Boeing Beefs Up Its Supply Chain Security

The need for airlines to adopt a solid information security framework is also clear, observe senior analysts at Boeing. They say cyber attacks are increasing in number and sophistication, while software vulnerabilities expose intellectual property to unauthorized users. Furthermore, insider threats to IT infrastructure and proprietary information are increasing.

“Effective information security risk management requires a framework and methodology that can adjust to this dynamic security threat environment,” says Stephen Whitlock, Boeing's Chief Information Security Strategist.
“An airline information security framework should ensure that managing information system-related security risks is consistent with the organization's mission, business objectives, and overall risk strategy established by the airline's senior leadership,” he says.

Information security requirements — including necessary security controls — should also be integrated into the airline's enterprise architecture and system development lifecycle processes.

“The ideal airline information security framework addresses airplanes in flight, ground operations, and threat management. It consists of three major functions: prevention, detection, and response,” says Whitlock.

As the connectivity of aviation services continues to increase, so does the potential for security vulnerabilities. Information security threats to commercial aviation present some unique challenges.

For example, threats can manifest themselves as internal security deficiencies or attacks from external sources, such as the supply chain and network connections within the industry.

The existing in-service fleet of airplanes contains computerized systems, software parts, software control of devices, and off-board communication capabilities that all require an effective security solution.

Faye Francy, a security expert from Boeing's Aviation Information Sharing and Analysis Center (AISAC), says some “advanced persistent threats” are able to hack many systems for six to nine months before any IT expert could detect a problem. And by then it's far too late.

“We want to move cybersecurity away from being just an afterthought,” she says. By taking webinars and other courses on real-time threat intelligence, many air cargo operations can eliminate some risks just by understanding their vulnerabilities. “Situational awareness is quite powerful,” she adds.

An even better course of action is to gain “collective awareness” by banding together with other companies – even with competitors – and setting up information-sharing committees, Francy says. For those concerned about sharing sensitive data, she says it's possible to “anonymize” the data and either share with private-sector partners or give it to the government to disseminate.

SC
MR