Aviation safety and cybersecurity: learning from incidents


The aviation safety industry is the study and practice of aviation risk management. It is a solid concentration of regulations, legal documents, accident investigations and aviation near misses. Above them are lessons learned and knowledge shared; reports, facts and statistics forming a cognitive super vitamin, which the aviation community uses to ensure the health and safety of its business.

The above concept is successful. People trust the aviation industry and regard it as the safest mode of transportation. Unfortunately, when it comes to cybersecurity, the community feels quite exposed and vulnerable. Unavailable stats, dark corners, and a lack of lessons learned from cyber incidents are some of the aspects clouding its reputation. Wouldn’t it be better if companies and organizations adopted the successful “how to” of the aviation security industry to increase their level of cybersecurity and community trust?

The idea behind

Recent cyberattacks have renewed interest from industry, academia, and the US government in some form of consultancy that could investigate cyber incidents. In the spring of 2021, a workshop was held on building a cyber incident investigation capability modeled after the National Transportation Safety Board (NTSB). The NTSB is considered the most robust set of aviation security programs. It acts as an independent federal agency charged by Congress to investigate aviation accidents and major transportation incidents. The NTSB investigates the causes and issues safety recommendations to prevent future disasters.

The workshop examined whether aviation security procedures can be adopted by the cybersecurity industry to improve its posture. The outcome was a report that highlighted the main results, recorded the research questions and proposed a roadmap of recommendations. The report concluded that the cybersecurity industry lacks authoritative and independent processes or investigations aimed at publishing lessons learned from cyber incidents and enabling improvements.

Policymakers in the cybersecurity industry have called for the creation of an agency that will investigate cyberattacks and incidents, identify leaks and gaps in security controls, and inform the community. From this perspective, the NTSB’s transportation security paradigm is frequently used as an analogy, as it lends body, maturity, and substance to this concept.

The “cyber NTSB” conceptual approach

The workshop brought together 70 expert minds who worked for four months on the concept of creating a “Cyber NTSB”, an idea born in 1991. The problem given to the participants was the same as in the 2014 NSF report: “A critical problem in cybersecurity is a lack of reliable and consistently reported data on security incidents. Lack of data prevents others from learning from these attacks and leads to misplaced priorities.”

The workshop was based on assumptions, all of which argue that the current cybersecurity system is insufficient and needs to be adjusted to match the performance of the aviation security industry. Participants observed that cybersecurity lacks information, knowledge and wisdom, not data, which is abundant.

Main conclusions of the workshop

First, the workshop looked at how a council can be alerted to incidents to determine if they merit investigation. Unlike plane crashes, cyber incidents are not kinetic, and they are shrouded in secrecy because companies fear liability and damage to brand reputation, which makes discovery difficult. The conclusions of the workshop were as follows:

  • The Council can make effective use of existing reporting mechanisms by bridging the gaps between them.
  • Cybersecurity and IT lack incentives for voluntary reporting, although it is made clear that information sharing does not violate antitrust laws.
  • Board awareness can be enhanced by individual reporting, even though this may be seen as a corporate weakness and low investment in security.

Given an adequate reporting system, the following question arose: which incidents require an investigation? The workshop emphasized that there should be quantitative and qualitative criteria that will trigger the inquiry procedure. Furthermore, it would be extremely useful if the Committee could investigate not only incidents but also trends: tracking the cybersecurity ecosystem, identifying common failures and trends in attack patterns, and associating best practices for defending against those trends.

Next, the steps for a successful investigation were discussed. How should investigations be carried out, what exactly should be investigated and what techniques should be used? The Council concluded that:

  • Fact-finding should be a collaborative process; analysis should be independent. As is the case in air incidents, many parties provide expertise related to the investigation, but they are excluded from the analysis and do not contribute to the final report.
  • Slow and careful investigations give value to the effort. Probing and detailed questions help build knowledge about the incident. Deficiencies in affected products, tools and controls are significant and should be investigated.
  • The independence of the NTSB allows the Board to assess regulators and regulations.

The publication of reports of incidents and “near misses” is essential. The workshop concluded that in the absence of reliable data, records and history of cyber incidents that can be used to develop policies and response plans based on what happened, the defender community often struggles with cases that it does not fully understand.

Finally, the reporting system should use stories and figures, as this will enhance the concept of “learning and sharing”, but should share knowledge in a meaningful way. There may be sensitive data, such as “last words from pilots to families”, which should be released with discretion.

The next steps

If security were a fashion show, there is no doubt that aviation security would be the flagship model; delicate but robust, where the maturity of time would add more charm to it. The challenge is whether cybersecurity can walk brilliantly on the same tracks as aviation security. The workshop proved that this is feasible if all parties cooperate to integrate knowledge at the highest level of security possible.

To this end, the workshop summarizes several research questions regarding the adaptation of aviation lesson learning systems, and key findings for further investigation. Finally, it offers a series of recommendations for the Cyber Safety Review Board (CSRB) and Congress to move the “Cyber NTSB” concept into reality; an entity that can learn from its mistakes and its successes, by generously sharing its knowledge.

About the Author: Christos Flessas is a communications and information systems engineer with over 30 years of experience as an officer in the Hellenic Air Force (HAF). He is a NATO Accredited Tactical Evaluator in the area of Communication and Information Systems (CIS) and the National Representative (NatRep) to the CIS Signal Intelligence and Navigational Warfare Task Forces (NavWar). Christos holds an MSc in Guided Weapons Systems from Cranfield University, UK. He has also taken many online courses such as the Palo Alto Networks Academy Cybersecurity Foundation course. His experience covers a wide range of assignments, including radar maintenance engineer, airborne radar software developer, IT systems manager and project manager implementing major armament contracts.

Christos is intrigued by new challenges, open-minded and enthusiastic about exploring the impact of cybersecurity on the industrial, critical infrastructure, telecommunications, finance, aviation and maritime sectors.

Editor’s note: The views expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.

