, or accept the risks that were found during the assessment. Just like risk assessments there are a multitude of ways to handle risk management but the same organizations listed above also cover management procedures.
A very important point to note in risk management is that no countermeasure should ever be greater in monetary cost than the risk, except in cases of risk to human life. For example: you wouldn’t buy a $100 lock to protect a $1 pen that gets taken only once a month. Instead, you would either accept the potential $12 yearly loss or find a much cheaper lock! This can be harder to apply to more intangible assets (like sensitive data) but that is where a thorough risk assessment comes in.
The modern world of hacking presents immense problems for modern airlines as you have to bring the complex world of IT Security into the already immensely complex environment of commercial aviation. However, by embracing and following through with appropriate cyber-security risk assessment and management programs, an airline can safely and securely navigate the cyber Clouds.
Eric Chapin, CISSP
Technical Services Group
Risk Assessment & Management References:
Security News References: