November 11, 2020

Cybersecurity in Aviation's Digital Transformation

Cybersecurity is often the specter that comes with any digital transformation, and it’s natural for aviation executives to be concerned. There’s never a dull moment:

It’s also natural for executives to feel overwhelmed by what cybersecurity entails; it’s an esoteric field often left to IT departments. The challenge, however, is that it’s becoming increasingly crucial for executives to have a cybersecurity strategy.

Fortunately, aviation executives aren’t starting from scratch; they have decades of experience with physical security that can be translated into cybersecurity.

they [aviation executives] have decades of experience with physical security that can be translated into cybersecurity

As the CTO of FetchyFox, I’ve built the following framework to help me grapple with cybersecurity and I hope it can help.

What is Stealing in the Digital Age?

Consider these three scenarios where I take something from you:

  1. I made an exact copy of all your furniture but left your original furniture untouched.
  2. I made an exact copy of your house keys, credit cards, and IDs.
  3. Scenario 2, but it turns out the keys are from an old apartment, the credit cards are expired, and the IDs are fake.

It would be reasonable for me to argue in scenario 1 that I didn’t steal anything from you and you wouldn’t notice. In scenario 2 you didn’t lose anything but there’s a stronger sense of you being “robbed” of something. Scenario 3 is fundamentally the same as scenario 2 in terms of what I physically took but there’s no sense of you being robbed of something.

These three scenarios outline what “stealing” is with digital assets. Traditionally, theft is seen as you losing access to something but scenario 2 seems to contradict that. What happens in scenario 2, and not scenario 3, is that even though you didn’t lose access to anything, someone else gained access to something.

It’s inevitable that data will be stolen, copied, or leaked during an organization’s life. The challenge for data security teams and leaders is not how to prevent all unauthorized access to data, but how quickly unauthorized data access can be detected and how quickly that data can be made useless.

Attack Surfaces and Threat Vectors

IT, data security, and ops teams have a lot on their plate when it comes to securing data and information. There are hard threats like brute force password attacks, security holes in cloud architectures and systems software, and bad coding practices. As well as soft threats like social engineering and poor operating procedures. This is called a large attack surface, a vast collection of physical and virtual assets that need to be defended.

An attacker on the other hand just needs to breach a single spot, a single threat vector, like stealing a company laptop when an employee goes to the restroom at a cafe. Because of this asymmetric nature, it’s a poor use of organizational resources to defend the entire attack surface and instead focussing on mitigating likely threat vectors, detecting active threats, and neutralizing successful attacks. In practice, this usually means defining where along the attack surface can be minimally secured and where should be heavily monitored and protected.

Impact and Visibility

Not all threat vectors are equal. How should your organization prioritize potential threats? One approach is to look at a potential attack’s impact and visibility. The former refers to how many organizational resources have to be diverted to resolve the attack and the latter refers to the attack’s perception by customers and stakeholders. If your organization is brand-sensitive then it makes sense to ensure no data breaches with any potential visibility occur. If your organization is resource-constrained then it might make sense to only address potential breaches with high visibility and hope smaller breaches just blow over.

Whatever your situation is, a framework for managing potential threats and triaging active threats will help your organization best deploy resources.

Effort and Impact

With a map of the threat space, your organization can ask the next important question. Are there any high impact threats that can be prevented with relatively small effort?

Complex problems don’t necessitate complex solutions.

I’ve spent most of my career leading engineering teams for startups and these are some very low-effort high-impact actions:

  1. Enforce rotating passwords and enable two-factor authentication everywhere.
  2. Define standard procedures when dealing with sensitive organizational information.
  3. Discuss security and privacy early on whenever data is part of a new product or line of business.
  4. Document all the sensitive and PII data being collected, define how they’re stored, how long they’re stored, and the reason the organization needs to store them
  5. Keep tabs on your organization’s cybersecurity technical debt.
  6. Hire white hat hackers to audit your IT systems.
  7. If you’re using cloud services, then hit those checkboxes for encrypting data on-disk and in-transit, collecting data access logs, and monitoring public endpoint usage.
  8. Design and use APIs that use tokenization for handling PII data.
  9. It’s 2020 so I can’t believe I still see this and have to say it: don’t 👏 store 👏 sensitive 👏 data 👏 as 👏 plain 👏 text 👏.

So, whether it’s leading internal efforts to build new cloud, IoT, and 5G technologies or integrating with technology partners it’s clear that leadership must have an understanding of the cybersecurity landscape.

The Modern Digital Marketplace

Legacy companies in the aviation e-commerce space that brag about years of experience and mature products are actually showing one of their weaknesses when it comes to modern cybersecurity threats, technical inertia:

"Technological inertia is the propensity of incumbent firms with expertise in one generation of technology to continue development of that generation and not effectively develop and commercialize products based on a new generation of technology" (source).

It's more important than ever that leaders in aviation look to modern solutions that inherently mitigate, detect, and neutralize attacks. At the same time, secure and familiar solutions build confidence and trust with all travelers on the road to the next normal.