Author: Chris Cronin, ISO 27001 Auditor
Too often in information security we focus on the confidentiality of personal information, ignoring the damage that can result from failures in integrity and availability. In fact, this is the main driver of much of our information security spending in the U.S. But the proper function of information and communications can create huge impacts not only to business, but to the public if the integrity or availability of systems is compromised.
When both O’Hare and Midway airports were shut down last week, air travelers in the U.S., especially those whose travel plans included Chicago, learned a valuable lesson in information risk assessment. As one traveler summarized to a news reporter, “One man, one fire, all of this chaos. It goes to show the system needs a little work.”
Early on the morning of Friday, September 26th, a contract employee of an FAA radar facility lit ablaze the facility’s data center and severed communications lines. The attack debilitated the FAA’s radar capabilities for nearby O’Hare and Midway airports, grounding all flights at both locations. This just days after the FAA announced that O’Hare supported the most flights of any airport in the world. The resulting chaos was felt around the world and experts predict it will take weeks to fully recover.
The FAA is starting its investigation of the incident; as part of the analysis, it should look at how risk was identified and managed at the facility. As professionals who face information security issues as part of our daily work, we need to take a lesson in terms of estimating information risk impacts.
Deconstructing the Risks
Assuming that an appropriate information risk assessment was conducted prior to the incident, we would expect to see the following local risks to the facility:
- Lack of fire-resistance in the data center
- Lack of procedures for managing disgruntled personnel (bad actor)
- Unprotected cabling (the bad actor cut specific communications lines as part of his attack on the facility)
- Insufficient control of entryways (the bad actor wheeled in a suitcase full of the materials he would use to attack the facility)
- Insufficient continuity planning
Evaluating the Potential Impacts
We would also expect to see an impact analysis that considered more than the impact to the facility and its operations; namely, potential impacts to the rest of the world. Recalling that O’Hare is among the busiest airports in the world:
- Did the risk assessment call out that the FAA’s capabilities could be so badly debilitated by the loss of this one facility?
- Did they consider that disruption to the agency would have widespread interference with all air traffic in the global region for a day or more?
- What of people who depend on flights for medical emergencies, like organ transplant recipients?
The FAA may well have determined that a day of traveler chaos, and the impact to travelers and others who depend on air traffic was an appropriate risk, given the costs associated with operating redundant or more resilient facilities, but they’d better do a great job demonstrating that point now.
While working with organizations in many fields and industries, HALOCK has seen many risk assessments that consider impacts purely in terms of consequences to the organization, and not to the individuals who depend on those organizations to secure information and systems. This is a failure in understanding the purpose of risk management. And the fallout can be bad when the public learns how little the organization thought of them.
So take a lesson from the FAA. Ensure that your risk analysis includes an evaluation of your mission and objectives, but also of your obligations to others. This is a good idea not only for appropriate responsibility and accountability, but it could go a long way to maintaining a worthy reputation when security incidents do occur.
If you liked this post, you might also like “Common Hazards in Risk Management: The Selfish Risk Assessment.”