Photo Credit: abbamouse via Compfight cc
When I was a lad, I used to work during my summers and college holidays in the factory my father gave many precious years to. It was lovingly described as light engineering. Every year as production engineer my father would lead an inspection team from the insurance company around the factory floor reviewing the safety measures on each lathe, press and milling machine. Every year, a request would come to fit an extra guard, or cover. As a result the machines would become less practical to use in reality. The controls that were being put in place had an impact on productivity and sometimes would cause the workers to bypass them in order to get the job done. This can lead to problems.
Now let’s move to the subject in hand, the Germanwings flight 9525 which was deliberately crashed in March 2015 by pilot Andreas Lubitz, killing all 150 passengers and crew. Two major things went wrong that we need to consider in terms of Infosec lessons, firstly the now infamous cockpit door. After 9/11, the cockpit doors across the industry were made more secure so that hijackers could no longer penetrate the nerve centre of the plane. The guard dogs and watch towers, the barbed wire were all pointing to the external threat – does this sound familiar with your organisation? The problem was the real threat was from an insider. The controls put in place, i.e. the locked door, made it impossible for the rest of the crew to regain control of the plane once Lubitz had taken over. How are you watching the activity on your network for insider threat? When you detect it, does your system help you shut out an internal hacker or information thief, or are they not geared up for that kind of reaction? If your users are doing something illegal in the outside world while sitting on your infrastructure, how quickly can you detect that traffic and stop it? Are your cockpit doors locked and a barrier not a protection?
After the event, the next reaction was for flight authorities across the world to mandate that two crew had to be on the flight deck at any one time to minimize the “internal threat”. But what if those two crew decide to act together? Many internal threats, such as Nick Leeson at Barings Bank, involve collusion between multiple players.
The other aspect of the Lubitz case is the taking of quick and decisive action and the following of internal processes. What became apparent after he had crashed the plane was that Lubitz had “suicidal tendencies” and had been declared unfit to work. Lubitz managed to keep this information from the very people that needed to know the most: his employers. He was clearly a very troubled young man. A key aspect of this should have been employee awareness and vigilance. I don’t mean spy on your colleagues, but consider that after the crash, Lubitz’s co-workers expressed their concern at his behaviour.
No, none of this has a perfect answer. For those passengers and crew that died, the focus on external rather than internal threat had a very real impact. I would suggest based on studies such as those of Forrester, that more threats are internal rather than external. Rather than a guard dog looking out, maybe the metaphor should be Cerberus, the multi-headed dog of Greek mythology looking in multiple directions at once. We need to learn to act sooner and ask the difficult questions before the cockpit door is locked.