Russ Hensley

Consumer Cybersecurity expectations for aviation industry

By Russ Hensley, CEO CISSP

As a Certified Information Systems Security Professional (CISSP) I am asked on a weekly basis by both business associates and personal friends for my advice on how to keep their data and records secure.  Data security is much different today than it was even 5 or 10 years ago.  Data breaches are a daily occurrence by both small and large business as well as personally.  There are many industry standards in place but those standards have not been adopted across the board leaving glaring holes that put businesses and individuals at risk.   We can do better to protect our data in general and business aviation. Let me explain.  

Most corporate aviation flight departments will fall in line with the security of their parent company who owns and manages their own aircraft.   Those will have private networks along with other defenses in place to match the business requirements.  They assess their own risk and might have the same issues in the parent business that I discuss later, but these operators are not the subject of my thoughts in this article.

For those companies that do not fall under the umbrella of a larger corporation, such as fixed base operators and charter operators they often do not have stringent data protection policies in place.  They present themselves to their clients to offer high-touch service at the front door to business travelers or highly affluent travelers.   However, is their data security meeting the expectations of their clients?  

Also for the purpose of this article I need to expand Cybersecurity’s meaning to be inclusive of what could just be considered good data housekeeping and not just fighting off hackers from foreign countries.  For example, are they backing up data off-site, or keeping their software up to date or training staff on how to see a phishing email?  They might not be meeting the same IT housekeeping and security posture as a local restaurant who could be exercising more care and diligence about the financial and other information they just received.

In the past 18 months the United States has experienced much turmoil because of repeated cyber breaches that either steal data for to gain access a banking account or credit card number or ransom essential company data for a hefty price.  This has brought many people and companies to a screeching halt while they scramble to recover their data and business.  This has been brought to the attention of many via the world media.   For example, in the past few months the news has reported about ransomware affecting national gas pipelines and as well as daily reporting about how thousands of American businesses have been exploited. In fact, the current presidential administration is proposing $2 billion for cyber defense grants to government agencies at federal, state and local levels.    This topic is squarely now on the minds of the American consumer more than any time before so you can be assured that it is on the minds of travelers who are passing through FBO and Charter operator doors as well.

When looking at audit and program management documents from industry leaders like NBAA, Wyvern and the FAA, for example they currently do not seem to address data security in the ways that other industries like retail, banking, or healthcare do.  For example, retail organizations that process credit card transactions have to abide by PCI compliance, which is audited on a regular basis additionally business insurance companies are requiring a formal policy program be adopted list the NIST Cybersecurity Framework.  

However, because no one is auditing the actual security posture of places like FBOs, their security may be lacking leaving the business and their client’s data vulnerable.  The scope of the information that needs to be protected includes, for example, aircraft maintenance and operational records, passenger manifest data, and support staff information not limited to personally identifiable information (PII)

In other industries the full embrace of security frameworks like the NIST Cyber Security Frameworks and other standards are a requirement for day-to-day operational integrity coupled with training programs specific to cyber security.   Yet, there is a glaring absence of a discussion about this outside of the airline industry in air travel.    Only one article in NBAA in 2020 addressed the issue, outside of that in a literature search in the past few years, the rest of the information is typically geared toward security avionics systems of the aircraft with no mention of actual good cyber security hygiene to protect consumer information. 

Most FBO and Charter operators also fall into state and local cybersecurity laws outside of obligations to current healthcare laws and other financial contractual requirements they agree to with their credit card merchant accounts.  

The issue I believe lies with the lack of governance and routine inspection from industry peers on implementing best practices.    Some are just simply unaware they are not doing what is an attempt to secure data little less the best practice.  This is however not uncommon as similar bad habits and liabilities open up in other industries like legal and accounting who are likewise holding similar data and not held accountable.

Industry leaders and auditors must pick up the process rapidly and adjust their programs to incorporate a specific and direct approach to information security management programs to help their business members and those audited by them understand the responsibility of the data they hold, where it is and how to protect it.    Otherwise, it’s my opinion that the insurance companies will start to direct these programs as they are doing in other non-regulated industries now.     Things like Multi-factor authentication attestations are in the last 6 months now a commonplace requirement for businesses now seeking data breach insurance or other forms of cybersecurity insurance.

