This page contains a Flash digital edition of a book.
“…interconnected airspace and reservation systems, crossing regional and national boundaries, pose a significant opportunity to a cyber terrorist…”


Does your organisation hold information that is of value to others?


The personal details of your customers and your staff, details of commercial discussions with potential suppliers or customers and contractual arrangements are all of interest to groups outside your business. The aviation industry is a large diverse industry with many vested interests. Other industries have seen significant and coordinated attacks designed to steal intellectual property or information that will provide others with a competitive advantage. There is an acceptance now across many organisations that have been attempting to defend against an ongoing barrage of increasingly sophisticated attacks, that organisations need to have a much clearer understanding of what information they need to keep and how long it needs to be protected for. Assuming all the data you have ever collected needs to be protected in the same way is inefficient and places undue financial burdens on the organisation. For the most sensitive of data, related, for example, to a potential acquisition, a range of stand alone systems and physical security approaches might be used to limit access and control the distribution of information. Applying the same approach to general daily communications is not practical or necessary.


“…airport operators may find themselves targeted because of the activities of an airline operating from their airfield…”


There is an additional element to this question: do any of your suppliers hold information of value to others? For example, does your outsourced Occupational Health service have details of all your staff and is it adequately protected? Are your car parking systems connected to the internet providing useful sources of identity (names, addresses, e-mail addresses, credit card information, etc), and if so are they appropriately protected? Systems need to be protected from external threats and also


from employees who due to negligence or malicious intent, reveal critical information or provide access to your systems. Their motivation may be to cause disruption or to degrade service, or simply to steal the vast amount of personal information, banking details and intellectual property that airlines, airports and aviation companies will have on their systems. Staff engagement and security culture all give indications of the likelihood of a disgruntled or careless employee's activities going unchallenged or unchecked, and are important additional defences to software or hardware solutions.


36 Download your FREE ASI "iPad/iPhone APP" NOW


How well protected am I from the threat? In the aviation industry there is an understanding that there is no such thing as 100% effective security. Security needs to be delivered but it also needs to be delivered in such a way that it does not shut down the business or place an unacceptable financial burden on it. As with all Critical National Infrastructure businesses, organisations in the aviation sector need to have a mature, robust cyber risk assessment and mitigation programme in place if they are to stay ahead of those seeking to disrupt or damage their business. Consideration should be given to data available on the internet through blogs and social media sites. Intelligence gathering exercises have revealed airport staff giving away information through such sites, the consequence of which has resulted in system compromise. Organisations should prepare for the consequences of an attack. A physical attack on infrastructure can be observed. Damage from a blast will be restricted to a certain area and organisations and emergency services have practised their response. A cyber attack could be far more confusing; indeed, one of the factors that makes it so attractive as a form of attack is that it can take organisations weeks to identify and clean their systems even when they have finally detected the attack. Has information been taken by an insider? Has it been accidently leaked? Has someone gained access to your system? If sensitive high level commercial organisational data is being leaked, it will not be immediately clear if it has been leaked by someone on the Board or if someone has gained access to a Board member’s system. You can expect mistrust, uncertainty and doubt as the team try to continue to run the business and manage the forensic investigation into the incident. These are not factors traditionally associated with highly effective teams. In the event of a physical attack you can expect a degree of the organisation pulling together to overcome, a ‘business as usual’ approach. You will not get the same result when the only visibility of the attack is that some of your systems seem slow, data appears in some cases to be inaccurate, staff cannot tell the difference between a real e-mail and a threat e-mail and your customers and the Press are demanding immediate, clear explanations as to what has happened. This level of uncertainty and distrust should be taken into account when planning scenarios and running crisis management exercises. We have focussed in this article on examples of where


organisations have already experienced attacks or the loss of data. The aviation sector implicitly relies on systems which require a safe, secure environment in which to operate. Looking to the future, the next generation aircraft will be significantly more interactive, with not just fly-by- wire flight controls but whole ranges of systems connected electronically, with data being updated in real-time rather than the existing static update mechanisms. The separation between systems (flight control, entertainment, auxiliary


April 2012 Aviationsecurityinternational


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52