Civil aircraft manufacturer Airbus Group is hit by up to 12 major systems attacks each year, its chief information security officer has revealed, mostly through ransomware and state-sponsored hackers.
Stephane Lenco told the Australian Cyber Security Centre conference that defence was particularly difficult against state-sponsored attackers who "will try everything" to break in, and if successful, "will go after everything".
"We get thousands of attacks daily because we have front ends to the internet," Lenco said.
"We get on average 10 to 12 really, really serious [attacks], that we would want to look at very deeply, a year."
Some of those are state-sponsored attackers, Lenco revealed. But at the same time, he said, ransomware that isn't directly targeted at Airbus is having a "tremendous amount of success" within the organisation.
He cited one example of ransomware compromising a computer used by an employee offsite, which then encrypted files within Airbus' expansive corporate network once it connected to the company's intranet.
Had the ransomware not been caught and eliminated within two hours and backups restored, Lenco said, the company's operations, and even its research and development efforts, could have been hurt.
However, Lenco said he was not concerned with finding out who the assailants attacking his systems were.
"What's the point in trying to know who it is? What you want [to know] is what they're after and how they proceed," he said.
"Ultimately who that is, is really a matter for law enforcement. If we're talking about people that are state-sponsored, doing something about it requires a lot of diplomacy, a lot of paper to make sure it doesn't happen in the future. I will definitely stay away from attribution every time I can."
Protecting Airbus' systems and infrastructure is made more difficult by the company's vast geographic reach - it spans 180 sites across 35 countries and 145,000 employees, not to mention 160,000 supplier partners.
Building from the ground up
The company's security posture was not always as good as it is today - and even now, Lenco admits, it does not make Airbus an "A player".
Five years ago, the biggest threat to Lenco's operations was large-scale worms like Conficker, the executive said.
Advanced persistent threats (APTs) were on the near horizon, and manufacturing businesses like Airbus were among the first in attackers' sights.
As a response, Lenco took a strategy to his board outlining his plan to "deter, delay, delete and detect".
"Our plan was: to get better in security, we wanted to scare people off from attacking us," Lenco said.
"If [they attacked], and it does happen, we wanted to try to delay them for as long as possible. We wanted to detect them, because we've slowed them down to the point where we can see them. And if worst comes to worst, you go into deletion [CERT and APT remediations]."
However, "time goes by, projects are projects and they tend to slip", Lenco said.
"You've got other stuff to do, things that you figure take more valuable efforts out of your precious time. So come 2013, APT is now mass market. Every single thing you read ... talks about APTs," Lenco said.
What this meant was Airbus was not where it needed to be to effectively combat the threat.
"We tackled what was easy: we did most of the paperwork, we tried to adjust to a modern world where APTs were becoming commonplace," Lenco said.
"We had [a strategy] that was readable by average human beings, and we were doing emergency response, because that's what you do best when you don't know exactly how to structure yourself.
"My problem was: if what we forecasted happened, we're not where we wanted to be, so how do we get better at it?"
Luckily, Lenco said, the infosec team still had the support of the executive for the four D's approach, so the next step was about benchmarking.
"Ultimately what you want to come to is ... trying to understand what you need to do that you haven't done so far, and how to improve what you did that wasn't so bad," he said.
"You need to work out your top priority. [For us, the planes] need to come out of the factory no matter what."
What resulted was 47 streams containing around 350 individual projects.
"That's a massive problem. If you have an elephant, how do you eat it? You slice it," Lenco said.
Product systems, IT and the "general interest of the company" were split into three areas, with the overarching focus of the drive on beefing up Lenco's computer emergency response team (CERT), improving policies, and running awareness campaigns. A security operations centre was also created.
"So where are we today? It's time for the reality check: when the CEO gives you money, he wants results," Lenco said.
"The mantra is 'we want you to be an A player'. So are we now an A player? Quite frankly, and humbly, no.
"I don't think we are. But definitely we have improved by a great deal over five years. How can we do better is the next question."
Lenco said his rate of valuable threat intelligence from peer sources had increased from 9 percent in 2013 to 38 percent currently.
"It is becoming the first and foremost source of trustworthy information. So that is my way to get better. Getting the information from others - because I see some, you see some, but ultimately we're not seeing the same [information]," he said.
The security team will also soon start red-teaming - adopting an attacker's mindset to detect vulnerabilities in networks and systems - and blue-teaming (the defenders) to better catch and mitigate threats.