In light of recent US airport attacks from Killnet, United Airlines, Burns&Mac’s 1898 & Co., and Armis discuss the Attack Surface of the hyper-connected airline ecosystem.
Leaders of Industry is a series of conversations between operational technology, critical infrastructure (CI), and security experts from Armis and other leading companies and institutions. The series explores critical considerations for protecting the OT and CI assets that keep our manufacturing operations, public and private institutions, and cities humming.
This conversation on securing the hyper-connected aviation industry features the following experts:
- Reynaldo Gonzalez, Principal Cybersecurity Architect, OT Security, United Airlines
- Ali Elnaamani, Managing Director, 1898 & Co., a Burns & McDonnell company
- Keith Walsh, Director, OT Security and Operations, Armis
In Part 1, I discussed with Reynaldo Gonzalez, Principal Cybersecurity Architect, OT Security with the world’s 3rd largest airline, United Airlines, the challenges and their approach to identifying an unseen ‘protect-surface’, its subsequent ‘attack-surface’, all the while having to juggle pending TSA guidance, requirements, and the costs of mitigating risks.
In Part 2, I chat with Ali Elnaamani, Managing Director, 1898 & Co., as we delve into how one of the most trusted architects of airport infrastructure, services, and cyber-solutions manages the digitization of our aero-infrastructure, managing regulations, the evolving risk posture of today’s and tomorrow’s airports, and the steps for airports and airlines to take to deter cyberattacks and ensure cyber resiliency when safety and uptime are on the line.
Welcome to the conversation.
Part 2, with Ali Elnaamani and 1898 & Co.
Keith: Good morning, Ali. 1898 & Co plays a very large role in many of the critical processes involved in not only airport construction but also the services provided to them. Can you give us a brief introduction to some of the roles and services 1898 & Co. provides?
Ali: Good morning, Keith. 1898 & Co. is the consulting arm of Burns & McDonnell, the global engineering, construction, and design firm that services critical infrastructure projects across all industrial sectors. Within aviation, we have designed and built nearly every component from passenger terminals to detailed fueling and ramp services to critical pavement infrastructure and maintenance facilities including sophisticated IT and baggage networks to aircraft overhaul hangars and fire protection systems.
Keith: Thanks, Ali. Rey has some incredibly insightful thoughts on how the 3rd largest airline in the world approaches securing their customers and their employees, and much of it centers around understanding the overall risk profile, weighing that risk, then calculating a response to mitigate it. Can you comment on the overall risk posture of our airports? What is the scope of our protect-surface?
Ali: As digitalization continues to be adopted, more IoT devices get integrated and installed, which essentially introduces a new risk called the cybersecurity risk. As more and more IoT devices get integrated into industrial environments, the surface attack grows larger. With over 30 Billion devices connected today and an estimated 56 Billion by 2025, the surface of attack will continue to grow as digitalization and modernization become more and more important. And because of all that, we need to be more cognizant of the cyber risks being introduced into our environment.
Keith: What are your thoughts on the recent Killnet proclamation that Russian sympathizers should focus their efforts even more now than ever, on US critical infrastructure?
Ali: While the attack thankfully didn’t affect flight operations, it did send a message that “Hey, we can get to your IT systems if we want to.” If a nation wants to get into another nation’s critical infrastructure it’s only a matter of when, because they have the time, the resources, and the ability to do it. As far as Killnet’s statements around areas of focus, it’s important to note that there are different types of attacks and different types of bad actors. There are bad actors that exist for monetary gain, executing ransomware attacks. And there are the ones that are considered nation-state attacks, or Advanced Persistent Threats (APT) where one nation attacks another nation’s critical infrastructure looking to cripple them, or stoke fear, uncertainty, and doubt in leadership’s ability to keep the greater population safe and secured. In the U.S., this would be considered an act of war.
Keith: Ali, Rey speaks at length about the foundation of identifying risk, measuring it, quantifying it, and remediating it. It all seems to begin with identification, followed by a contextual understanding of the ‘weight’ of that risk.
