For years, the information security community focused
on hardening the perimeter — strong firewalls and
intrusion prevention systems on robust hardware and
dedicated appliances. We hardened our defenses at the
edge just in time to have the edge become less relevant.
Then, one day we awoke to the mobile revolution. In
what seemed like a blink, the perimeter was dead —
theoretically at least — and in each and every iDevice/
tablet box was delivered a Trojan horse of sorts: devices
that stay within the walls by day and venture into parts
unknown each evening … only to return the next day.
Users found business needs for these devices before the
technology to properly secure them existed. Heck, let’s
be honest — they found reasons to need them before they
were actually needed.

While this is both humorous and true simultaneously,
it is an important fact. In order to be successful in
articulating the problem, developing a program to
mitigate cyber threats and planning appropriately for
the eventuality that you will be a victim, you must be
a business enabler. This means tradeoffs; this means
assuming risk that you, as an information technology
professional, have been trained to avoid your entire
career. If you’re the department of “no,” then you will
never even have a chance at success. It is critical that
your customers view you as an important member of the
team, who adds value and who helps them achieve their
business goals.

If you’re tasked with ensuring the cyber security of
your organization’s assets, you must establish a forward-thinking cyber security program and work diligently to
educate and inform key decision-makers about the risks,
countermeasures, industry standards and guidelines, and
impact that compromises will have on the organization.
These impacts should include not only the low-hanging
fruit — impacts of system downtime and monetary
expenses associated with mitigating a compromise — but
also the soft costs of these events. While it’s difficult to
put a dollar amount on the negative publicity associated
with a breach or compromise, it’s fairly easy for a nontechnical person to grasp the scope and scale of how bad
that might be and just how fast it will get there … just
ask Target.

The news isn’t all bad. Cyber security is finally starting
to get some real momentum in virtually every sector, and
there are a lot of capable and competent folks working
on this issue in the aviation space. As I type, the Airport
Cooperative Research Program is in the midst of a project
to develop cyber security standards for airports. This is
one excellent example of how sharing of best practices,
as we’ve done for years in other facets of our business,
can serve as the tide to lift all boats. Whether you’re an
operator of a large Cat X airport or a smaller commercial
airport, these best practices will afford everyone an
opportunity to expand and enhance their cyber security
program or a starting point to begin the discussion within
their respective organizations.

The inclusion of this article in AAAE’s Airport
Magazine is yet another example that the cyber security
issue is gaining important traction in 2014. Hopefully, it
will be one of many articles, and we as an industry will
once again rise to the challenge to ensure the safety and
security of the critical infrastructure that we have been
entrusted to operate, support and maintain.

Thomas Domenico is director of cyber security and public safety
systems at the Massachusetts Port Authority, owner and operator of
Boston Logan International, LG Hanscom Field, Worcester Regional
Airport and the Port of Boston. He is also a principal at iSAFE Partners
LLC. With more than 20 years of experience in information technology and cyber security, he is presently vice president of the Northeast
Chapter of the Information Systems Security Association. He may be
reached at tdomenico@massport.com.