Practically speaking, while we wait for the changes to those documents and processes to take place, what can businesses do to protect themselves?  My recommendations come from two standpoints, tactical and strategic.  

From the tactical standpoint security practitioners individually have their own hot-button items, but if you piled the top 5 into one list I think that it would look like this:

  • First – backup, backup and then backup off-site.    Hurricanes, tornadoes, fire, ransomware all have this in common.  Have MULTIPLE backups of data and systems, one of which is Off-site.    
  • Multi-factor authentication to all cloud services and remote access.  Passwords without a random factor (PIN) are just incidents waiting to happen.   
  • Patch everything and patch often.  Applications from your vendors like QuickBooks and computer operating systems need to be on a managed patching platform where you can run a report to check those tasks are being executed. 
  • Endpoint  Detection and Response – In the past this would be called anti-virus.  Now, it’s more computer artificial intelligence protection to see the EDR anticipate malware is working on your machine and about to move to another platform.
  • Train your staff – Security awareness training about what things like hackers and malware want you to do and the steps to report when they see something suspicious are critical. 

From the strategic and long-term business standpoint.  Implement a framework of policies that are based on best practices to get your staff, IT service providers or any other person involved onto the same page.   For this industry and many others, the National Institute of Standards and Technology has created the Cybersecurity Framework (NIST CSF).   This is a very well-organized set of checks on 5 areas: Identify, Protect, Detect, Respond and Recover your businesses data.   The framework is not something that only a technical person should review.  This is a core business document that should at least be reviewed and familiar to the owner or CEO.  It is not tech, rather it covers all business management to check on the policies and if technical tools are implemented correctly.   For this, I recommend a consulting firm with tools in place where they have experience with these areas and helping implement them.    

For the most part, a good managed cybersecurity firm will have the services to perform both strategic and tactical consulting, while most managed IT services firms will be able to complete some of the tactical services.   

About the author – Russ Hensley is a Cyber Security professional with over a decade of direct security experience consulting banks, healthcare entities, flight departments and a lengthy list of other industries.  With over 26 years of general IT experience running one of Kentucky’s largest IT service companies.   He is also a multi-engine commercial instrument airplane pilot, and private helicopter pilot AOPA Life Member, NBAA member, Civil Air Patrol member and avid aviation supporter having served on several airport boards and sub-committees.  Hensley / Elam is an NBAA corporate member.  www.hea.biz

References 

Management and inspection guides

https://assets.nbaa.org/admin/management-guide/nbaa-management-guide-2021-01.pdf?client_id=assets

https://www.faa.gov/licenses_certificates/airline_certification/135_certification/general_req/

https://www.wyvernltd.com/audit-programs/#part-91

https://www.acsf.aero/audit/acsf-industry-audit-standard/

Airline Association Resource 

https://www.iata.org/en/programs/security/cyber-security/

Articles about aviation safety inspections and cybersecurity

http://aviationsafetyblog.asms-pro.com/blog/audit-checklist-10-things-to-do-before-aviation-sms-audits

https://nbaa.org/news/business-aviation-insider/2020-nov-dec/management-best-practices-aviation-cybersecurity/ (2020)

https://nbaa.org/aircraft-operations/communications-navigation-surveillance-cns/connectivity/virtual-maintenance-conference-mitigating-business-aircraft-cybersecurity-vulnerabilities/  (2020)

https://nbaa.org/events/2019-pdp-course-cybersecurity-risk-management-flight-departments/ (2019)

https://nbaa.org/news/flight-plan/dhs-gives-cybersecurity-warning-small-aircraft-owners/ (2019)

https://nbaa.org/news/flight-plan/cybersecurity-tips-protecting-data-flying/ (2019)

Articles on proposed Cybersecurity regulations:

https://www.csoonline.com/article/3626908/18-new-cybersecurity-bills-introduced-as-us-congressional-interest-heats-up.html

Executive Order for Cybersecurity:

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/

https://www.zdnet.com/article/experts-tout-cybersecurity-funding-in-infrastructure-bill/

Cybersecurity Policies for Business that Operators should implement

https://www.nist.gov/itl/smallbusinesscyber

HIPAA – Healthcare Rules

https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

Banking Rules

https://www.ffiec.gov

Posted in Letter from the CEO.