Aviation Safety and IT Assurance
As part of one of my earlier assignments, our team was deploying several information security policies, procedures, tools and technologies in a business environment. We were working with a highly demanding boss, who was also a good mentor. He constantly reminded us that information technology is not about jargon but about experience. At an operational level, we were constantly focused on deployment and deadlines. His message was registered and we tried to live up to his expectations. But he was not someone who would be pleased with ‘small successes’. One day we were traveling together on a flight. He explained to me that all the security procedures followed throughout the journey were ingrained into the customer experience and there was no need to explain customers as to why they were being frisked and scrutinized. These were well accepted norms and customers were comfortable following the same. The safety instructions on board were simple. He asked me, ‘Can you make information security as easy as the airlines procedures? Our team sat together to draw an analogy between the two themes. We mapped packet filtering devices, deep inspection algorithms, IP address binding mechanism to airline processes as frisking, x-ray scrutiny, seatbelt and so on and so forth. We prepared the full blue print and budget requirements using this model. We felt that, at least once, our boss would be pleased with the architecture proposed by us. Though our presentation was received well, our boss had even higher expectations. He smiled and explained us that passengers look for assurance not the security mechanism. . His statement left an impression on me. Every time I traveled on any flight, I remembered all the conversations we had. I browsed through aviation industry literature during one of my recent journeys by flight. The aviation industry was constantly making efforts to make journeys better experience and safer. Nevertheless, like all technology failures, the aviation industry did face challenges and witnessed some major accidents. In November 2001, an American Airlines flight crashed in Queens, New York, due to excessive use of rudder controls. In 2009, flight 3407, operated by Colgan Air crashed within 15 minutes of take-off. Investigations revealed that the pilot had to turn on the de-icing system just 11 minutes after taking off. It was inferred that there was a “significant” build-up of ice on the windshield and the wings the plane which altered the flow of air. Pilot lost control on the plane. All 48 passengers and crew on board were killed. In 2010, an Indian Airlines plane traveling from Dubai to Mangalore, crashed at the Mangalore airport. While landing, it over shot the runway, lost its control and fell into a valley. The plane caught the fire, killing all 158 passengers. . In 2010, an Australian Airlines witnessed a major hardware failure. This resulted into an outage of scheduling and booking systems. Normal operations were suspended. More than 400 flights had to be rescheduled. It took 11 days to restore the system and operations. . Though, there was no loss of human life, more than 50000 passengers had to reschedule their plans. Obviously, the business continuity plan for their IT systems was not effective. In 2014, a Malaysian plan crossing over Ukraine was shot down by suspected terrorists. This, of course, was a universal problems faced by all nations and in Risk Management philosophy, this could have been considered as an ‘external risk’ with a remote probability of occurrence. Many other airlines had changed their routes anticipating and perceiving risk of travelling over terror-prone territories. These airlines incurred an additional cost of 66 dollars more per passenger due to the longer route. Such expense probably was uncalled for before such events happened. Investigations were carried out. Recommendations were made. Management took an active interest in identifying ways to make security implementation program effective. One of the recommendations was to design the plane with anti-missile surface technologies. Needless to say, this recommendation was not in the ‘budget control’. All these incidents resembled major failures in IT systems that affected millions globally. On October 5. 2012, Nifty index crashed by 920 points despite the systems requiring circuit breakers —- first at 10 per cent and further at 15 per cent movements within a day requiring halt in market trading. It was estimated that 10 lakh crore investor wealth was eroded in a short span of time. In 2013, several South Korean banking and broadcasting systems were paralysed. It was suspected to be a case of cyber-warfare owing to the tensions growing in the same region. Cyber “time bombs” were planted in various systems. When the bomb exploded, it had devastating effect as wiped our he master boot record of several systems.. From July 20, 2014, USA VISA and passport issuing operations suffered heavily for more than a week. Consular Consolidated Database (CCD), backbone of the operations developed glitches after “maintenance activity” was carried out. This database is one of the world’s largest Oracle-based warehouses containing billions of visa files and photographs and is cross-linked to other databases of various US federal agencies, It was a major embarrassment for USA as diplomats, students, scientists, sports-persons intending to visit USA had to reschedule their plans. With occurrence of every such incident, IT and Aviation industries learnt lessons, re-visited their assumptions and revamped their security programs. Aviation industry published safety reports year after year. These reports reflected the efforts taken by aviation security experts to improve the overall security posture and that the air travel had actually become far safer. In 2013, International Business Times produced an extract of a report stating “According to air safety experts, the safer skies for travellers can be attributed to more reliable planes, better navigation technology and improved sharing of flight information and hazards among regulators and airlines.” Yet another extensive research proved that the probability that a person may die in a plane crash was lower than the person dying after falling from bed. Obviously, the risks were within “acceptable limits”. Engineering and risk management excellence was at its peak. Information technology, deeply embedded into all the components and control mechanisms, was secure and functional. On my return journey while I was about to check-in, I saw an elderly man, probably aged around 75,saying good-bye to his 5 year old granddaughter. It was a very heart warming moment when she hugged him. Both of them were living in a world of innocence –far beyond data and statistics. As per insurance charts, the value of the life of the grandfather could have been lower had he chosen not to fly. For the granddaughter, he was probably the world. She said good-bye and prayed for his safe journey. Finally, whose risk was it? For whom was the assurance planned? What was the probability of his survival on flight? One in eleven millions as published by industry experts or 50:50 as perceived by his beloved ones? My boss would have certainly asked this question. We would have gone back to our drawing board once more.
Bol Madhavache 