Three interesting reports have been published this year about cyber-security at the FAA and their NextGen modernisation programme: two from the Government Accountability Office (GAO) (one on the FAA, one specifically on NextGen) and one from the National Academies (looking at system architecture for NextGen). Whilst the really sensitive findings, including specific vulnerabilities, have understandably been kept internal, the public findings do reveal some lessons for approaching cyber-security. Here are five that will benefit all aviation stakeholders:
- Cyber-security is not easy: Put frankly, the reports are pretty damning. The GAO concludes that "significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system". This is not because the FAA has been lax, or has been notably hacked, unlike Sony or the security firm Kaspersky Lab, or indeed Poland's LOT airline. This conclusion is made despite a concerted, multi-year effort, including an information security program and agency-wide risk management function. Building an effective cyber-security capability does not happen overnight, and the effort should not be underestimated.
- Cyber-security needs to be based on enterprise architecture: The GAO assessed that the "FAA has not yet fully established an integrated, organization-wide approach to managing information security risk", given that the complex relationships among missions, business processes, and the supporting information systems require such an approach. The National Academies report believes that cyber-security "requires a system-wide approach that is managed architecturally and cannot be addressed piecemeal by each contractor separately". Both point to an approach based on enterprise architecture. The FAA did not start with one, but is now developing it.
- Cyber-security is through-life risk management: The GAO gave credit to the lifecycle approach taken to cyber-security, and more generally risk management. The National Academies report notes that "reasoning about risk assessment will become increasingly thorough and definitive as development proceeds through architecture, design, and eventual implementation, although there will always be significant uncertainty". Cyber-security will never be over: the risks evolve and need continual attention.
- Security and safety need compatible approaches: Safety and security are inter-related, but are also different disciplines. The GAO highlighted concerns about the impact of excluding safety functions on the FAA's ability to achieve a coordinated and holistic approach to cyber-security. The National Academies report noted that "safety properties themselves are dependent on a resilient, trustworthy, secure system, so careful integration of cybersecurity models and processes into safety analysis will become increasingly important". It is notable that there are no mature approaches for doing this at present.
- Auditing is effective: Effective cyber-security requires auditing in many guises. Auditing brings to light whether policies are being implemented, whether controls are in place and whether processes are being maintained. Audits are often onerous and can be sensitive, but invariably offer learning opportunities. These reports themselves are a good example of how auditing and scrutiny are a necessary part of an effective management system, providing the feedback and accountability that ultimately drive success.