Tag Archives: #SecureByDesign

airplane taking off

Mayday: The Call for Cybersecurity Reform in Aviation

If the first big cybersecurity breach of 2018 has taught us anything, it’s that even multinational tech companies need help navigating the realm of cybersecurity. Intel knew about Spectre and Meltdown since June of 2017 and eight months of inactivity is not sufficient post-breach protocol.

If the tech industry is struggling to grasp cybersecurity’s severity, what does this mean for other industries? As tech and financial institutions recognize the importance of cybersecurity, other industries need to address the digital elephant in the room.

If we think about the most vulnerable industries to cyber-attack, the answer may both figuratively and literally fly over our heads. The aviation industry is one of those most influential industries in the global economy and one of the most susceptible right now to cyber-attack. As the number of digital components in the cockpit has increased, so too has the attack surface of all aircraft and air traffic control systems.

In the United States alone, the civil aviation industry accounts for over five percent of the US economy generating $1.6 trillion in economic activity per year. While a cyber-attack impacting the economy is frightening enough, the most alarming notion is that hackers have the ability to make airplanes vanish from radar systems or even crash. Even smaller scale cyber attacks can have a significant impact. A simple Denial-of-Service for airport services or flight delays can have massive cost implications and impact goods, people and information. With dollars and lives at risk, it’s important to understand where and why certain threat vectors in the aviation industry exist.

Mind the ‘air’ gap.

Traditionally, component parts and systems in aviation have been made up of air gapped technologies making them near to impossible to breach. As society has evolved and shifted to a more connected digital environment, we’ve seen a similar paradigm shift in aviation. Even critical components such as engines, hydraulics and flight management systems are now being monitored using IoT approaches to services. While this has made flying easier for pilots and cozier for passengers, it has also made systems exponentially more vulnerable to cyber-attack – specifically after switching from fly-by-wire to fly-by-wireless systems.

With fly-by-wireless technology, aircraft are controlled with fewer, more centralized units by

using higher throughput multicore, multiprocessor computers and commercial off-the-shelf components. While this increases efficiency, it also means that the aircraft, cockpit, cabin crew and passengers are using many of the same communications constituents. Wi-Fi, passenger information, avionics and more are all controlled by a centralized system making a single cyber-attack easier and all the more catastrophic. Not only that, but since aircraft parts are manufactured by different sources, malware could infiltrate these systems as early their journey through the supply chain.

As aviation security measures struggle to keep up with aviation technology, a number of threat vectors have surfaced. The most common in the industry include: air traffic control, aircraft IP networks, aircraft communications addressing and reporting systems (ACARS), aircraft interfaces, reservations, document control, electronic flight bags (EFB) and baggage handling. Since all airline and airport operations differ slightly, determining to what level these vectors exist and how to protect them requires a Threat & Risk Assessment (TRA) and Risk Registry (RR). With a TRA conducted and RR in place, organizations can prepare cybersecurity methodology for both pre- and post- breach conditions.

Keep airways breach-free.

You can summarize an effective cybersecurity policy in two words: be proactive. Setting up pre-breach methodology is equally as important as having post-breach methodology in place. The greatest victory is the battle not fought and there is too much at stake for the aviation industry to wage war with cyber criminals.

The harsh reality is that airlines need to prioritize as it is too expensive to protect all assets from all threats. While a TRA and RR provide the framework for an airline’s individual security needs, the mercurial nature of cyber threats requires ongoing monitoring and maintenance of the methodology in place. Pre-breach methodology should follow international standards and consider the full breach picture by understanding the risk of data exposure, breach prevention and incident response.

In an ideal world, incident response wouldn’t be a part of breach methodology, but hackers are a cunning bunch. Defenses are sometimes broken and airlines need to be prepared. Post-breach methodology is about timely mitigation and since it takes businesses an average of 100 to 200 days to detect intrusion, timeliness seems to be a widespread issue.

The key to prevention and detection is ensuring technical controls are in place and that policies and procedures governing security practices are well communicated to protect and secure assets. The ability to detect and perform an incident response that follows a breach aids greatly in tightening security practices by identifying methods that will prevent further compromise in the future.

Airlines need to realize that this can’t be done alone. Whether it’s through the public or private sector, airlines need to partner with experts that understand the ever-changing cybersecurity landscape. The best security partner helps you implement procedures to handle this swiftly and independently and can also be called to assist in emergency situations.

A commercial plane wouldn’t take off without landing gear nor would it fly without a channel connected to air traffic control. Whether it’s physical or digital, a preflight checklist is required to ensure safety of both the flight crew and passengers. Cybersecurity isn’t a risk the aviation sector can afford to take.

Facebooktwittergoogle_plusredditpinterestlinkedin

IoT is Active and Moving. Are you?

IoT is Active and Moving. Are you? 

The U.S. Department of Commerce recently cited that 200 billion connected devices will be deployed by 2020 with an accompanying economic impact in the trillions by 2025. This Internet of Things (IoT) represents a major transformation in a digital world that has the potential to affect everyone and every business.  As a result many companies are moving ahead on IoT projects with little consideration to the security or privacy issues that accompany IoT.

Many companies however do not have a specific solution in place to secure IoT devices, and some may not know if they have security policies on their devices. ForeScout® Technologies, Inc. recently announced the findings of its new “Enterprise Internet of Things (IoT) Survey.” This survey of 350+ Information Technology (IT) professionals assessed their organizations’ IoT security practices. The research revealed that while the majority of respondents acknowledge the growing number of IoT devices on their networks, they are unaware of how to properly secure them. Moreover, 85 percent of survey respondents lacked confidence in their ability to see connected devices as soon as they joined their networks, and almost a quarter of survey respondents said that they weren’t confident at all. When connected devices are left out of the security sphere, an organization’s attack surface becomes that much more vulnerable. The excuses for this scenario are many and the users of these companies solutions are potential digital crime victims; many of whom are never notified or even aware of the risks and dangers.

Today there is an added risk: spying.  As the Internet of Things (IoTs) become more commonplace more valuable data will be accessible through an ever-widening selection of entry points. Not only to hackers alone, but also to spy agencies like the National Security Agency (NSA).  So what is a developer or solution provider to do? Well it starts at the concept stage of considering how data is collected, processed, stored and destroyed. This is not only a software consideration but also hardware. At a high-level here is where you need start:

  1. What does your company policies and procedures state about your systems development life cycle (SDLC)?
  2. Does your SDLC provide at design/concept stage allocations for a Privacy Impact Assessment (PIA)  and Technical Risk Assessment (TRA) ? 
  3. Are your developers/programmers given security training?
  4. Do you perform background checks on developers/programmers?
  5. Where do you store your source code? And who has access to it?
  6. Where are your components sourced from and have you validated the firmware on these components and integrated circuits?
  7. Have you assessed the Third Party libraries for security issues and coding practices?
  8. Did you perform “threat modelling” of the proposed solution?

All of these aspects need to be considered as they are a benchmark for all of your solutions and must become part of your business culture. This also includes documenting all aspects of these elements, especially for meetings that deal with design decisions. Maintain a decision log/registry that is tied to the project. This can be referenced if and when a breach happens. It can also save your a$$ to provide you did the due diligence at design time. Your dev-ops, designers, and testers need to eat, think and breath private and secure design. Doing this up front will not only greatly reduce costs in the back end for support but also help avoid possible lawsuits.

At TwelveDot our goal is to help companies that are struggling to secure their mobile, cloud and IoT solutions. Connect with us to see how we can help you solve your security challenges.

Facebooktwittergoogle_plusredditpinterestlinkedin