Wednesday, April 29, 2015

What can we learn from the American Airlines iPad failure?

ICYMI, American Airlines had several planes delayed when something went wrong with their iPads on 737 aircraft.  I'm pretty sure we'll never know the whole story on this, but are there any infosec takeaways?  I think so.
  1. Mobile device management is complicated.  It gets extra complicated when devices are randomly connected and disconnected from the Internet.  Whatever problem impacted the iPads was at least in part resolved by returning to the gate to get an active Internet connection.  Whether these devices are 4G enabled or not is unclear.  Even if they are, I don't know if they could use 4G in the cockpit after the boarding door is closed.  Next time someone is talking about mobile device management like it's child's play, ask them how they deal with a partial app update or similar regarding this situation.
  2. What's your DR plan?  Every new technology comes with liabilities.  The iPad rollout was used to eliminate 24 million pages of paper carried from gate to gate by the American Airlines pilots.  Paper never runs out of batteries, needs a software update, or suffers from a glitch.  It's also difficult to update 8,000 copies of the same paper (forget about automatic updates).  So the replacement sounded like a good idea. But what's your DR plan when the technology fails?  Do you have one?  Can you roll back to the old technology?  If so, how quickly?  What's the mitigation.  Again, this is a great real world scenario that speaks to DR.
  3. In my circles this morning, people openly asked questions about whether or not some cyber security incident may have been to blame for the iPad failure.  Then more questions came out about the security of the devices in general.  Every technology should be evaluated for security before being rolled out to the enterprise.  Twice this month, I've worked with clients who didn't do this and found out the hard way that they should have included security assessments in the project deployment plan. I trust that American Airlines did this, but if they didn't they need to get some independent security assessors to look at the technology now.  Why independent? Because in any project, internal security teams have politics to deal with and feelings they want to avoid hurting.  But for projects already deployed, it's way too easy to conveniently ignore or play down issues.
 I'm sure there are other takeaways here, but this is all I have time for this morning.  If you can think of others, feel free to drop me a line in the comments section.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.