If you are an airport executive, you may be wondering what it takes for your organisation to become completely cyber secure.
Well, the first thing to understand is that you can never be completely cyber secure. And, even if you could figure out how to do it, it would be short-lived as your airport’s technology environment changes daily at the same time that new vulnerabilities occur, and new threats emerge.
So now you may be wondering how you can effectively manage the continual investment your technology department is requesting and/or making in new cyber security tools.
Fortunately, there is an approach that you can take to give yourself at least some level of confidence that you are taking the steps necessary to address this formidable issue that has become an important part of your management challenge.
Two key concepts
To begin, there are two quick concepts to understand. First, cyber security includes a number of concerns that are not always considered. Think of the acronym CIA, which stands for confidentiality, integrity and availability. When protecting your organisation, you need to consider all three.
Confidentiality is the most straightforward and is the protection of your most sensitive, private and critical data. Availability is ensuring that your systems are running whenever you need them, especially your mission-critical systems. Integrity is assurance that your data has not been tampered with or altered, and is complete and accurate. All three are necessary to have a cyber secure environment.
The second concept is that your technology environment follows the second law of thermodynamics, which basically states that everything, without exception, will deteriorate unless additional energy is provided.
Your cyber security environment will deteriorate in the face of inaction. As said above, new threats emerge, your environment changes and exposes new vulnerabilities, and your risk picture degrades. You must actively continue to manage the environment, take the needed actions, and assure yourself (and your Board, the public and everyone else who has a stake in your airport) that you have taken due care in managing this difficult question.
So, what do you do? The most common reaction is to give your IT department a pot of money with the direction to ‘fix’ the issue.
I call that ‘attacking the middle’, and the result is that you have made an investment and you really don’t know if it was effective or not. And, more than likely, the IT department will be back the next year asking for another investment and, if provided and the dollars spent, you still won’t know how your investment has changed your risk position.
Clear and present danger
Before we go any farther, let me dispel the idea that a cyber security attack cannot happen to an airport. It can. It has happened to airports all over the world and the attacks have taken the form of malware, data breaches, denial of service attacks, advanced persistent threats, and disruption of critical operations.
Furthermore, there are bad actors out there who don’t even care that you are an airport. They are simply looking for unguarded IT environments to steal your processing resources for their own purposes, including your computer power, to launch attacks against other organisations.
Back to the solution. As already stated, the traditional approach has been to attack the middle, which may cost a lot of money and time, with no measuring stick as to how effective the expenditure may have been. Here’s an alternative, which I call the ‘top-down’ and ‘bottom-up’ approach.
In this approach, you take nine steps ‘top-down’ and nine steps ‘bottom-up’, all of which are either free or low in cost, with one exception. Most of them are IT best practices for any environment, even if cyber security were not an issue, and should be practised by every modern organisation that uses technology in the operation of its business.
The ‘top-down’ approach starts at the top. Not the head of the IT department, but the airport director or chief executive level. Responsibility for cyber security is shared by every airport department, and all have a stake in ensuring that cyber security priorities are achieved.
Governance – every single department, from human resources, risk management and accounting to security, is at risk from cyber crime, so the heads of each have something to gain if cyber security is carried out well, and something to lose if it is not. The creation of a cyber security governance committee is a simple, free way to get all of your key managers on the same page regarding cyber security. In the first year you might meet quarterly; after that, semi-annual meetings are usually sufficient unless something unusual has occurred which needs addressing.
Education – The governance group is not going to become cyber security experts, but they need to understand the threats that their own organisation is facing and some of the general trends occurring in the cyber security world. Some party, typically the IT department, should be charged with providing regular updates on organisational cyber security activities as well as a periodic update on what is happening in the technology world. Another free step.
Framework – This sounds ‘exotic’, but it is not. There are numerous cyber security frameworks in existence, most commonly the ISO 27000:27013 series. In the simplest terms, a framework is a target against which your organisation can measure its own cyber security activities, practices and status. The value of a framework is that you can use the entire framework, just the elements that apply to your organisation, or a more limited sub-set when you begin. It contains best practices that will help you take the necessary steps to improve your cyber security environment. Choosing a framework and applying it to your own IT practices has no cost.
Risk Management – This is the only one of the 18 steps being provided that may have more than a nominal cost. A risk assessment can be done internally and be very effective, if you have personnel with the required expertise. However, an internal assessment may also suffer from a ‘blind spot’, where certain internal practices are simply considered acceptable when, in reality, they are not. One of the most important decisions the cyber security governance committee should consider is how best to conduct an objective, comprehensive risk assessment of all airport systems, the network environment, organisational policies and procedures, and every other aspect of the operation that has a bearing on its cyber-safety. The typical risk assessment ranks potential threats and vulnerabilities to provide a clear, easy-to-understand risk picture.
Reasonable Response – Once the risk assessment is completed and submitted to the cyber security governance committee, decisions need to be made on the highest rated risks. It is not necessary, or even possible, to address all vulnerabilities at once. A well-planned approach identifies the personnel needed to address each vulnerability, determines a time frame to complete the mitigating work and allocates the necessary funding. The actions taken by the committee usually amount to one of the following: mitigate the risk by taking the necessary actions to reduce the impact; avoid the risk by changing business practices so that the risk is no longer present; accept the risk when the cost of addressing it outweighs the impact; or transfer the risk by giving it to a third party who then becomes fully responsible for the process.
Business Continuity and Disaster Recovery – This is a simple one for the cyber security governance committee. Executive management’s role in these two critical functions is support. The IT department must do the heavy lifting to ensure that, in the face of a cyber-attack, the business has a plan to quickly recover and continue to operate. Of course, the cyber security committee must also ensure that these plans exist and are routinely practised.
Data Governance Policy – This is another easy step. Not all data is equal. The cyber security governance committee needs to ensure that all of the data in the organisation is classified in a manner that prioritises security for data of a sensitive or personal nature. The policy needs to specify how the data is stored, when it may be disposed of and the manner in which it is destroyed. It should also detail all of the proper uses of the information, both internal and external to the organisation.
Forensics Response – Another fairly simple step. Every organisation needs a policy which states what happens when a cyber security incident is suspected or verified. There are specific steps that must be taken based on the nature of the incident. Internal administrative violations may involve human resources and public safety. Anything of a serious nature, especially incidents which may be a crime, must immediately be referred to law enforcement. In either case, the most critical element is a detailed, step-by-step procedure for gathering and preserving crucial forensic evidence.
Cyber Insurance – Simply put, consider whether or not you need cyber security insurance to protect your organisation and to protect third-parties that may have been impacted by your cyber security incident.
The ‘bottom-up’ approach focuses on the lower echelons of the organisation and the day-to-day functions and best technology practices that everyone should carry out. However, even though they are ‘bottom-up’, these activities still need to have visibility with airport management.
Cyber security Awareness Training – this is perhaps the easiest recommendation. Every employee in the organisation needs annual cyber security training, which stresses the importance of basic cyber security safeguards and reminds personnel of the dangers associated with social engineering – a common threat vector of the bad guys.
IT Employee Training – While the above step recommends basic cyber security awareness training for the entire organisation, this step stresses the need for training of the IT department itself. The concept that you only need one expert in cyber security is antiquated and ineffective. Every technology employee must understand how to practice cyber security in the execution of their normal daily duties.
Empower Cyber Security Team – If your organisation is large enough to have a dedicated cyber security team, don’t waste them. Instead, empower them and give them the freedom to be objective in evaluating every aspect of your airport’s cyber security practices – even outside the IT department.
Lock Down Exercise – I recommend that you set aside one day every year, usually during National Cyber Security Awareness Month in October, where one day of the IT department’s time is dedicated to reviewing all of their internal practices, policies, procedures and activities to ensure that they meet the standards of the cyber security framework which the organisation has adopted. Each IT employee should provide a report of their findings, activities, and promised actions to address any deficiencies that were found.
Asset Inventory – This is an easy one in concept, but often proves to be a challenge in reality. You must have an asset inventory of all of your hardware, software and firmware. You cannot possibly ensure yourself that you have addressed every potential vulnerability unless you know everything that makes up your IT environment.
Formal Patch Programme – With the inventory in hand, you must be aware of any published vulnerabilities as soon as they appear and implement patches or compensating practices or, in the case of zero-day threats, take your systems off-line until they can be operated safely. A successful patch programme requires proper testing, scheduling the patch for a time when the operating environment can best accept the change, and, finally, testing the result of the applied patch to be sure it has no unintended consequences.
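One way to make the asset inventory drive the patch programme, as an added example that is not from the article (product names, host names, advisory ids and versions are all constructed placeholders): each inventoried asset is matched against published advisories and the action the step above calls for is recorded, including taking a critical system offline when no fix exists yet.

```python
# Added example (not from the article): reconcile the asset inventory
# against an advisory feed. All records and ids are constructed samples.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    host: str          # inventoried system
    product: str       # software or firmware name from the inventory
    version: tuple     # installed version as comparable integers
    critical: bool     # mission-critical: availability comes first

@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder ids, not real CVE numbers
    product: str
    fixed_in: Optional[tuple]  # first patched version; None = no fix yet

# Constructed sample inventory and advisory feed
INVENTORY = [
    Asset("fids-01", "displayserver", (3, 2, 1), critical=True),
    Asset("kiosk-17", "displayserver", (3, 3, 0), critical=False),
    Asset("hr-db", "dbengine", (12, 4, 0), critical=False),
    Asset("baggage-ctl", "plcfw", (1, 8, 0), critical=True),
]
ADVISORIES = [
    Advisory("ADV-0001", "displayserver", fixed_in=(3, 3, 0)),
    Advisory("ADV-0002", "dbengine", fixed_in=(12, 4, 0)),
    Advisory("ADV-0003", "plcfw", fixed_in=None),
]

def reconcile(inventory, advisories):
    """(host, advisory_id, action) for each asset still exposed: patch where
    a tested fix exists, otherwise take a critical system offline or isolate it."""
    actions = []
    for asset in inventory:
        for adv in advisories:
            if adv.product != asset.product:
                continue
            if adv.fixed_in is not None and asset.version >= adv.fixed_in:
                continue  # already at or above the patched version
            if adv.fixed_in is not None:
                action = "patch-after-testing"
            else:
                action = "take-offline" if asset.critical else "isolate"
            actions.append((asset.host, adv.advisory_id, action))
    return actions
```

Re-running the reconciliation after the patch window is the post-patch check the step describes: an asset that still appears in the output was not brought to the fixed version.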
Review Data Sets – You have already created a data governance policy. Now check that it is being followed. Review all databases and systems against the data governance policy to ensure that all data is being handled in accordance with it.
Change Management – Remember the Second Law of Thermodynamics? You must have a system that records every change made in your IT environment. The simplest changes can have the most disastrous impacts if not properly conceived or executed. The only way to correct unexpected errors is to have a complete record of everything that has been changed to determine the root cause of the issue.
Secure Physical Space and Systems – The availability of your data systems is based on them being maintained in secure, environmentally safe settings with redundant power and protection against any natural or man-made threat. In this final step, cyber security and physical security are blended to ensure your IT environment is always available when it is needed.
So, you now have nine ‘top-down’ and nine ‘bottom-up’ practices that are the foundation of your cyber security programme. Once implemented, you will have a far better idea of how cyber secure your environment is and where to make future investments. Then, you can ‘attack the middle’.