As a forensic chemist dealing in explosives and crime scene investigation, Boeing’s Faye Francy spent the first half of her career analyzing the ugly aftermath of malicious attacks on aviation. Now, in a parallel role as executive director of the recently formed Aviation Information Sharing and Analysis Center (A-ISAC), she’s making it her goal in the second half to stop, or at very least mitigate the impact cyber attacks on industry stakeholders.
“I thought it would be nice to get on the other side and help prevent some of these things from happening,” Francy told RGN. “So I did a lot of research and development, where I learned about networks and the impact they were having. I recognized the tsunami was coming a few years ago and that it was really going to be critical for us to secure our networks from air-to-ground, on the ground and on board the aircraft.”
Francy spoke this week at the SITA Air Transport IT Summit in Barcelona (attended by nearly 500 delegates from around the world, including RGN, which was a guest of SITA) and was part of conversation around protecting extremely attractive and data-rich digital networks operated by airlines, airports and adjacent businesses. After all, a cyber attack can be a pre-cursor to physical attack.
“As we look at our aviation ecosystem, it is a very large system of systems, owned by multiple disparate stakeholders, all of whom have different and varied needs,” she told conference delegates during session on the threat of cyber attacks. “Data is king. And as data becomes king and as that interconnectedness happens across the globe, we are learning that maybe some of that interconnectedness may in fact be opening unfortunate access points.”
Relentless attacks on our industry illustrate all too clearly that it has never been more critical to invest time, resources and money into prevention and response. At the core of this process, agree many, is communication and the collective sharing of information. This, however, is more easily said than done, as businesses in aviation rely largely on trust – both that of the traveling public and corporate partners – for success. Many would prefer to keep a security breach to themselves, than share details about it and risk being exposed as the weakest link.
“The number one challenge is the issue of it being found out in the press that there has been an attack on the company, which could impact company profits and company viability. There are regulatory aspects as well, and even potential fines, depending on where you operate, that could impact your business. There is a justified fear that perhaps customers would not want to use your service if you have, in fact, been attacked,” Francy explains.
That’s why, back in 2012 and with the support of The Boeing Company, she began to set up the Aviation ISAC; a member-driven platform comprised of IT experts, analysts and leaders from across the industry. The A-ISAC facilitates the sharing of timely and actionable information pertaining to security threats, vulnerabilities, incidents and protective measures and practices – anonymously if participants so choose.
“Clearly the idea is that if you get together and develop a mechanism by which folks can share real-time threat intelligence, this will help all of us help each other,” she says.
It’s been a long while incubating, but now a secure online portal has been established to enable immediate reporting of threat data. A-ISAC members also benefit from weekly intelligence summaries, detailed reports, threat conference calls, a member contact directory, regional workshops, training and response and recovery coordination, among other services.
“They send us a daily email blast with a summary of everything that happened that day, plus we get targeted blasts if there is information specific to us,” says Dave Ockwell-Jenner, senior manager of SITA’s Security Threat & Operational Risk Management (STORM) division. “And our analysts can also log onto the portal any time and access the intelligence on there.”
With 22 members, the A-ISAC is still small in comparison to those created by other sensitive industries, such as the financial sector. Francy would like to see membership grow and a true drive is now on to expand the group. The A-ISAC is off to a great start and it’s a desperately important piece of the aviation safety puzzle, but of course it has it’s limitations.
Member enrollment requirements for the A-ISAC include identifying a “primary contact and analyst” and payment of the applicable annual fee; resources that cash-strapped airports, for example (as pointed out by Dominic Nessi, former CIO of Los Angeles World Airports, in the same security session), simply may not have at their disposal.
Footnote: Necmiye Genc, a young member of the SITA’s STORM team recently presented a Google-sponsored event, where she discusses women in the cyber-security field. The video of her presentation, “Why do women love chasing down bad guys?”, can be viewed below.