Oct 27, 2022

Reactions with United Airlines and 1898 & Co. to Russian hacking group KillNet


In light of recent US airport attacks from Killnet, United Airlines, Burns&Mac’s 1898 & Co., and Armis discuss the Attack Surface of the hyper-connected airline ecosystem.

Leaders of Industry is a series of conversations between operational technology, critical infrastructure (CI), and security experts from Armis and other leading companies and institutions. The series explores critical considerations for protecting the OT and CI assets that keep our manufacturing operations, public and private institutions, and cities humming. 

This conversation on securing the hyper-connected aviation industry features the following experts:

  • Reynaldo Gonzalez, Principal Cybersecurity Architect, OT Security, United Airlines 
  • Ali Elnaamani, Managing Director, 1898 & Co., a Burns & McDonnell company 
  • Keith Walsh, Director, OT Security and Operations, Armis

In Part 1, I discuss with Reynaldo Gonzalez, Principal Cybersecurity Architect, OT Security with the world’s 3rd largest airline, United Airlines, the challenges and their approach to identifying an unseen ‘protect-surface’, its subsequent ‘attack-surface’, all the while having to juggle pending TSA guidance, requirements, and the costs of mitigating risks.

In Part 2, I chat with Ali Elnaamani, Managing Director, 1898 & Co., as we delve into how one of the most trusted architects of airport infrastructure, services, and cyber-solutions manages the digitization of our aero infrastructure, managing regulations. We also look into the evolving risk posture of today’s and tomorrow’s airports, and the subsequent steps for airports and airlines to deter cyberattacks and ensure cyber resiliency when safety and uptime are of critical importance.

Welcome to the conversation.

Part 1, United Airlines: An airline operator’s view into managing the expanding attack surface in today’s contentious world

In light of the pro-Russian threat group Killnet’s DDoS attacks across dozens of US airports on October 10th, and their further proclamation that US critical infrastructure should be prioritized as a target, we dive into the challenges of managing a new digital footprint found within our airports and airlines, compliance with growing federal mandates, and managing the risks across the hyper-connected supply chain responsible for the transportation of over 4B travelers per year.

The first step in any cyber attacker’s playbook is a reconnaissance of the cyber asset attack surface to identify weaknesses and points of entry. The modern airport is no different, yet the attack surface has drastically changed. Today, even one under-managed asset can open the door to operational downtime, ransomware, or even loss of life.  In this new reality, assets must be the foundation of security. Optimizing cyber-defense strategies and visibility into every connected asset that makes up our ‘Global Gateways’ is now more important than ever. 

So, early in the morning of October 10th, a pro-Russian group, Killnet, claimed credit for a series of disruptions that temporarily knocked the websites of US airports offline. The attack caused intermittent delays in accessing airport websites nationwide. Fortunately, there were no operational impacts on flights or facilities. However, these attacks across dozens of airports remind us that our critical infrastructure is relentlessly under attack.

With Killnet’s attacks as a backdrop, I had an opportunity to discuss with Reynaldo Gonzalez, Principal Cybersecurity Architect with United Airlines how one of the largest airlines in the world approaches being under the microscope in such a highly visible industry with seemingly unlimited adversaries.

Keith: With the explosion of connected assets across seemingly all facets of air travel, what is United’s Area of Responsibility?

Rey: Our responsibility is the safety of our customers and employees. From the OT perspective, security and availability are very important. Yet, we are taking measures to help ensure that the security of our data and how our OT assets communicate are protected, segmented, and access controlled. There are 3rd party services that play a role in our OT space, but we are taking active measures to reassess current and future onboarding services to work with and comply with our cybersecurity requirements when they interconnect with our environment.

Keith: When planning and operationalizing security strategies at United, is there a particular threat or APT (Advanced Persistent Threat) that concerns you most? What are some of the mitigating strategies or actions you have seen United invest in to reduce this risk?

Rey: Well, like any company, cyber attacks against any big company are common and they vary in tactics, techniques, and procedures. However, my biggest concerns are those that could impact customer and employee safety. For those, there are many security controls and requirements. Our strategies align with multiple facets of cyber domains, including but not limited to those dealing with monitoring, access controls, remote and 3rd party access, segmentation, and others. 

Another important one is around asset management because we need to make sure we have the right security visibility into our environment. We can get to levels of reducing risk by knowing what we have, what or where they communicate to, and what potential vulnerabilities they could be exposed to. From there, we take action to further remediate and/or segment as required based on various risk factors. 

Keith: What regulations are coming that will impact airlines? What will those look like or what should they look like from your perspective?

Rey: The thing about standards is that there are many to work with. Two of which we are working towards, per government regulations and industry standards, are those that pertain to Operational Technology. They would be a cyber amendment from the Aircraft Operator Standard Security Program (AOSSP) and NIST SP 800-82 rev 3. Both of these standards share similar requirements and controls, but we’re ensuring we have all the right areas covered so that our OT space is risk-based protected.

Keith: Rey, as you prepare for Aviation-ISAC this November, I am sure the front and center of many conversations will be how to wrap our arms around the explosion of vulnerabilities and active exploits found in the wild. How does United measure the criticality of vulnerabilities vs the costs of continually patching, or not patching, within OT?

Rey: That’s a great question and one I’m sure many cybersecurity teams deal with. We measure the criticality vs the cost based on what we know about the environment and what we need to do. We can’t protect or reduce the risk we don’t know, so a big push is further asset identification and management. As our knowledge of inventory grows, we gain visibility about what or how these OT components function and the expected behaviors and establish a baseline. 

We assess risk and identify what is considered higher risk vs other areas, and determine the operational impact if necessary. Assets are prioritized based on higher risk, taking into account likelihood, impact, threat landscape, vulnerabilities, etc. At the same time, when our security visibility grows, we further understand what our vulnerabilities are, and what we have in place to remediate or take actions to further isolate or segment what is needed. We know we can’t patch everything, so we approach each area strategically to take action to patch if possible or invest based on gaps we can’t address right away, but with compensating controls in mind.

Thanks, Rey, for the great insights. What I am hearing is the value of knowing what you don’t know is priceless. In an environment where we need to continually defend, or in my daughter’s collegiate soccer days, it was called ‘parking the bus’, it allows you to identify and assign risk across an identified protect-surface, and therefore assign a ‘cost’ to mitigating that risk, with compensating controls, one protect-surface at a time.

Stay tuned for Leaders of Industry, Episode 2, Part 2, Reactions with United Airlines and 1898 & Co. to Russian hacking group KillNet, where we will discuss with Ali Elnaamani of 1898 & Co. the new digital attack surface found within our aviation industry and the steps to implement good cyber hygiene.

Join us in Orlando November 1-3rd where Rey, Ali, and Armis co-founder, Nadir Izrael will join me on stage to discuss Killnet, hyper-connected aviation, and the ever-expanding attack surface we are faced with protecting.

Interested in how Armis can expose your Attack-Surface?  Get a Free Trial

Want to know more about how Armis can reveal your Protect-Surface? Get a Demo 

Additional information on United Airlines can be found at www.united.com
