Twice this week the WSJ has published articles related to the FAA, and cybersecurity in the aviation industry. Although there are yet no documented cases of cyber terrorists bringing down an aircraft, one does have to wonder what the flying public may not know in light of the recent Egypt Air crash which has yet to be explained.
SImilar to how the electrical grid and utilities, once air-gapped systems, are now inter-connected to the Internet, aircraft are also becoming increasingly connected to ground systems and satellites exposing them to cyber threats. It is encouraging to see that the FAA is taking the threat seriously and taking steps to produce recommendations for improving the security of aircraft.
What impresses me the most are two key points:
- The effort is predicated on the assumption that someone will eventually break in to the connected systems.
- The emphasis is being placed on detecting, isolating, and maintaining core safety systems and functions.
These key points are excellent takeaways for any business or even individuals for that matter.
Too often, when speaking with small business owners, I often hear “it won’t happen to me.” To be fair, businesses are bombarded by a security industry and sales teams who often sell by fear and hype. In some ways. I can’t blame them for tuning out the chatter, particularly if they never have suffered a breach; yet. Instead of arguing, I prefer to take the approach of accepting their view and asking the question: “If it did happen, how would you know? What would you do?”
The world is connected and there is no turning back. While the security of systems will eventually be improved, we must accept the reality that all of us are vulnerable and can be hacked while we are connected. Resiliency is the objective we should strive for.
In his book, “Team of Teams,” General Stanley McChrystal speaks of the differences between complicated systems and complex systems. Greatly oversimplified, complicated systems can be broken down to a set of rules and defined steps. Complex systems on the other hand cannot as the number of variables is nearly infinite. Our inter-connected world is a complex system.
When prevention fails, as it sometimes will, early detection and isolation are key while maintaining resiliency. Achieving resiliency cannot be broken down into a finite set of rules as the inter-connectivity has become complex.
What is meant by resiliency? In the business context as it relates to cybersecurity, I would break it down into three things:
- Quickly detect and identify the breach
- Isolate the intrusion preventing further harm
- Ability to maintain safety and continuity of operations during the breach
Along with the questions asked earlier, (How would you know and what would you do?) We can add a third one: Is your business resilient?