October 31, 2018
Exploring cyber security risks with Tom Bornais
October 2018 marks the 15th anniversary of National Cyber Security Awareness Month, an initiative to raise awareness about the importance of cyber security. Cyber security is becoming a larger area of focus for every industry around the world and the need for the aviation industry to increase its resilience online is also becoming more critical. As we get deeper into the discussion about the risk of cyber attacks on the aviation industry, it’s clear that collaboration between NAV CANADA, airports, airlines and other stakeholders will do a great deal to be better prepared to face issues and challenges head-on.
Our colleague Tom Bornais, Director of the Enterprise Technology Security Office, offers us some insight into the cyber security landscape of the aviation industry and explains what NAV CANADA is doing to strengthen organizational resilience against threats.
What is your role at NAV CANADA, Tom?
Working closely with all departments, and most notably Engineering, my role is to provide leadership and guidance to manage the many cyber security risks an organisation such as ours may, or does face. By no means do I accomplish this on my own, I’ve got fantastic leadership above me, a highly collaborative team and peers, and tons of support from the rest of the organization. In addition to focusing on cyber security technology and controls, our program is much more than that, driving an enterprise, risk based approach that is business context sensitive.
How serious is the issue of cyber threats to the aviation industry?
Between ANSPs (air navigation service providers), manufacturers and carriers, we all have a part to play with respect to cyber security. Safety of course is the number one concern, but when dealing with cyber risk we also need to worry about things such as reputational harm, business continuity and resilience, sensitive corporate data and private, personal information we all may store.
Most organisations today realise that cyber threats continue to increase in number, sophistication and impact. While defense capabilities remain important, it is critical for us to be as best prepared as possible for a breach.
In your view, why would someone try to hack an ANSP?
Good question. Unfortunately, we are a target for a few good reasons. All organisations similar in size to ours would be an interesting target for the usual suspects; organised crime trying to exploit us financially, hacktivists looking to use us to promote their cause, hackers simply wanting to make a name for themselves, state run espionage for the purposes of stealing intellectual property, as well as all those opportunists out there just looking to get lucky. All these being the most likely scenarios if should we become a victim.
However, to answer your question on why an ANSP specifically, well I would say because we’re considered critical infrastructure delivering a critical service. The successful disruption of services from a cyber event, either on the business or operational side, could have far reaching consequences depending on the extent of the issue.
A global, real time threat map populated by data gathered from Kapersky Labs and their security network.
Collaboration, especially with industry partners, appears to be an effective defence tactic against cyber threats. Can you elaborate on that?
Sure. Annually, NAV CANADA sponsors a cyber summit, inviting many other stakeholders from the aviation industry. Each year attendee numbers seem to grow exponentially. This tells me that the concept of stronger together (last year’s summit theme) rings true for all those involved. We all are dealing with cyber incidents on a regular basis in many ways, why not learn from each other? Sharing information and intelligence is an important concept in ensuring none of us become the next successful target.
Our CIO Claudio Silvestri as been instrumental in getting some key cyber partnerships established over the last few years. Cyber collaboration has hit an all-time high with other major airports, carriers, and certain ANSPs, focusing on issues that are unique to the aviation sector. It is clear we are all benefiting as a result.
While we are talking about collaboration, I should mention that we actively participate with government organisations such and the Canadian Cyber Incident Response Centre, and subscribe to multiple threat exchange services.
Outside of sharing information with our partners, what else is NAV CANADA doing to enhance our cyber security?
Awareness and training, third party assessments, continuous risk management, and a strong tie to protecting employees at work and at home all come to mind. At the heart of the program however, is the Security Operations Centre, where a constant stream of security information and logs feed into a system called Security Information and Event Management. Think of it as a monitoring and alerting ecosystem, exploiting the promise of artificial intelligence and machine learning capabilities. This system correlates a large amount of continuously growing data to help our security analysts focus on the right events and identify anomalies requiring our attention.
Like when there’s unusual activity on my credit card and I get a call from my credit card company?
Machine learning and artificial intelligence helps, but it’s still in it’s infancy in the cyber defense realm. Our cyber security initiatives also include threat risk assessments which include penetration testing and social engineering testing. Employees are often the best defense against cyber threats, so it’s equally important to be proactive in educating our people about cyber security protocols and policies. We try to ensure that everyone is informed and prepared, and that our approach to preventing and reacting to threats is embedded it into the fabric of our business.
One thing we hear often is that cyber attacks are so frequent that it’s no longer a question of if they will happen, it’s a question of when. Is that right?
That’s true. Practicing responding to events, such as running table top exercises in order to get ready for the inevitable is key to a quick recovery. Detection and remediation as soon as possible is the goal. We need to bounce back quickly from that next future attack.
Many organisations are on a journey of culture change with respect to cyber security. For us, we have a well established culture of “safety first”; one of my main goals is to attain a similar level with respect to cyber.