Southwest Airlines CISO on tackling cyber risks in the aviation industry
In this Help Net Security interview, Carrie Mills, VP and CISO at Southwest Airlines, talks about the cybersecurity challenges facing the aviation industry. She explains how being part of critical infrastructure, a major consumer brand, and an airline each brings its own set of security issues.
What are the most pressing cyber threats currently facing the aviation industry?
Southwest is not only an airline but also a well-known consumer brand and part of a United States critical infrastructure sector. Any of these characteristics alone would offer unique cyber challenges, and the combination of the three makes for an increasingly complex and dynamic threat landscape. Because of this, we have to expect the unexpected and be ready to pivot at a moment’s notice.
Recently, a spotlight has begun to shine on the importance of cybersecurity of operational technology. We created one of the industry’s first specialized cybersecurity aircraft teams, who work tirelessly to ensure our customers arrive safely at their destinations.
Given the rise of satellite-based communications and cloud adoption in aviation, what unique security challenges do they introduce?
At a high level, there aren’t necessarily aviation industry-specific challenges brought by satellite-based communications or cloud adoption; multiple industries share these challenges. It introduces a shared responsibility to secure these environments. The responsibility is now shared between multiple stakeholders to make sure the different parts of the environment are secure as a whole. We have to trust each other that we are doing what we say and what we are contractually obligated to do.
Also, a well-rounded security program must apply to the company and its third parties to cover all bases, therefore all of the same security concepts still apply. This is why an approach to measure and constantly improve security is essential to develop a mature security posture.
How effective are current regulations and cybersecurity standards (e.g., ICAO, EASA, FAA, IATA) in mitigating cyber risks in aviation?
Standard-setting organizations are important as we try to align on cybersecurity as an industry. We do still face some challenges as we deal with fragmentation across the regulations and standards with overlap or gaps, and uniformity when it comes to cyber incident reporting.
Engaged stakeholders best inform effective regulations and standards, and Southwest is active in the aviation community. As an example, we officially joined the International Air Transport Association (IATA) earlier this year, which helps amplify our voice in shaping our industry’s policies and procedures. Southwest’s Chief Information Security Officer also serves on the Aviation Information Sharing and Analysis Center (A-ISAC) Board and is Vice Chair of the Airlines for America (A4A) Cybersecurity Committee.
While not aviation-specific, Southwest leverages the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which provides a risk-based approach integral to mitigating cybersecurity risks and impacts on our facilities, airports, and aircraft.
How can aviation companies improve their cyber resilience and response times to mitigate disruptions?
Our cybersecurity team believes in being great at the basics, which requires practice and testing. Just as pilots train in simulators, we practice responding to various events by regularly testing our application resilience and incident response plans. These simulations and tests prepare us for all kinds of scenarios by helping identify potential gaps and dependencies we may not have been aware of before. Even if you think an application is resilient, you may be surprised by the results of a cyber resiliency exercise.
Ensuring documentation is updated and reviewed frequently for accuracy is also key. While not the most glamorous work, it’s one of the easiest things you can do now to help your team in the future.
What steps should CISOs and security teams in the aviation sector prioritize today to strengthen their defenses?
An essential part of our cybersecurity program’s success is employees’ awareness, engagement, and preparedness, as they are often the first line of defense. Our Southwest Cybersecurity Awareness program helps maintain a dialogue with employees, whether they spend their days behind a computer or in the air. We work hard to build relationships with teams across the company to humanize cybersecurity and reduce fatigue.
Information sharing is also paramount to our success. We maintain strong partnerships and relationships with peers in the aviation and cybersecurity communities, such as vendors and other airlines. As an active member of organizations like Airlines for America (A4A) and the Aviation Information Sharing and Analysis Center (A-ISAC), we can collaborate to maintain industry cybersecurity.