Cyber-security: start with assets, not threats

Back to articles

Cyber-security is both in the spotlight and increasing in importance across the whole of aviation. As we build more systems using common and COTS components, connect more of them together and rely on them more as an integrated system for safe and efficient air travel, we face a large and varied set of cyber-threats. These have evocative names: viruses, session-hijacking, denial of service attacks, phishing, social engineering, insider-threats, advanced persistent threats, and so on. Every day new vulnerabilities and attacks are identified and it can be difficult to keep up with them all.

We give much less time to thinking about what it is that needs protecting in the first place – our assets. This is especially important at the start of a cyber-security initiative when a solid grasp of your information assets is crucial. What are the key data and associated information flows, functions and systems that allow you to operate and deliver value to customers and users? Only by knowing this can you assess the risk that cyber-threats pose, identify the full scope of what needs defending and prioritise the investments needed.

This approach is in line with cross-industry cyber-security standards (eg ISO 27001 for Information Security Management System) as well as aviation-specific documentation such as the CANSO Cyber Security and Risk Assessment Guide.

But in reality identifying your information assets can be hard. Here are just a few of the common difficulties:

  • It is a multi-disciplinary activity: operational, business and technical perspectives are needed to understand the critical assets that underpin an airport, airline or ANSP.
  • It can be hard to value assets: value is determined by the impact of its compromise (sensitive financial information being made public, trusted aeronautical data being changed at random, loss of access to flight information, etc) and this can be a complex and subjective question.
  • Some assets have little intrinsic value but enable critical activities: communication networks, for example, are only as valuable as the information transmitted over them. This can change over time as new concepts and services are introduced.

During our recent security risk assessments for datalink, the asset starting point again proved true. Most of the discussion was over clarifying the information assets and their value. The range of assets that helped enable the end-to-end services was surprisingly broad - extending far beyond the communications and server equipment. Integrity and availability were highly valued by operational users, whilst confidentiality was not a key requirement (sometimes controversially).

Whilst understanding threats (as well as vulnerabilities and risks) is part of the cyber-security process, that process starts with understanding your assets. It's an exercise that involves many people and will spur much reflection, but will provide the firm basis for the rest of your cyber-security processes.

Contact the Author

Matt Shreeve
Tel: +44 1252 451 651

Call us to discuss your next project: +44 1252 451 651

Contact us