Podcast: Cyber Threats on Aviation - Know The Vulnerabilities

Understand the internal and external cybersecurity threats to aviation companies—as well as the weakest links. Nirav Shah, Republic Airways’ VP information technology, and John Janachowski, AAR’s chief information security officer and VP IT security, talk with Aviation Week’s Lee Ann Shay about these very real concerns.

Don't miss a single episode. Subscribe to Aviation Week's MRO podcast in iTunes.

Rush Transcript.

Lee Ann Shay:            Welcome to Aviation Week's MRO podcast. I'm Lee Ann Shay, Executive Editor, MRO and Business Aviation for the group. And today we're going to be talking about cyber security in a post COVID 19 world. Protecting critical data across the aviation supply chain is a responsibility of epic proportions. And cyber vulnerabilities, in any link in the chain, exposes the entire ecosystem to security threats. This session will cover what you need to know to protect your company from constantly evolving cybersecurity threats. Joining me today are Nirav Shah, who is Republic Airways VP of Information Technology and John Janachowski, AAR's Chief Information Security Officer, and VP IT Security. Welcome Nirav and John.

Nirav Shah:                 Hey, thank you very much, Lee Ann. Thank you for having me on the show.

John Janachowski:     And I would second that. Thank you, Lee Ann and happy to be here.

Lee Ann Shay:            Thank you, gentlemen. So let's start out with, of all the types of threats, including ransomware, what are you most concerned about?

Nirav Shah:                 I think one of the answers that I was going to give to this question Lee Ann, was already in the question, which is ransomware and malware. So I thought about, cybersecurity is a very interesting paradigm and how about we focus on the top three, that at least we are seeing currently from the Republic Airways perspective. The first one on our mind is obviously ransomware malware. We have seen... I've read articles around 360% increase in ransomware related attacks in 2020 over the previous year. And it's definitely number one for us, specifically when it comes around the operational impact it could have for an airline of Republic's size.

                                   The second one on our list is around credential theft. What we have seen is an increased attempt in phishing and social engineering attempts in the last year, specifically post COVID. In fact, 80% of the security incident worldwide have actually started from either credential theft, which is through a phishing attempt or a social engineering attempt. So it continues to stay in our top three and then denial of service used to be on the top three, it's now moved to four for us.

                                   What has entered the third is something really unique that we have seen in the recent few months and that's what we call is a third-party risk where the sophisticated attackers exploit our vulnerability in a software product, and then using the trust that we have on this software that we're using in our ecosystem, to access our networks or our resources or our data. So an example is a recent hack around SolarWinds or FireEyes where the vulnerability existed inside a product which was in our ecosystem, which we trust because it's part of our ecosystem and then they used the product to gain access. So those would be probably the top three for us, ransomware, credential stuffing, and then a third-party risk that we are recently seeing.

Lee Ann Shay:            Thanks Nirav. John, what do you think about that?

John Janachowski:     So, I echo a lot of what Nirav says as well, and we see similar statistics but I would also add as one of my top concern is the nation-state threat. While we can't ignore the independent mal actor that is opportunistically looking for a payday through phishing campaigns or ransomware attacks or other threat factors, the nation-state attack in that particular threat is on the rise, especially since nation-states have almost unlimited resources at their disposal. So what we've taken to do is start leveraging the MITRE attack framework. The matrix is a comprehensive list of tactics and techniques and procedures used for our threat hunts and defenders to classify attacks mounted by advanced persistent threat groups.

                                   And essentially the purpose is to improve a post-compromised detection of our adversaries and better understand the actions and the TTP's, the tactics, techniques and procedures that attackers may take. How they get in, how they are moving around, if they are, and using that as a framework to identify holes and defenses and prioritize mitigations based on risk. That's just one aspect of DCO or Defensive Cyber Operations, but at minimum, organizations should have a comprehensive vulnerability management program and risk remediation based on CVSS or common vulnerability scoring system. And it's the old adage of scan, patch, scan. And while that seems rather pedestrian, it is one of the best defenses that you can mount against some of these threats.

Lee Ann Shay:            Certainly a lot to think about. Nirav, how do you protect customer data, so there are no breaches?

Nirav Shah:                 Yeah, great question. So the good news for us is, we are a regional airline, so we fly on behalf of three of the main line airlines here in North America. And we don't have a lot of customer and individual passenger information that we have, or we get into our system. So, that's the good news. The good news is we don't have too many PI information for our customer. However, we do have information around our main line partners, as well as our own employees and their PI information. So we absolutely have to protect the data. We use a layered approach. John touched on this a little bit, but we do follow a framework like a CIS or a NIST. Over the last few years have absolutely matured a lot of our basic cybersecurity principles and tool sets around email, web filtering, endpoint protection.

                                   So in our case, our pilots and flight attendants, they all are carrying around iPads and iPhones. So we do as much as we can to protect the vulnerabilities at the endpoint level, before it even makes it into our network. We have advanced identity and access management, where we monitor behaviors and credential behaviors and if anything is out of the ordinary, then the right alarms are raised. We have an active 24/7 security incident management. And then, I think John touched on it very much, scan, patch, scan, which is a very advanced vulnerability management program is what we have. We make sure that none of our system are running on an outdated piece of software or is not patched in a timely fashion.

