Airports must ensure the safety and security of passengers and employees as well as the continuous operation of their critical infrastructure. Cybersecurity incidents and cyber risk pose significant challenges to that goal. In 2019 alone, over 20 municipal governments and a number of major airports in the US have been hit with cyber attacks. These incidents disrupt services and have the potential to put lives at risk.
It is vitally important that airports appropriately manage risk in their environment. From assessments to business continuity plans, there are a number of steps that can be taken internally to appropriately handle risk. But what about third-party vendors? While an airport can work hard to manage risk, if a single vendor has a data breach or is a victim of a cyber attack, the effects of that incident can quickly spread to any organization they support.
Supply chain integrity and third-party vendor risk management is essential to an information security and cyber risk program for any airport. A 2018 study by the Ponemon Institute revealed that 56% of organizations have experienced a breach directly caused by one of their vendors. As an example, the major data breach at Target in 2014 was caused by a breach at one of their HVAC vendors.
Managing Third-Party Vendor Risk and Supply Chain Integrity
Airports engage in a significant amount of outsourcing and managed services to meet their needs. From master planning to vertical construction to IT systems, there are a myriad of services and systems that are handed off to vendors for management and completion. Each time an airport adds new systems or obtains new services the organizational risk profile changes. When those systems or services come from a third-party vendor, airports assume the risks brought on by that third-party.
For instance, an airport is considering a new FIDS system from a vendor. Has the vendor developed their product using SDLC and the STRIDE methodology? Are endpoint systems patched and what is the patching schedule? If the service is in the cloud, what is the security offered by the provider? Is data encrypted both at rest and in motion? How long is PII handled for, if at all? Does the vendor have a risk management plan? How does the vendor handle our infrastructure drawings and other SSI? These and countless other questions strike at the heart of managing cyber risk by way of verifiable standards.
Airports should confirm that their vendors manage cybersecurity and cyber risk to an appropriate level. To that end, they can use contracts as an enforcement vehicle. In the case of the FIDS vendor, an airport could require that all bidders have an updated ISO 27001:2013 certification or require SOC II or SOC Cybersecurity attestation before the contract conforms. It is also crucial that airports update their internal ISMS to account for the new assets, risks, threats, continuity requirements, and disaster recovery needs.
Vendors can increase their trustworthiness and reduce potential liability by proactively managing cyber risk. The ISO 27001:2013 certification and the SOC II and SOC Cybersecurity attestation processes can seem burdensome, however significant value is generated with the certification and with the reduced risks. Airports see a certified or attested company as trustworthy and diligent, even more so when others within a space do not have those credentials. If a cybersecurity incident should arise, managing risk and creating a true ISMS will show that a vendor has acted in good faith, with due diligence and due care in the situation.
It Takes Two to Tango
Airports and the vendors that serve them have a responsibility to ensure safe and secure operations for all stakeholders. Cybersecurity incidents pose a real danger to safe and secure operation of critical infrastructure. Airports and vendors can manage cyber risk by maintaining internal cybersecurity and cyber risk programs that are continually updated and audited. Vendors can demonstrate due diligence and due care through the certification and attestation processes, and airport can do the same by requiring and verifying those credentials.
Cyprus Lake assists airports and their vendors to certify that cybersecurity and cyber risk are being adequately managed. For airport vendors, we provide certification preparation and internal auditing services for ISO 27001:2013 and SSAE18 as well as preparation for SOC II and SOC Cybersecurity audits and attestation. For airports, we can help manage internal risk through NIST 800-30, NIST 800-53v4, NIST Cybersecurity Framework, CIS CSC, and ISO 27001:2013 preparation and remediation as well as with advisory services on contract engagements to ensure third-party compliance and attestation.
If you would like more information regarding our services, please contact us at (267) 888-8022 or email us at firstname.lastname@example.org.