The aviation safety sector is the study and practice of managing aviation risks. It is a solid concentration of regulations, legal documents, investigations of accidents and near-miss aviation incidents. On top of them lie lessons learned and shared knowledge; reports, facts and stats forming a cognitive super vitamin, that the aviation community uses to keep their business healthy and safe.
The above concept is successful. People trust the aviation sector and consider it the safest transportation. Sadly, when it comes to cybersecurity the community feels quite exposed and vulnerable. Stats that are not available, dark corners, and a lack of lessons learned from cyber incidents are some of the aspects that blur its reputation. Wouldn’t it be better if businesses and organizations adopt the successful “how-to” of the aviation safety sector to increase their cybersecurity level and the confidence of the community?
The idea behind
The recent cyber attacks renewed the interest of the industry, academia, and the US government in a form of a Board that could investigate cyber incidents. In the spring of 2021, a workshop was organized on creating a cyber incident investigative capacity modeled on the National Transportation Safety Board (NTSB). The NTSB is considered the most robust set of aviation safety programs. It acts as an independent Federal agency charged by Congress with investigating aviation accidents and major transportation incidents. NTSB investigates the causes and issues safety recommendations to prevent future disasters.
The workshop examined the feasibility of whether aviation safety procedures can be adopted by the cybersecurity sector to improve its posture. The output was a report where key findings were highlighted, research questions were recorded and a road map of recommendations was proposed. The report concluded that the cybersecurity industry does not have processes or authoritative and independent investigations whose focus is publishing lessons learned from cyber incidents and enabling improvements.
Policymakers in the cybersecurity industry have urged for an agency that will investigate cyber attacks and incidents, identify leaks and gaps in security controls and inform the community. From that perspective, the NTSB transportation safety paradigm is used frequently as an analogy, since it provides body, maturity, and substance to that concept.
The “cyber NTSB” conceptual approach
The workshop involved 70 expert minds who worked over four months on the concept of creating a “Cyber NTSB”, an idea born back in 1991. The problem handed over to the participants was the same as in the NSF 2014 Report: “A critical problem in cyber security is a lack of reliable, consistently reported data about security incidents. The lack of data makes it difficult for others to learn from these attacks, and is leading to misplaced priorities”.
The workshop was predicated on assumptions, all of which hold that the present cybersecurity safety system is insufficient and should be adjusted to match what the aviation safety industry performs. What the participants observed was that cybersecurity lacks information, knowledge and wisdom, not data; these are abundant.
Key findings of the workshop
At first, the workshop examined how a Board can be alerted about incidents to determine whether they merit investigation. Unlike in aviation, cyber incidents are not kinetic like air crashes and are wrapped with secrecy, as companies fear liability and damaged brand reputation, making their discovery difficult. The workshop’s findings were that:
- The Board can use existing reporting mechanisms effectively by filling the gaps between them.
- Cybersecurity and IT lack incentives for voluntary reporting, although it is clarified that information sharing does not violate antitrust laws.
- The awareness of the Board can be enhanced by individual reporting, although it may be considered as a company’s weakness and low investment in security.
Having an adequate reporting system present, the next question arose: which incidents require investigation? The workshop highlighted that there should be quantitative and qualitative criteria that will trigger the investigation procedure. Furthermore, it would be extremely useful if the Board could investigate not only incidents but trends as well. If it could track the cybersecurity ecosystem, identify common failures and trends in attack patterns, and associate best defense practices against these trends.
Next, the steps for a successful investigation were examined. How should investigations run, what exactly should be investigated, and what techniques should be used? The Board concluded that:
- Fact-finding should be a collaborative process; the analysis independent. As happens in aviation incidents, a lot of parties provide expertise related to the investigation, but they are excluded from the analysis and don’t contribute to the final report.
- Slow and careful investigations give value to the effort. Deep and detailed questions help knowledge gaining for the incident. Failures of the involved products, tools, and controls are significant and need to be looked at.
- The independence of the NTSB allows the Board to evaluate regulators and regulations.
Publishing reports of incidents and “near-miss incidents” is paramount. The workshop concluded that since there are no reliable data, records, and history of cyber incidents that can be used to build policies and response plans based on what has happened, the defender community often fights cases they don’t completely understand.
Finally, the reporting system should use narratives and numbers, as this will improve the “learning and sharing” concept, but should share knowledge wisely. There might be sensitive data, like “pilots’ last words to families”, that need to be disseminated with discretion.
The next steps
If safety was a fashion show, no doubt that aviation safety would be the top model; delicate but sturdy, where the maturity of time would add more charm to her. The challenge is whether cybersecurity can walk shiny on the same runways as aviation safety. The workshop proved that this is feasible if all parts cooperate to integrate knowledge to the highest possible security level.
To that end, the workshop sums up several research questions around adapting lesson learning systems from aviation, and key findings for further investigation. Finally, it suggests a series of recommendations for the Cyber Safety Review Board (CSRB) and Congress to evolve “Cyber NTSB” concept into reality; an entity that can learn from mistakes and successes, sharing knowledge generously.
Christos is intrigued by new challenges, open minded, and excited for exploring the impact of cybersecurity on industrial, critical infrastructure, telecommunications, financial, aviation, and maritime sectors.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.