                                   And then last but not the least, which is very trivial, but I believe it's the most important and that's continuous user training and knowledge transfer. It is absolutely critical in current workforce where we are arming our entire employment base with as much information and as much training as we can. Not only that it helps them to protect Republic Airways, but it also helps them protect their own personal life and personal finances. So we take that very seriously. So it's a very, very comprehensive approach. One size does not fit all. I know many companies have different approaches, but that is our goal, is to protect our customer, which is the three main line partners and our employee information.

Lee Ann Shay:            Excellent. Given the ever-changing nature of cybersecurity, what's essential to protecting your business?

John Janachowski:     So Lee Anne for me, it's actionable threat intelligence. As I mentioned previously, conducting threat hunts based on threat Intel or recognizing threat patterns that are related to it and then taking decisive remedial action as quickly as possible. While organizations are accelerating their digital transformation initiatives, security teams are facing an ever-growing attack surface.

                                   One of the best countermeasures that I know of to a growing attack surface is having a functional security operations center or a SOC is as we call it. And continuing to improve over time with artificial intelligence and machine learning based on automation of a lot of these activities. But actionable threat intelligence allows us to better know where we have soft spots, quoting Sun Tzu, "Know yourself, know your adversary." This is as true today in cyber defense, than at any other time in our history.

Nirav Shah:                 And from our end, I think very similar to what John already said, I think actionable threat intelligence is very important. I always say this is a never-ending chess game and our goal is to stay two steps ahead of our adversaries. And the unfortunate part here is they only have to be lucky once. So for us, AI and ML will play a big role for us to keep up in this game. It is absolutely critical for us to go into more of an AI and ML based threat intelligence.

                                   One thing that is little bit different that we have been doing and I think John's also working on this, is being part of a local community called aviation AIESEC, which is an aviation information sharing group. It's a very active community with lots of different aviation folks all around the world. And it's an active group that shares any kind of cyber activity, any kind of intelligence very openly with the peer group. And it allows us to be more prepared, not only for things we see here in North America, but anywhere in the world. So we are an active partner of the group and we get a lot of valuable insight and valuable intelligence from there.

Lee Ann Shay:            Sounds good. Aviation is such a connected industry. So how do you manage suppliers, partners and vendors from a cybersecurity standpoint?

John Janachowski:     So we have to think that the US and US organizations are in a cyber war. Once we make that assumption, then we can take some action based on that. So military leaders have always known that the two keys to warfare are protecting communications and supply lines. If we've learned anything from the 2013 target breach, it's that the supply chain is the 21st century equivalent and must be protected. That starts with knowing your partners and actively and routinely vetting and revetting them. This is a routine part of our security operations. I call them conducting security assessments. The great thing about them is they are really cost-effective.

                                   They don't really cost anything other than the time it takes to do that. And at the same time, you're continuing to build deeper and better relationships with your partners and suppliers. A security assessment consists of requesting or obtaining really a package of information from them that includes completion of a standard security questionnaire. There are many examples out there to get one started if they don't currently do this, but it's really an easy tool to deploy. Details on the nature of the partnership. Are you sharing information? Are you integrating in any way? Are they providing a solution? And then what does that look like? Taking a look at some of their reporting obligations, like SOC one, SOC two type two reports, at least a SOC two at minimum, for security related investigations.

                                   Any attestations of compliance. If they say they're NIST compliant or CMMC or ISO or PCI, whatever the case may be and validating that their attestations are current. Vulnerability management, I think is a foundation to any good security program, but what is important is not just having a vulnerability management program, but also the patching side of that has to be fully implemented. And it has to be in accordance with priorities and criticality of patches, as we've seen with the recent Hafnia threat. In addition to that, recent penetration tests, they should be less than about 90 days old by a recognizable third party with a verifiable pedigree.

                                   And then also incident response and disaster recovery plan exercises, or the results of that. Very important to know that they have an incident response capability in place. And then that they can maintain availability if an event were to occur. And then finally, what we've started including in a lot of our legal boiler plate is an addendum for standard contractual security obligations that we share. So, it's a combination of all these things that goes into the vetting process. And then we rank and score them, based on that. And there may be some remediation that a partner or supplier has to undertake, but ultimately we get to stasis and then we can take that partnership to the next level.

Nirav Shah:                 From our perspective Lee Ann, it is very similar to what John has shared. He was actually very comprehensive in his answer. So I agree with most of the things he said. Anytime we are looking at a partner, whether it's through a technology acquisition or a business acquisition, we are looking into, even during the contractual phase, we're looking into their SOC certification, their compliance certification, things like that. And then on an ongoing basis, we continue reviewing those with a lot of amendments, things like. We believe it's a much larger ecosystem and we all can get better together. So we openly share our penetration testing results. We openly share our security assessments with them as well and then vice versa, a lot.

