Cybersecurity-by-design – from an airport IT enterprise architecture perspective

Leong Yuh Khee, Senior Vice President of Airport Operations Technology & Corporate IT at the Changi Airport Group, explores cybersecurity-by-design as a concept and from an IT practitioner point of view without dwelling into specific technical options.

Co-authors

Chan Wee Lee, Associate General Manager of Airport Operations Technology & Corporate IT at the Changi Airport Group.

Jimmy Wong, a team member within Airport Operations Technology & Corporate IT division of Changi Airport Group.

Cybersecurity-by-design is a mindset. Enterprise architecture is a discipline.

Mindset is about how one views, values, and approaches things. It influences one’s behaviors, priorities, and how one judges whether an action is right, effective, and worth spending time and resources on.

Cybersecurity-by-design is a mindset because it reflects how one views, values, and approaches the integration of cybersecurity measures from the beginning stages of design and development, rather than adding them later on.

Discipline is about being persistent, consistent, and determined to achieve something regardless of one’s feelings, external factors, or other competing demands.

Enterprise architecture is a discipline because it requires being persistent, consistent, and determined to continually align an airport’s business processes, technology infrastructure, and information assets with its overall strategic goals and objectives. It takes discipline to adopt and maintain the frameworks, methodologies, and best practices that are developed to keep the architecture artifacts, such as models, diagrams, and documentation, that provide a holistic view of the airport’s system of systems.

Cybersecurity-by-design is an ongoing process that needs regular checking, assessment, and enhancement. It is a joint responsibility for all parties involved, including system managers, developers, contractors, and users. By incorporating cybersecurity-by-design within the broader framework of IT enterprise architecture governance and discipline, it provides the platform for the effective implementation and maintenance of cybersecurity.

Therefore, mindset and discipline can be compared to the two wings of a bird because only by combining both mindset and discipline can we ensure that cybersecurity is embedded into the continuous IT enterprise architecture framework and governance from the start.

Why airports need to implement cybersecurity-by-design?

Airports are high visibility targets due to their high value as critical infrastructure, large amounts of operational and sensitive data, and interlinked systems. A cyber attack on an airport could interfere with air traffic control systems, expose passenger data, affect flight schedules, and even create safety hazards.

The possible consequences of such an attack extend beyond the airport itself, affecting airlines, travellers, and the broader economy. Therefore, airports are attractive targets for various motives, including but not limited to causing material damage, stealing data, demanding money, gaining fame, expressing a cause, and for mere personal satisfaction.

Therefore, it is obvious that we need to safeguard the IT systems of an airport from cyber attacks. What’s more crucial is that the cybersecurity aspects and factors must be given high priority from the start, shaping how the system of systems is to be built and connected. As part of the solution architecture, it explains the related principles of linking systems to systems and eventually linking systems to the Internet as part of the larger IT enterprise architecture.

There is no point protecting something that cannot be defended to begin with.

Where do we begin?

From the IT enterprise architecture point of view, we can imagine securing the airport systems much like securing a medieval castle using a construction blueprint (see Figure 1) with the following 4 steps:

1. Identify the crown jewels.
2. Secure the crown jewels within an inner perimeter with a moat.
3. Provide drawbridges to access to the crown jewels strictly on a need-to-access basis with the following:
   • Repeat the above for an outer perimeter to protect activities that need to be carried out within the castle ground.
   • Stringent authentication and access control.
   • Monitor and record all traffic going in and out of the inner moat and accessing the crown jewels.
4. The drawbridges must be prepared to go up immediately when required.

The castle and its security cannot be built without first conceiving an architecture plan and a construction blueprint.

Making the castle defensible is only the beginning. The next step is to deploy the following elements to secure the castle (see Figure 2)

1. Segmentation. This is to keep the most valuable assets in different compartments as much as possible to limit the harm when the castle’s outer and / or inner perimeter is breached.
2. Segregation of roles and responsibilities. This is to assign clear accountability and responsibility for who can access the most valuable assets.
3. Perimeter defense and border surveillance. Establish an effective perimeter fencing to prevent unauthorized access, coupled with continuous surveillance, monitoring, and alert systems.
4. Guards ready to act. Have a legion of guards ready to respond to intrusion and fight off the intruders.
5. Simulated attacks. Keep the guards are on their toes with frequent simulated attacks on the castle and crown jewels, and ensure that the response plans are well-practiced and oiled.

The main goals of cybersecurity-by-design are to strengthen resilience and to speed up response and recovery.

Resilience through defense-in-depth, also known as layered defense, is a cybersecurity method that involves using different types of security controls at various points in the ecosystem. The aim of this method is to have backup in case a cybersecurity control is compromised or a weakness is exposed. By using different types of cybersecurity controls, an organization can enhance its overall cybersecurity level and ability to resist cyber attacks.

The advantages of implementing a defense-in-depth architecture include better cybersecurity and protection against cyber attacks, lower expenses and impacts of cybersecurity breaches and recovery, increased user confidence and satisfaction with the product or service, and the capability to function even when attacked, albeit in a degraded mode.

Cybersecurity-by-design provides strategic depth to the protected areas by creating defensive layers or buffer zones to protect the crown jewels.

