How Boeing Developed a Framework to Improve Critical Infrastructure

Boeing is known for being one of the largest manufacturers of commercial and military aircraft. The company is also a provider of security systems and is at the forefront of creating infrastructures that help to secure our nation's cyberspace. A reliable IT infrastructure is critical for the security of all businesses and organizations. Boeing has created an innovative framework that improves security and efficiency, which other firms are likely to use as a model. Boeing's approach considers factors such as the current framework requirements of the National Institute of Standards and Technology (NIST), risk management practices, and industry best practices.

"Protection of the critical infrastructure and our own intellectual property that creates and sustains this technological leadership is at the core of our efforts and the key to future success."

Boeing’s Approach to Cybersecurity

Because of the growth of cyberspace and the value that virtual data holds, and in response to NIST, Boeing has taken a forward-thinking stance on how IT infrastructure components should be shaped and maintained.

  • ROI must be taken into consideration. A business's infrastructure should be safeguarded, but at what cost? A company must look at its available resources, both human and equipment, and calculate the return on these resources relative to the benefit of the cybersecurity provided. With increased government regulation in cyberspace, a business must ensure that the valuable resources it uses to stay in compliance aren't taking away from its bandwidth to actually keep the infrastructure secure.
  • There should be collaboration between the public and the private sectors. Partnerships between government and businesses will help to strengthen security due to the shared nature of data and cyberspace. Boeing believes in improving information sharing, but only if businesses are assured that their transparency will not result in possible lawsuits or stricter regulation.
  • In order to strengthen the affiliation between the public and the private sectors, incentives, assistance, and protection could be provided if companies stay current and innovative with regard to cybersecurity.
  • Sector-wide cybersecurity best practices should be created and consistently updated in order to stay ahead of threats.
  • Third-party security audits are helpful to identify weak spots in the infrastructure. Boeing stresses that these audits should be voluntary as they could be costly for smaller businesses.
  • Organizations should strengthen themselves from within by providing incentives for research, innovative security solutions, and workforce development in the form of advanced education such as a Master of Science in Information Assurance.
  • The general public should be encouraged to play a part in cybersecurity by backing up files and keeping their anti-virus software up to date.

The Building of the Infrastructure Framework

Boeing based its infrastructure framework on numerous sources due to its consistent use of best practices in security. These practices include compliance standards required by various government agencies such as the Department of Defense (DOD), the Department of Homeland Security (DHS) and NIST.

For example, the NIST 800 series of publications is useful for businesses, although it was originally intended for government use. The Control Objectives for Information and Related Technology (COBIT) and Factor Analysis of Information Risk (FAIR) are useful for defining risk to infrastructure. Some parts of the ISO 27001 series were used to develop Boeing’s infrastructure framework.

Industry standards also form the basis for the framework, including Domain Name System Security Extensions (DNSSEC), Internet Protocol Security (IPSec) and Transport Layer Security (TLS). The Cloud Security Alliance provides further guidance on secure cloud computing.

Boeing’s Board of Directors and Audit Committee stay informed on the company’s enterprise data security measures. This practice allows security measures to be updated continuously in response to changes in threats and technology.

Risk Management

Risk management is the overarching principle of infrastructure security. Boeing believes that the development and use of a Capability Maturity Model (CMM) for cybersecurity is the best approach. The CMM methodology is used to develop software and processes, and it features a five-level path in which each level assumes greater organization and maturity. The process encourages benchmarking, sharing information technology infrastructure best practices, and strict budgeting to accommodate innovation.

Improvements in Industry Practices

The most important improvements in industry practices regarding infrastructure components include a greater separation between business and operational systems, better encryption management and more effective monitoring.

A separation between business and operations requires a service-based approach to effectively address the security challenges in aviation. Boeing recommends a layered security model of services and solutions that integrates the required services with an underlying security. This strategy minimizes the development of co-dependent systems, which can be difficult to change in response to security requirements.

Proper encryption management in aviation primarily involves compliance with the standards developed by the Air Transport Association (ATA) and Airlines Electronic Engineering Committee (AEEC). These organizations provide extensive guidelines regarding the use of public keys, which are commonly used in both aircraft equipment and business operations. The use of cryptography is especially difficult aboard aircraft, since it must comply with a different standard each time the aircraft flies to a new country.

A cybersecurity framework also requires networks to be monitored for changes in their operational state. A prompt response to these changes is essential for minimizing the range of an attack. Boeing holds a patent (US Pat 8,051,477) on technology that monitors vector changes to a mobile network.

Cyberspace has allowed technology to soar and has changed the way we live and do business across the globe. But with it comes risk to commerce and society. A major cyber attack could cripple the nation's power grid, the financial system, the government, transportation, and medical services. Cyber protection needs to be a priority.