                                   One thing we have started recently specifically after the recent SolarWind FireEye incident, which was almost a zero trust integration. So anytime we bring on a partner on board, irrespective of the previous days where we would bring them into our ecosystem with lot of integrations and then turn things down that we don't believe we need. What we now do is we go in with zero trust and only turn things on that we believe we need absolutely for the integration between the software or between the business logic. So, that's has helped us a lot, but otherwise I think John covered most of it that I was going to plan to talk about. So thank you.

Lee Ann Shay:            Thank you, both. So it sounds like security needs to be treated just like a certification accreditation audit. Things that the aviation industry is very used to.

John Janachowski:     Very much so, that's a good model.

Nirav Shah:                 Yes, cannot agree more.

Lee Ann Shay:            Very good. John, given that MRO's including AR are using more digital tools, especially since the pandemic started, digital tools, processes, records and work cards. This must add another challenge to your cybersecurity plan.

John Janachowski:     It absolutely does Lee Ann and essentially digital transformation is a tremendous opportunity for us to realize benefits that are bound with any transformation activity. But cyber security is really only one facet of it. Compliance is also important, and that includes NIST, as I've said, SOC's and using IT general controls and ITX's controls for compliance is just good security hygiene. But beyond that, streamlining manual processes and moving to the paperless MRO and other modernization activities promise great benefit and rapid ROI realization.

                                   A good example is using drones for aircraft inspection and the labor saving benefits it delivers. But at the same time, it introduces new potential threats as drones are IOT devices replete with the promise and security challenges that IOT devices generally have. There are many others as well. Knowing the details is key to how these devices are manufactured, who their suppliers are down at the component or chip set level. A good example of that is the National Defense Administration... The NDAA and the moratorium on certain suppliers. The configuration is obviously really important as well.

                                   These two need to be tested just beyond functional testing. So in short it opens a lot of different opportunity for us, but it also increases our attack surface as well. And knowing that there's no free lunch, there's an opportunity cost to this, is important because now it means that while we're deriving new benefit and new opportunity from these initiatives, it means that we need to make sure that they're secure and that they could be used in a manner to which we can achieve those benefits.

Lee Ann Shay:            Absolutely. Well, gentlemen, any final observations or tips?

Nirav Shah:                Yeah, I think as we discussed a lot today Lee Ann, I think it's very critical that we all understand that this is definitely a chess game. The attackers have to be lucky once and for us, the best protection is training and educating our workforce as much as we can. Knowledge sharing with our partners and our ecosystem. We have the right tools in place and the right processes and right practices. And the key is a lot of the conversation we have had today has been around how to protect. I always say, "It's not about if we will get compromised, it's when we will get compromised."

                                   And it's important that we start preparing for our day two as well. And a lot of time we will be judged on what we do on day two after the compromise. And it's equally critical that we spend enough time and resources not only to protect, but also, doing different tabletop exercises, security incident work group, things like that, that we know will be very handy when the day two happens and when we do have a compromise, so we are ready for that day as well. So, that would be my parting advice to the group.

Lee Ann Shay:            Good point.

John Janachowski:     So I would add to that as well, Lee Ann, everything that Nirav said is absolutely true and its good advice. But when we talk about security threats, we sometimes presume they are more externally derived than internal. You have to assume that you've already been compromised and take appropriate action and implement safeguards and countermeasures and then perform those threat hunts to determine whether or not there are patterns that indicate data exfiltration or abuse of resources or external threats. But by not ignoring the internal threat, that is an important aspect.

                                   Internal threats could be something as simple as a human error or a mistake, accidental data leakage or an exposure. It could be intentional, it could be malicious, or it could be an accident through a phishing attack in a click on a link within a phishing email. So the majority of successful breaches, as Nirav mentioned earlier, start with a successful phishing campaign and all non-malicious insider threats can at least be partially mitigated through security awareness training, which is another thing that Nirav mentioned. That is a must. The human remains the weakest link.

                                    Also, having an effective cybersecurity plan will address the three main benefits or core tenants of cybersecurity and that's confidentiality, integrity and availability. And that requires process and controls in place. Administrative controls that define the guardrails and provide the legislative action of what is acceptable behavior. And then the technical controls, whether they be preventative, detective or corrective, that help enforce that. So when putting together a cybersecurity plan, it's important to keep those aspects in mind in making sure that nothing is left to chance.

Lee Ann Shay:            Well, gentlemen, thank you so much for all this information. It definitely seems like cybersecurity is a team sport, one that we all in the industry need to be aware of and doing what we need to do. So thank you Nirav and John so much, really appreciate it. And listeners, if you have any comments, please feel free to contact me at [email protected] and you can subscribe and download Aviation Week's MRO podcast on iTunes. Thank you so much for listening and joining us.

John Janachowski:     Thank you for having us.

Nirav Shah:                 Thank you.

Lee Ann Shay

As executive editor of MRO and business aviation, Lee Ann Shay directs Aviation Week's coverage of maintenance, repair and overhaul (MRO), including Inside MRO, and business aviation, including BCA.