Digitized aircraft operating and maintenance data is great for efficiency, but all those Terabits expand the target for cyber attackers. Thales’s Data Security Summit in Washington on May 31 provided some guidance on how managers can counter the cyber threats:
1. Know your data, stressed Nick Jovanovic, vice president of Thales eSecurity Federal. The first step is discovery to learn all the data generated and stored by your firm, where it is, who ‘owns’ it, how valuable it is and where and how often it is backed up. You need all this to set your data-protection priorities.
2. Know the threats. Amateur hackers are less dangerous than professionals. These can be criminal hackers who want to steal or extort money by hacking into your data. Or they can be terrorists who want to do damage, but may also want to steal or extort to finance other terrorism.
3. Go on Offense. The best defenses must be complemented by a good offense. Artificial Intelligence tools can detect probes of data before a successful cyberattack.
4. Look For Vulnerabilities. The top IT giants pay staff bonuses to discover ways in which data can be hacked. You can afford to incentivize some clever people in your IT department to think like hackers every once in a while.
5. Perimeter Defense Is Not Enough. Fifteen years ago, firewalls and other fences may have been enough. No longer. “Firewalls are Swiss Cheese now,” Jovanovic observes. Important data must be protected by layers of security, and the final layer should be data-centric encryption.
6. Encrypt All Data. “Encrypt everything, structured, unstructured, data in motion, data at rest, data on mobile platforms,” Jovanovic advises. Encryption is affordable now in terms of performance. It is the final and essential layer of defense for the data that really matters.
7. Keep Your Keys. You should retain physical control of all encryption keys. These are too important to delegated or outsourced to others.
8. The Cloud Is Great, But. The cloud can be very efficient and provide some minimal security protections. But you must still control the security of your data in the cloud, you cannot delegate this to the cloud provider.
9. Know Your Clouds. Major aviation organizations are likely to use several clouds, public, private and industry. Someone in the firm should know each of these clouds thoroughly, their security strengths and vulnerability.
10. Pay Attention To Data Moving To Or From The Cloud. Data security applies to both data in motion and data at rest, emphasizes Frank Tycksen, Thales global VP for solution architects. Data can be hacked in transmission as well as in storage.
11. Don’t Neglect Physical Security. You should control who and what enters and exits your data center. Devices are available that can detect flash drives or other storage media moving through doors.
12. Mobility is Great, But. Everyone wants access to their data wherever they are, in offices, hangars on the ramp or even at home. Be careful how you satisfy these needs. Access on company devices must be controlled by a solid Mobile Device Management system. Access in the Bring Your Own Device world is much riskier. Remember, you have to be able to trust the device, the app and the person accessing data. Two out of three is not good enough.
13. Know Your Suppliers. Malware can be embedded in systems coming new out of the factory. You are depending on the cybersecurity of your suppliers and should make that one criterion in selecting vendors.
14. Communicate And Enforce Data Security. A meticulous data-protection policy is useless unless it is followed by everyone involved with data. You must communicate the policy in terms that are persuasive to engineers, clerks and mechanics, not just lawyers, CFOs or IT specialists. Explain how data breaches will wreak havoc with their work lives, not just cost the company money. Hold managers accountable for compliance in their departments.
15. Don’t Rest. Your cyber security strategy must continue to evolve as threats, data and operations change. The Department of Homeland Security, which watches over U.S. government data, calls this Continuous Diagnostic Mitigation. “Threats are always morphing,” says Jim Quinn, lead systems engineer in DHS’s cybersecurity office.