Cyber-security, and the various terms that preceded it, started out as a very technical field, practiced mainly by the military and governments. It was all about encryption, access controls and redundant systems. Once these technical controls were in place, the system was considered secure. Today, the cyber-security discipline has increased in prominence across many more sectors, including, of course, aviation, and it is no longer purely technical. It has been shown time and time again that technology alone is insufficient and that a broader and more dynamic response is needed. For example:
- Using authentication mechanisms to stop outsiders getting into your system is a good starting point, but if there is a poor password policy (e.g. insufficiently complex passwords or infrequently changed passwords) or a poor culture (e.g. re-using passwords across systems) then much of that benefit is undermined.
- Relying on encryption to protect your sensitive information (financial, operational, etc.) provides no protection from an insider (staff, contractor, etc.) who has legitimate access to that information and who accidentally or intentionally releases it to others.
- Installing the latest intrusion detection system is pointless if you have not also sought to protect your supply chain. It is possible that, through your suppliers, you have already introduced vulnerabilities (ill-protected equipment, poorly managed remote connections, etc.).
Put simply, there is no 'silver bullet' technology that will secure your service or organisation. It is a bit of a cliché to say that a 'holistic' approach is needed, but with cyber-security it is essential. As a basic principle, cyber-security requires people, processes and technology to be involved. For example:
- Staff are trusted assets (in the sense that they are in a position to undermine security), but they must also be trustworthy: vetting processes are needed to check whether they might pose a risk, and pastoral care processes are needed to identify early signs of unhappiness that might lead to someone becoming the classic 'disgruntled insider'.
- Technology is needed to identify the signs of cyber-attack, but the response and recovery processes determine its real impact and require people to have the right information at the right time to make good decisions in times of crisis.
Fortunately for aviation, safety is a well-established discipline that shares this holistic principle and, whilst cyber-security and safety are different in some important ways, there are opportunities to use safety as a parallel and share lessons. Helios has supported safety efforts for many years, and our expanding work in cyber-security naturally adopts the 'people, process and technology' approach.
The fundamental principles that underpin effective cyber-security are now fairly mature in mainstream cyber-security - even if they are all too often ignored or misapplied. This maturity is good news for the aviation sector, which is reliant on global information and communications systems, increasingly interdependent and waking up to its cyber-security responsibilities. ANSPs, airlines and airports need to develop their protection, detection and response capabilities, but can avoid mistakes made elsewhere when technology was assumed to be the (only) answer. For aviation stakeholders the opportunity exists to achieve better cyber-security faster and at lower cost and risk than other markets.