Expedite response and recovery. The system’s capacity to adapt to and bounce back from different types of disruptions, such as natural disasters, cyberattacks, or other crises. It includes having strategies, resources, and processes ready to deal with the event and reduce adverse effects, while also aiming to resume normal operations as soon as possible.

Nevertheless, there are two important factors to consider: cyber defense is an asymmetrical warfare where one side has an advantage over the other, and there is a balance between how secure and how user-friendly something is.

The term asymmetrical warfare refers to the situation where one side has an advantage over the other in terms of resources, capabilities, or strategies. Cyber warfare is a form of asymmetrical warfare, as the attacker can use low-cost and covert methods to infiltrate and damage the defender’s systems, while the defender must invest more resources and effort to protect and monitor its networks.

Asymmetrical warfare poses a challenge to the traditional concepts of deterrence, defense, and retaliation, as the attacker may be difficult to identify, locate, or retaliate against.

What is more important – security or usability?

No single cybersecurity solution can fully protect against the dynamic cyber threats. The organization must secure its infrastructure and data from cyber-attacks, but also care about user experience. When we evaluate cybersecurity solutions, we will consider how they affect the systems that impact our passengers. Cybersecurity-by-design is not simply a matter of applying a technology, but rather a way of reducing or eliminating the cybersecurity risk for an application, system, and data while maintaining usability and satisfaction for the users.

The most cyber-secured system is one that even authorized users cannot use.

When we add new connections or interfaces to an existing system, like adding a new bridge to an already fortified castle, we need to assess the impact and review all the risks involved. This ensures that the new connection does not create more vulnerabilities, security gaps, and that the system security is not weakened or compromised for all connected systems.

We need to do regular enterprise-level business risk impact analysis as the threat landscape changes constantly. This ensures that the current cybersecurity measures for the infrastructure are still sufficient to protect the data and applications. We need to balance the ease of use and cybersecurity. By having a good understanding of the technology’s limitations compared to its intended purpose, we can identify alternative measures to reduce or eliminate related cyber risks.

Adopting a risk-based approach is both pragmatic and sensible to strike a balance between cybersecurity and usability.

One more thing – cybersecurity in the cloud

Airports are using the commercial cloud for workloads to various extent because the cloud offers the benefits of global reach, space saving, market responsiveness, scalability, and elasticity to adapt to changing needs. But some systems still must stay on-premises for security reasons. Some of these on-premises systems have data and information that may be needed to improve the algorithm and business logics for cloud-hosted systems. So, there may be a need to interconnect systems hosted on-premises and those hosted on the cloud for data exchange. Therefore, it is important to know the purpose and objective of the connections, as well as the bandwidth needs and security measures that are in place to protect the data exchange.

How can we choose whether a system should be in the cloud or on-premises? There should be a decision matrix to help system owner to help business owner to decide. I call this the CREDO principle:

1. Criticality – Can the business keep running when the system is down for long hours?
2. Reachability – Can the system be accessed from anywhere in the world?
3. Elasticity – Is there a need to increase or decrease resources on demand?
4. Dependency – Does the system depend on information in other systems that are not online?
5. Opportunity – Is the system architecture designed for cloud or on-premises?

With a better understanding of the business objectives and system architecture by design, the system owners will be able to make better decisions.

For cloud deployments, an organization can consider a shared cybersecurity infrastructure in the cloud to support the applications in the cloud, run by a team of infrastructure experts, who will monitor and detect cyber-attacks around the clock and throughout the year.

However, this approach would require following certain enterprise security architecture, designed for a specific cloud. This is especially useful for teams with limited experience in infrastructure security and also for small- to medium-sized applications. This approach will also speed up system deployment in the cloud with a baseline security architecture to protect the systems and help lower the common cybersecurity-related cost with consolidation.

The security requirements for cloud and on-premises systems are usually different, particularly in terms of cybersecurity measures, incident response procedures, and service level agreements. These differences arise from the varying security classifications of the data. Therefore, when these systems have to communicate or share data, we need to evaluate the cyber risk and implement more security measures if needed – no “one-size-fits-all” scenarios.

However, there are limits on how we can secure the connections, depending on the kind of cloud service, IaaS, PaaS or SaaS, and the telecommunication service providers’ services available to the cloud provider.

When deciding what service to use and which cloud provider to subscribe to, system owners should also consider the type of certification the cloud service provider has obtained, such as SOC2 or ISO 27001. Additionally, they should be aware of cybersecurity limitations, from vulnerability assessments to penetration tests, as well as the remediation and implementation of mitigation measures needed to comply with regulatory requirements, which cloud service providers may not necessarily meet.

What’s next?

For the longest time, the cyber defense landscape was left unchanged as the current doctrine, framework and architecture have been proven to serve us well. Trends such as the shifting of server on-premises workload to the cloud and staff working from home during the COVID-19 years did not seem to elicit a major shake-up of the cyber defense architecture. Will the next trend shake up this confidence?

Now, Generative A.I. swipes through the world, creating opportunities and disruptions along the way. The cyber defenders suddenly find themselves facing the prospects of their adversaries learning, adapting, and bypassing at warp speed while on a 24×7 work shift. This could very well be the repeat of the moment when controlled flight forever changed the ways military planner evaluate physical defense. At the rate where things are going, Generative A.I. will be here to stay and cyber defense will have to quickly learn and adapt to this new reality.

Autobots! Roll out!