In fact, almost every cybersecurity framework, including NIST, TSA Guidelines and Directives, Zero Trust, and Executive orders such as 14028, all begin with identifying assets. What challenges do our airports face in solving this initial use case?
Ali: As both airlines and airports begin to digitize assets and services, operators need to understand what assets they have, which can be a challenging effort with the nature of our new digital footprint. Visibility is key. If you don’t know how many assets you have within your environment, you won’t know how to protect those assets.
Secondly, understanding which assets are the most critical for operations and understanding each asset’s risk profile is important because not all assets impact operations. However, if some were to go down, it could have a major adverse impact on operations. Solving the initial use case of asset discovery is the springboard for virtually all additional use cases, including weighing and mitigating risk, vulnerability assessment, and of course, building stronger boundaries and segments.
Keith: Ali, as you prepare for Aviation-ISAC this November where among other things Killnet and their renewed focus on US critical infrastructure will be a topic of discussion, what are some closing thoughts on both the frequency and intensity of cyber attacks within our transportation vertical and critical infrastructure as a whole?
Ali: Whether new regulations are imposed on the aviation sector or not, it is our duty to protect one of our nation’s most critical infrastructures from external or internal threats. The threats that we are facing today are only the beginning, and they will continue to grow in terms of sophistication and impact as digitalization continues to take its course.
Keith: Ali, as a well-respected consultancy within the aviation space, what does 1898 & Co. see as the starting point and the subsequent steps to take for airports and airlines to deter cyberattacks and ensure cyber resiliency?
Ali: Looking ahead, more wars will be fought via cyber means than the traditional kinetic battles. It is up to us to ensure that our systems are cyber-resilient and can withstand any potential attacks. There are a few steps that can tremendously improve the overall cyber resilience of any infrastructure.
- The initial step is to conduct a sitewide risk and vulnerability assessment. This can provide airports and airlines with a baseline of where they are today with respect to their risk profile, and where they need to be to meet the set requirements. Understanding the protect-surfaces is an exercise that cannot be glossed over, for it prioritizes where to start.
- The second step is to gain visibility over the entire asset inventory — knowing all of your assets within your environment and recognizing vulnerabilities within these assets is the precursor to mitigating risks and subsequent threats.
- Thirdly, all assets, whether they’re critical or noncritical, should be hardened for any vulnerabilities to improve overall system resilience. Cyberattacks often happen because system software on a connected asset is not up to date, leaving weaknesses for hackers to exploit.
- The fourth step would be to segregate your networks by determining which ones have connectivity to the outside world and which ones don’t, such as your IT and OT systems. Installing a buffer in between, like a firewall or a demilitarized zone, can limit unauthorized access to the critical environment.
- The fifth step involves implementing a threat detection solution to continuously monitor behavior for internal or external threats that could result in a cyberattack. Through an anomaly detection solution, irregular behavior can be identified as a potential threat.
- Finally, have an incident response and recovery plan. If a cyberattack were to happen, what is your response plan? If a plan is in place, has it been tested? If your system goes down, how long would it take for you to recover and safely return to operations? A quick response to any type of attack will be critical to airline industry operations.
In addition to taking the 6 proactive steps Ali mentions above to improve your security posture, I would suggest one final step, as I always do — working together. Tear down the office walls that exist between IT and OT; plan, execute, and plan again together; invest in platforms that share information because it takes a village to be right 100% of the time.
Join us in Orlando November 1-3rd where Rey, Ali, and Armis co-founder Nadir Izrael will join me on stage to discuss Killnet, hyper-connected aviation, and the ever-expanding attack surface we are faced with protecting.
A big shoutout to Reynaldo Gonzalez, Principal Cybersecurity Architect, OT Security, with United Airlines, and Ali Elnaamani, Managing Director, 1898 & Co. for contributing to our ‘Leaders of Industry’ series.
Stay tuned for our next ‘Leaders of Industry’ episode, where we explore how a pharmaceutical manufacturing giant managed the chaos called Covid-19.
Additional information on United Airlines can be found at www.united.com